Creating an ad hoc provisional profile without generating yet another public/private keypair - ios

When creating an ad hoc provisional profile, it asks for a Certificate Signing Request.
It seems it would create yet another public/private key pair? Can I use an existing one?
Below is the instruction given. The step I have in question is "create a name for your private key". I already have two key pairs; I wish to use the existing ones.
To manually generate a Certificate, you need a Certificate Signing
Request (CSR) file from your Mac. To create a CSR file, follow the
instructions below to create one using Keychain Access. Create a CSR
file.
In the Applications folder on your Mac, open the Utilities folder and
launch Keychain Access.
Within the Keychain Access drop down menu, select Keychain Access >
Certificate Assistant > Request a Certificate from a Certificate
Authority.
In the Certificate Information window, enter the following information:
In the User Email Address field, enter your email address.
In the Common Name field, create a name for your private key (e.g., John Doe Dev Key).
The CA Email Address field should be left empty.
In the "Request is" group, select the "Saved to disk" option.
Click Continue within Keychain Access to complete the CSR generating process.

You don't need to create a separate Certificate Signing Request (CSR) each time. You can use the same CSR as many times as you can. There is no problem with using the same CSR each time. I use the same CSR for creating certificates.
But you have to create one at least once.
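
For the question above about reusing a key pair: outside Keychain Access, openssl req -new -key builds a CSR from a private key you already hold, and the CSR can be checked against that key before it is uploaded. This is an added example, not part of the original posts; it assumes the existing key is available as a PEM file, and the file names, subjects and the helpers csr_matches_key and new_csr_from_key are made up for the demo.

```shell
#!/bin/sh
# Added example: build new CSRs from an existing private key instead of
# letting the tool create a fresh pair. File names and subjects are
# constructed for the demo.

# Succeeds when the CSR's embedded public key equals the key's public half.
csr_matches_key() {  # usage: csr_matches_key <csr.pem> <key.pem>
    csr_pub=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$csr_pub" = "$key_pub" ]
}

# Create a CSR for an existing key; no new key pair is generated.
new_csr_from_key() {  # usage: new_csr_from_key <key.pem> <subject> <out.csr>
    openssl req -new -key "$1" -subj "$2" -out "$3" 2>/dev/null
}

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

# Stand-in for "the key pair I already have" (constructed for the demo).
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$demo_dir/existing.key" 2>/dev/null
# An unrelated key, used to show the check failing.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$demo_dir/other.key" 2>/dev/null

# Two different requests, one key pair.
new_csr_from_key "$demo_dir/existing.key" "/CN=John Doe Dev Key" "$demo_dir/dev.csr"
new_csr_from_key "$demo_dir/existing.key" "/CN=John Doe Ad Hoc Key" "$demo_dir/adhoc.csr"

for csr in dev.csr adhoc.csr; do
    if csr_matches_key "$demo_dir/$csr" "$demo_dir/existing.key"; then
        echo "$csr: built from existing.key"
    fi
done
csr_matches_key "$demo_dir/dev.csr" "$demo_dir/other.key" \
    || echo "dev.csr: not built from other.key"
```

The private key never leaves the machine in either case; a CSR carries only the public half and a signature made with the private half.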

Related

iOS AWS SNS Create platform application fail with error "There was an error reading the selected certificate."

After downloading my certificate from the apple developer portal, I successfully create a p12 file but whenever I try to create a platform application on aws, enter the certificate password, I just keep getting the error below.
There was an error reading the selected certificate. Verify the
password and try again.
I have tried with short and no passwords but nothing seems to accept the password.
Any ideas?
I was able to make this work, by doing the following:
Delete all old keys related to previous attempts in your Keychain > login (macos)
Request a new certificate from Request Certificate from Authority. Make sure no keys are selected when you execute this function.
I chose a single word in lowercase for Common name.
Add certificate to Apple Developer Portal
Download the CSR
Double click on the CSR to import the keys into your Keychain.
Your private key should have a dropdown with the certificate listed. My previous attempts did not have this. Export the p12.
The p12 worked in AWS SNS when entering the password, the public and private keys were extracted from the p12.

Invalid certificate (CSR)

I generate .certSigningRequest file via Keychain Access (Keychain Access -> Certificate Assistant -> Request a Certificate From a Certificate Authority..., I fill in my mail and I save it to disk).
When I log into Apple developer account and try to generate Certificate with it I get message: "Invalid CSR - Invalid Certificate"
I did this number of times previously with my previous Mac but it is not working on my new system.
What am I doing wrong? I have followed exact steps https://help.apple.com/developer-account/#/devbfa00fef7
I think this is an Apple error. You just need to simply refresh the website again and again or use another browser.
Just forgot to input 'Common name' in Certificate Assistant form.
So, make sure you filled
User Email Address
Common Name
Saved on disk check

How does spaceship get the #id value for .cer files from Apple Developer Portal?

I have the .cer certificate that is downloaded from the Apple Developer Portal of a client I don't have authentication for. I am running openssl x509 to read the .cer, which doesn't show any value that matches the #id (the name on the .cer and .p12 that gets uploaded to the fastlane managed repo) but only the Team Id and Team Name.
Please suggest how do I get the #id value locally when I can't get the certs using Spaceship (which does return the #id value once I login to Spaceship)?
Reference:
https://www.rubydoc.info/github/fastlane/spaceship/Spaceship/Certificate
I can answer one of your two questions:
How does spaceship get the #id value for .cer files from Apple Developer Portal?
When spaceship creates a certificate it does so by sending a request to an API:
https://github.com/fastlane/fastlane/blob/75302f9f842fb1d7361dc1e769cdd7398022f4b4/spaceship/lib/spaceship/portal/certificate.rb#L309-L313
The response from that API call is used to create an object (via the new above) that also includes an id property:
https://github.com/fastlane/fastlane/blob/75302f9f842fb1d7361dc1e769cdd7398022f4b4/spaceship/lib/spaceship/portal/certificate.rb#L214-L253
That id is then used to define the filename the certificate is written to (unless you define a filename manually):
https://github.com/fastlane/fastlane/blob/f32b007ff45e648b37b6c9c2037ac481f36b7780/cert/lib/cert/runner.rb#L191-L195

CSR algorithm/size is incorrect. Expected RSA 2048

I am trying to integrate apple pay with braintree. I have followed up the following instructions to enable apple pay in the brain tree. In the first step, if you click on certificate signing request, it downloads a braintree_app_pay.certSigningRequest file which is used in the apple membership.
When I choose to create payment process certificate, I am getting the following error.
Complementing what @zepp said, you need to specify when creating the CSR, and you can do that by following the process below
Go to Keychain Access
Click on Certificate Assistant
Click on Request Certificate from Certificate Authority
Enter all information and click on the "Let me specify key pair Information" checkbox, then click on Continue
Select KeySize to be 256 and Algorithm to be ECC
Then click on continue.
Full disclosure: I work at Braintree. If you have any further questions, feel free to contact our Support team.
Make sure you're selecting the Apple Pay Certificate option under Production (even if this is for a Sandbox; see the Braintree Apple Pay configuration docs for details) when choosing the type of certificate to add in the Apple Developer portal. Apple Pay CSRs should be generated with ECC, not RSA.
Here's what the CSR prompt screen should look like. Although you'll be uploading the CSR obtained from Braintree instead of generating one, note Apple's specifications for the key:
Please follow the steps below [if you use Apple Pay with Stripe or any other payment gateway]:
Double click on CSR (Downloaded from Stripe), [It will open Certificate Assistant]
Click on Continue
Select 'Request a certificate from an existing CA', and Continue
In Certificate Information screen, Enter User Email Address, Common Name, Leave CA Email Address empty, Select 'Saved to disk & checked Let me specify key pair information' [Select your specific location and save]
In Key Pair Information screen, select 'ECC' algorithm & select Key size : 256 bits and continue.
Now use this CSR in your payment processing certificate.
This issue is not specific to Apple Pay or Braintree - I ran into the same issue when trying to create a CSR for getting a Safari certificate from Apple.
What's important to know is that you need to select the iCloud keychain before using the Request Certificate from Certificate Authority command. If you don't, another keychain may be active, causing wrong keys to be used.
From Apple Developer Forum
Within the Keychain Access drop down menu, select Keychain Access >
Certificate Assistant > Request a Certificate from a Certificate
Authority.
In the Certificate Information window, enter the following information:
In the User Email Address field, enter your email address.
In the Common Name field, create a name for your private key (e.g., John Doe Dev Key).
The CA Email Address field should be left empty.
In the "Request is" group, select the "Saved to disk" option.
Select "Let me specify key pair information".
Click Continue within Keychain Access and select the file location.
Set the Key Pair Information to the following:
Algorithm: ECC
Key Size: 256 bits
Click Continue within Keychain Access to complete the CSR generating process.
I don't get it, because it's said You must use the CSR we provide. Do not create a CSR file yourself on braintree website.
And with this CSR file, it's always failed on apple's upload page.
Edit:
I finally uploaded successfully by following the steps of @anjali-jariwala's answer.
Just in the last step, I chose RSA & 2048 as the alert required.
For me I accidentally chose Yes when asked Will payments associated with this Merchant ID be processed exclusively in China?
Choosing No solved the issue for me
I had the same error. The mistake on my part was choosing the wrong type of certificate while creating it in the Apple developer portal. I used 'Apple Pay Merchant Identity Certificate', but I needed to use 'Apple Pay Payment Processing Certificate', which solved the issue.

How to obtain Certificate Signing Request

How do I obtain a Certificate Signing Request? All I'm trying to do is get my app running on my ipod touch. This was easy as I could just go to the IOS development portal and just download one, no muss no fuss. But now they want me to create a CSR to create a provisioning profile and I don't know how. I've been derping around in Keychain Access and the online documents for the better part of two hours and I'm still completely lost.
I'm not even sure why I need one now when I didn't before. I had a provisioning profile before I recently switched from Snow Leopard to Mountain Lion, but now it won't take it. Yes, I'm still on the same computer.
Since you installed a new OS you probably no longer have the private and public keys that you used to sign your app in Xcode before. You need to regenerate those keys on your machine by revoking your previous certificate and asking for a new one on the iOS development portal. As part of the process you will be asked to generate a Certificate Signing Request, which is where you seem to have a problem.
You will find all you need there which consists of (from the official doc):
1. Open Keychain Access on your Mac (located in Applications/Utilities).
2. Open Preferences and click Certificates. Make sure both Online Certificate Status Protocol and Certificate Revocation List are set to Off.
3. Choose Keychain Access > Certificate Assistant > Request a Certificate From a Certificate Authority.
Note: If you have a private key selected when you do this, the CSR won’t be accepted. Make sure no private key is selected. Enter your user email address and common name. Use the same address and name as you used to register in the iOS Developer Program. No CA Email Address is required.
4. Select the options “Saved to disk” and “Let me specify key pair information” and click Continue.
5. Specify a filename and click Save. (make sure to replace .certSigningRequest with .csr)
For the Key Size choose 2048 bits and for Algorithm choose RSA. Click Continue and the Certificate Assistant creates a CSR and saves the file to your specified location.
Follow these steps to create CSR (Code Signing Identity):
On your Mac, go to the folder 'Applications' ► 'Utilities' and open 'Keychain Access.'
Go to 'Keychain Access' ► Certificate Assistant ► Request a Certificate from a Certificate Authority.

Fill out the information in the Certificate Information window as specified below and click "Continue."
• In the User Email Address field, enter the email address to identify with this certificate
• In the Common Name field, enter your name
• In the Request group, click the "Saved to disk" option

Save the file to your hard drive.
Use this CSR (.certSigningRequest) file to create project/application certificates and profiles, in Apple developer account.
To manually generate a Certificate, you need a Certificate Signing Request (CSR) file from your Mac. To create a CSR file, follow the instructions below to create one using Keychain Access.
Create a CSR file.
In the Applications folder on your Mac, open the Utilities folder and launch Keychain Access.
Within the Keychain Access drop down menu, select Keychain Access > Certificate Assistant > Request a Certificate from a Certificate Authority.
In the Certificate Information window, enter the following information:
In the User Email Address field, enter your email address.
In the Common Name field, create a name for your private key (e.g., John Doe Dev Key).
The CA Email Address field should be left empty.
In the "Request is" group, select the "Saved to disk" option.
Click Continue within Keychain Access to complete the CSR generating process.
Generate Certificate Signing Request(CSR) on Mac
Certificate Signing Request (CSR) (.csr, .certSigningRequest) - a block of encoded text which is forwarded to a Certificate Authority (CA) when you apply for a certificate.
It contains:
Data
    Version
    Subject
        emailAddress
        Common Name (CN)
        Country (C)
        ...
    Subject Public Key Info
        Public Key Algorithm //rsaEncryption(RSA), id-ecPublicKey(ECC)
            //if rsaEncryption
            RSA Public-Key //length
                Modulus
                Exponent
            //if id-ecPublicKey
            Public-Key
                pub
                ASN1 OID
                NIST CURVE
    Attributes
Signature Algorithm //Algorithm: sha256WithRSAEncryption, ecdsa-with-SHA256, and sign
Generate private/public key pair and CSR
Keychain Access -> Certificate Assistant -> Request a Certificate From a Certificate Authority...
Fill fields:
User Email Address - email
Common Name - a name of the private/public keys which you will find in Keychain Access after generation
Saved to disk - save the .certSigningRequest file locally
Let me specify key pair information - where you have to specify the algorithm and key size of the key pair manually (RSA by default)
After that set a location where .certSigningRequest will be saved
Review CSR
you can open CSR in text editor
-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----
you can decode CSR using:
openssl req -text -in "<path_to_csr>"
Certificate Request:
Data:
Version: 0 (0x0)
Subject: emailAddress=foo@gmail.com, CN=foo.com, C=UA
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:dd:be:b0:b1:3c:04:c4:d9:78:81:c8:bf:0d:52:
2c:67:c3:c4:15:54:9d:40:95:69:3d:35:d7:dd:89:
37:03:2d:dc:89:91:ec:72:b3:1d:63:cd:09:79:7c:
12:fe:93:2b:ef:e3:04:eb:4b:88:9e:cf:5c:05:a0:
4c:18:36:46:02:92:e0:68:a6:1f:60:df:65:a1:0a:
a0:d5:1d:d5:9e:d1:74:7d:e2:84:78:d6:01:83:50:
99:ea:3d:eb:41:7f:e9:59:70:22:33:53:71:eb:da:
e5:78:cd:2d:68:c3:10:bd:fa:e6:bf:93:bc:45:30:
0f:24:97:49:79:c9:2f:18:ea:88:17:6b:c8:0c:a1:
10:f2:86:56:27:5f:c4:65:d5:36:76:e8:04:8c:05:
d7:2f:a0:b8:48:7f:c9:14:53:28:70:a2:3c:88:bc:
ea:c2:02:6f:64:28:c1:be:ad:b6:f2:bb:a3:fd:87:
37:ca:ac:9b:7e:28:df:2f:de:36:89:5b:b4:43:93:
73:2d:36:21:59:98:1a:c5:83:ee:7a:74:30:5c:2e:
0d:25:a8:20:a0:1d:95:a5:1d:14:d8:77:21:7d:02:
e6:52:26:b1:66:81:e0:59:fc:8e:fb:96:59:f6:0b:
fb:ef:ad:ba:9b:da:cc:8f:86:b8:7e:33:42:fc:f1:
0f:8d
Exponent: 65537 (0x10001)
Attributes:
a0:00
Signature Algorithm: sha256WithRSAEncryption
b5:ca:00:10:92:f4:8e:31:18:70:d6:b1:f7:62:a0:1b:88:ca:
20:49:07:f4:4d:a6:71:91:a1:1b:d5:93:83:ba:05:fa:c4:cb:
cc:09:8e:63:03:88:9a:82:db:fa:b6:0c:09:21:db:9b:c4:a3:
bd:8f:02:8b:6d:22:21:05:e6:c2:77:db:e4:97:c4:07:97:0d:
5b:fa:7e:0b:d0:46:97:bb:44:76:f5:aa:16:57:f3:0b:8c:69:
e5:59:94:25:7b:9f:5d:2b:80:1d:58:ea:d8:73:03:2e:04:7b:
5c:56:dc:c9:22:a2:bf:58:7f:2b:94:26:55:ee:9e:ee:80:d3:
5f:42:fb:fa:f3:4a:45:83:49:6a:b1:9c:86:57:a4:13:1e:dc:
99:22:e9:e2:10:d1:ba:94:d3:9b:8b:ea:85:be:46:cb:43:d0:
05:84:cf:7e:cf:a4:53:b5:32:c4:9a:6c:c4:fc:60:a1:07:58:
e2:fd:09:7e:83:00:33:06:5e:fa:ee:9e:87:72:2b:fd:9e:4e:
30:ee:6e:c9:d0:75:b5:4b:6d:40:9e:fb:59:e6:bd:3c:3c:76:
e2:da:d4:5f:24:cb:e9:49:31:76:87:37:c0:59:e2:a5:ba:3f:
68:9a:3d:70:36:71:c7:aa:c1:9b:3a:20:63:ca:06:68:b5:1e:
12:86:67:fe
print public key in CSR
openssl req -noout -pubkey -in "<path_to_csr>"
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3b6wsTwExNl4gci/DVIs
Z8PEFVSdQJVpPTXX3Yk3Ay3ciZHscrMdY80JeXwS/pMr7+ME60uIns9cBaBMGDZG
ApLgaKYfYN9loQqg1R3VntF0feKEeNYBg1CZ6j3rQX/pWXAiM1Nx69rleM0taMMQ
vfrmv5O8RTAPJJdJeckvGOqIF2vIDKEQ8oZWJ1/EZdU2dugEjAXXL6C4SH/JFFMo
cKI8iLzqwgJvZCjBvq228ruj/Yc3yqybfijfL942iVu0Q5NzLTYhWZgaxYPuenQw
XC4NJaggoB2VpR0U2HchfQLmUiaxZoHgWfyO+5ZZ9gv77626m9rMj4a4fjNC/PEP
jQIDAQAB
-----END PUBLIC KEY-----
Verify CSR
openssl req -text -noout -verify -in "<path_to_csr>"
verify OK
Certificate Request:
...
Review private/public key pair
After creating Request a Certificate From a Certificate Authority you can find the private/public key pair in Keychain Access. You are able to export it and review it. For example, the public key will be exported as a .pem certificate which you can read with a text editor.
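
The openssl commands above can be combined into a local check that runs before a CSR is uploaded, covering the two rejections reported earlier on this page: a key whose algorithm or size is not what the portal expects, and a request saved without a Common Name. This is an added example, not code from any of the answers; the helper names csr_key_type and csr_preflight, the subjects and the file names are made up for the demo, and the expected key type is passed in as a string such as "RSA 2048" or "ECC 256".

```shell
#!/bin/sh
# Added example: check a CSR locally before uploading it. Subjects and
# file names are constructed for the demo.

# Print "<ALG> <bits>", e.g. "RSA 2048" or "ECC 256".
csr_key_type() {  # usage: csr_key_type <csr.pem>
    text=$(openssl req -in "$1" -noout -text 2>/dev/null) || return 2
    bits=$(printf '%s\n' "$text" \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    case "$text" in
        *"Public Key Algorithm: rsaEncryption"*)  echo "RSA $bits" ;;
        *"Public Key Algorithm: id-ecPublicKey"*) echo "ECC $bits" ;;
        *) echo "UNKNOWN $bits" ;;
    esac
}

# Return 0 only if the self-signature verifies, a Common Name is present
# and the key type equals the expected "<ALG> <bits>" string.
csr_preflight() {  # usage: csr_preflight <csr.pem> "<ALG> <bits>"
    # Match on the message: some OpenSSL versions exit 0 on verify failure.
    openssl req -in "$1" -noout -verify 2>&1 | grep -q 'verify OK' \
        || { echo "bad self-signature"; return 1; }
    openssl req -in "$1" -noout -subject 2>/dev/null \
        | grep -Eq '(=|/|, ?)CN ?= ?[^,/ ]' \
        || { echo "no Common Name"; return 1; }
    found=$(csr_key_type "$1")
    [ "$found" = "$2" ] || { echo "key is $found, expected $2"; return 1; }
    echo "ok: $found"
}

d=$(mktemp -d); trap 'rm -rf "$d"' EXIT
# Constructed sample requests: RSA 2048, ECC P-256, and ECC without a CN.
openssl req -new -newkey rsa:2048 -nodes -keyout "$d/rsa.key" \
    -subj "/emailAddress=dev@example.com/CN=Dev Key" -out "$d/rsa.csr" 2>/dev/null
openssl ecparam -name prime256v1 -genkey -noout -out "$d/ec.key" 2>/dev/null
openssl req -new -key "$d/ec.key" \
    -subj "/emailAddress=dev@example.com/CN=Pay Key" -out "$d/ec.csr" 2>/dev/null
openssl req -new -key "$d/ec.key" \
    -subj "/emailAddress=dev@example.com" -out "$d/nocn.csr" 2>/dev/null

csr_preflight "$d/rsa.csr"  "RSA 2048"
csr_preflight "$d/ec.csr"   "RSA 2048" || true   # wrong algorithm and size
csr_preflight "$d/nocn.csr" "ECC 256"  || true   # Common Name missing
```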
