Closely related to How to generate CSR when IIS is not installed.
I also do not have this installed. I am developing a mobile application for iOS, and i am trying to obtain a provisioning file so i can test my app locally. In the process of acquiring this, i am asked for a .csr file, and it instructs me on how to build this on my Mac. Except i don't have a mac, i have a PC, and my company exclusively uses PCs. I need this certificate, without having access to a Mac.
i have seen and used this CSR generator, but it gives me the key and request in long strings of characters, and i need a .csr file to upload to Apple.
Pasting it in notepad and changing the extension to .csr didn't work either :/
Does anyone have any insights on this?
You can install OpenSSL for windows and generate CSR file with this command:
openssl req -nodes -newkey rsa:2048 -keyout private_key.key -out cer_sign_request.csr
You'll be asked for a few questions which are optional (press ENTER).
This will generate a private key (such in keychain access) and a certification signing request as csr file.
For those who want an easy to use graphical interface, Digicert has a "Digicert Utility" that is pretty solid. You can use it to create a CSR. It doesnt give you back a private key, so you need to import your self signed or CA certificate to complete the installation of the certificate. Once installed, you can export it as a pfx or crt/key bundle.
set OPENSSL_CONF=c:\OpenSSL\openssl.cnf
if saved in c:\openssl
You can download this example fileopenssl-dem-server-cert-thvs.cnf
rename openssl
ren cert-thvs.cnf openssl.cnf
Related
I'm using mitm on ios to test some app, but since yesterday I can't log in any website, or even use google.
It seems that the certificate has expired on the 28/06.
I've tried to download a new one on mitm.it, but it's already expired.
Do someone have any idea how i can bypass that ?
You can force mitmproxy to generate a totally new root CA certificate by simply deleting the old one.
Mitmproxy stores the root CA certificate and it's key in the directory ~/.mitmproxy (mitmproxy config directory in your home directory on the computer running mitmproxy).
If you rename or delete that directory and restart mitmproxy a new root-CA certificate will be generated.
Then you can install this new certificate as usual via http://mitm.it
According to the documentation of the InstallAppleCertificate task, there is a certSecureFile parameter that looks for the certificate in the "Secure Files":
https://learn.microsoft.com/en-us/azure/devops/pipelines/tasks/utility/install-apple-certificate?view=azure-devops
However in my organization I don't have the permission to upload secure files:
Any other way to select a certificate that isn't uploaded to "Secure Files" for this task?
They did gave me a separate keyvault which I can perfectly link to the pipeline build and get files/secrets from in bash scripts. Yet this InstallAppleCertificate task doesn't allow me to use those instead. I wouldn't even mind to put the certificate in my source repo (I know I shouldn't do this).
The certSecureFile field in InstallAppleCertificate task needs to use the .p12 file in secure file.
I am afraid that files that are not in the secure file cannot be used.
Based on my test, when I use the file from local machine, it will show the following error:
This means that before running the build, it will retrieve the files in the secure file. And the file needs to exist in secure file.
Since you could get the files/secrets , you could try to install the Apple Certificate(.p12 file) via script.
security import ./xxx.p12 -P secretPassword
Here is a thread about install .p12 or .cer in console macos.
I do develop delphi programs that people do download.
Problem is when downloading them, they receieve an alert
"The publisher cannot be verified."
How can I add my publisher name into my delphi programs ?
You need a code-signing certificate, and need to digitally sign your executable using that certificate.
Search for [windows] code signing here at StackOverflow. There are tons of questions here on the topic; any and all of them (regardless of language used) for Windows applications apply to Delphi as well. Here is a start for you., and here's another one with links to resources. (Both links are here at StackOverflow, and not external sites.)
This is how I created a test certificate for my setup executable (produced by Inno Setup).
I used:
makecert -r -pe -ss MyCertStore -n "CN=MyTestCert" MyTestCert.cer
signtool sign /s MyCertStore /n MyTestCert MyApplication.exe
I could find these tools under:
"c:\Program Files (x86)\Microsoft SDKs\Windows\v7.1A\Bin\"
Dont forget to install MyTestCert.cer under trusted providers, otherwise the MyApplication.exe will still show unknown publisher. Check with certmgr.exe which I could find in the same folder.
Worked for me on Win7x64.
For final signing you need a commercial code signing certificate, the cheapest I could find was from Comodo (about $70 a year).
In my app I'm using https and a self-signed SSL certificate to secure the connection between my client and the server.
I was trying to have the AFNetworking library do SSL Pinning on a copy of my certificate bundled in the app.
In the AFURLConnectionOperation header I defined both:
#define _AFNETWORKING_ALLOW_INVALID_SSL_CERTIFICATES_ =1
#define _AFNETWORKING_PIN_SSL_CERTIFICATES_ =1
And before calling the start on my AFJSONRequestOperation I set the SSLPinningMode property to AFSSLPinningModeCertificate.
But when trying to perform a JSON request I keep getting the following error:
Error Domain=NSURLErrorDomain Code=-1012 "The operation couldn’t be completed.
(NSURLErrorDomain error -1012.)" UserInfo=0x758f120
{NSErrorFailingURLKey=https://mydomain.com,
NSErrorFailingURLStringKey=https://mydomain.com}
In the AFURLConnectionOperation header I read that the SSL Pinning works with .cer certificates but in my self-hosted OS X webserver I have a .crt certificate.
Is this the problem? Is there a way to make AFNetworking work with .crt?
On a windows box I converted my .crt to .cer and tried to bundle that into my app but I still get the same error. Should I try to switch the .crt file with the newly created .cer even on the server side?
I got it working.
I was in the situation where I had created a self-signed cert for to hit my own server API from my iOS App.
I created my cert with OpenSSL. When I was done creating it, I had several files, one of which was "server.crt". Initially, I tried just renaming it to "server.cer", and using "AFSSLPinningModeCertificate" for my AFURLConnectionOperation objects. That did not work, and I noticed the example uses "AFSSLPinningModePublicKey", so I tried that, still no luck.
So I compared my file (that was the renamed ".crt" file) to his.
I noticed that "server.crt" was base64-encoded, and like this:
-----BEGIN CERTIFICATE-----
394230AFDFD...
-----END CERTIFICATE-----
I noticed from Mattt's example in AFNetworking that the "adn.cer" file he uses is not base64-encoded. It is just raw bytes.
So, I did this:
$ base64 -D -i ./server.crt -o ./server.cer
I set my AFURLConnectionOperation to AFSSLPinningModePublicKey.
I put that back in the project and did a clean and build of my iOS project, and everything worked fine.
Hope this helps!!
Btw, you may notice that Xcode will display info for for your ".crt" or ".cer" key whether it is the base64 or the raw one, so don't let that confuse you. You should be able to see the certificate data in either case, it's just that AF will only accept the raw (non-base64) one.
UPDATE:
Anyone having trouble with base64, this what works for me on OS X using OpenSSL:
$ openssl base64 -d -in ./server.crt -out ./server.cer
If you're using AFNetworking 2.x, and you're using the correct .cer but still receiving error code -1012 on your calls, you should disable validatesCertificateChain:
AFSecurityPolicy *securityPolicy = [AFSecurityPolicy policyWithPinningMode:AFSSLPinningModePublicKey];
securityPolicy.validatesCertificateChain = NO;
or you can pass it all in the entire certificate chain in pinnedCertificates.
Your certificate must have the extension cer not crt and should be in .der format. Add output file to your Xcode project.
You can use following command:
openssl x509 -in your.crt -out certificate_cer.cer -outform der
I'm working on an MDM NodeJS server for iOS. On the Apple docs, the following ruby code is given :
p7sign = OpenSSL::PKCS7::PKCS7.new(req.body)
store = OpenSSL::X509::Store.new
p7sign.verify(nil, store, nil, OpenSSL::PKCS7::NOVERIFY)
signers = p7sign.signers
What would be the equivalent in NodeJS?
The idea is to access p7sign.data that contains an xml plist.
Is this possible using either crypto or an external node lib (ursa, etc)?
A good option would be to use child_process to invoke openssl directly. I do that to validate iOS .mobileprovision files.
$ openssl smime -verify -in FILE -inform der
The openssl command needs to be the apple-provided (not from ports or homebrew) so that it can find signing certificates and CA's in the keychain.
I haven't tried this myself, but the node-forge library contains an implementation of many cryptographic algorithms.
https://npmjs.org/package/node-forge#pkcs7