Cannot convert apple developer_identity.cer into .p12 format. No certificate matches private key

Question

i have following problem:

i have these files

developer_identity.cer

Team_Provisioning_Profile_.mobileprovision

In order to package adobe flex mobile application for iOS, i need to convert my .cer certificate into .p12 format. Following this tutorial on help.adobe.com i always get this problem when executing last openssl command:

"no certificate matches private key
error in pkcs12"

From what i understand i need somehow to get private key, that was used to create the certificate (do i understand this well??). How do i get the private key mykey.key if i only have .cer and .mobileprovision files mentioned above?

Answer 1

OpenSSL says no certificate matches private key when the certificate is DER-encoded. Just change it to PEM encoding before creating the PKCS#12.

1. Create key pair : openssl genrsa -out aps_development.key 2048

2. Create CSR : openssl req -new -sha256 -key aps_development.key -out aps_development.csr

3. Upload the CSR to developer portal to get the certificate aps_development.cer

4. Convert the certificate: openssl x509 -inform DER -outform PEM -in aps_development.cer -out aps_development.pem

5. Build the PKCS#12: openssl pkcs12 -inkey aps_development.key -in aps_development.pem -export -out aps_development.p12

Answer 2

The .cer does not contain your private key and you cannot generate your .p12 file from it. You have to export them both at the same time from keychain. If you only have the .cer file, it's useless and you will have to create a new private key and certificate pair.

Answer 3

Not sure you can get your private key if you lost it.

The key is created when you request the certificate so you could request a new certificate and that should give you a private key.

Answer 4

You open the program Keychain Access found under Applications/Utilities. Under categories list to the right you select "My Certificates".

This gives you a list over all the certificates installed in your keychain. In case you are unfamiliar with what the keychain is. It is basically a secure database containing your login passwords, certificates, private keys etc.

When you download a certificate, you should double click it to import it into your keychain.

Then you can find your certificate in the list of "My Certificates". If you expand the certificate you are interested in finding the private key for, it should be shown right below the Certificate.

I bet you just followed a guide and did the steps and isn't totally sure exactly what you did. We all do right ;-)

How this works is that you initially create a public and private key together in the keychain access program. Generally in encryption, the way you use these is that you give your public key to somebody and then they can encrypt a message and send to you. Only the person with the private key that was made together with this public key can decrypt the message.

But anybody who gets your public key can't know for sure whether it is REALLY from you. This is where certificates come in. A third party like Apple trusted by most people will sign your public key, that creates a certificate. So what you probably did earlier was sending your public key to Apple which signed it and thus creating a certificate you could download.

Let me give you the short version:

1. Key Chain Access is used to create a public/private key
2. You create a certificate signing request with your public key. This is basically a file containing your public key asking Apple to create a certificate from this public key.
3. Apple adds a bunch of info about you and the purpose of the public key as well as adding the public key itself to a file which becomes the certificate. Then apple signs that.
4. You download the certificate.
5. Double click and import certificate to your keychain.