25

For aesthetic reasons, I would like to use the same private key that I used to create my distribution certificate a while ago, to create a new development certificate (my old one expired). But the "How to create a development certificate:" on the iOS provisioning portal requires that you use Keychain Access to create a new key. When I try to do Keychain Access > Certificate Assistant > Request a Certificate From a Certificate Authority With "(my key name)", the Certificate Assistant doesn't actually create a CSR file.

Does anyone know if this can be done, and if so, how?

Simon Woodside

4 Answers

54

First, I had to export my private key from the keychain as a p12 file. I tried scripting this, but was unsuccessful.

  1. Open keychain and select your private key
  2. Right-click and select "Export "
  3. Use a p12 file type.

Run the following openssl command to convert your password-protected p12 file to a pem. openssl will prompt for a password.

openssl pkcs12 -in your-newly-exported-p12-file.p12 -out your-newly-exported-p12-file-as-a-pem.pem -nodes

Run the following command on your pem file to generate the csr.

openssl req -new -key your-newly-exported-p12-file-as-a-pem.pem -out your-csr-to-submit-to-apple.csr
Heath Borders
  • Works great. Openssl will ask you for a bunch of metadata. I supplied my email but nothing else. Also, provisioning profiles still show "expired" after generating the new cert. To renew them, click "Modify", drop down the "App ID" box and select the same thing already selected (nice design Apple), and click "Save". – DougW Feb 10 '12 at 19:40
  • Thanks... I was trying to get Push Notifications working on an iPhone app, and once I created the Certificate in the Provisioning Profile and downloaded it, I added it to Keychain Access. I then select BOTH the Certificate I just added AND the private key used to create the certificate's CSR, and then right-click and click Export 2-Items as p12. I then used the "openssl pkcs12" line above to convert from p12 to a pem that can be used for sending push notifications. – jsherk May 05 '12 at 15:39
  • Thanks man, thank you very much, you really saved my time :) Thumbs up – Waqas Haider Sheikh Nov 07 '14 at 19:40
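
The export, conversion and CSR steps from the answer above as one script, added here as an example and not part of the original answer. It extracts only the private key, keeps the unencrypted PEM in an owner-only temporary file that is deleted on exit, and checks that the CSR carries the same public key as an existing PEM certificate; the function names, the P12_PASS variable and the file paths are assumptions.

```shell
#!/bin/sh
# Added example. Function names, file paths and P12_PASS are assumptions.

# csr_from_p12 P12 CSR SUBJECT
# Extract only the private key from the exported .p12 and write a CSR for it.
# -nodes leaves the key unencrypted, so it lives in an owner-only temp file
# that the EXIT trap deletes when this subshell finishes.
csr_from_p12() (
    p12=$1 csr=$2 subj=$3
    umask 077
    key=$(mktemp) || exit 1
    trap 'rm -f "$key"' EXIT
    # If P12_PASS is exported it supplies the export password;
    # otherwise openssl prompts for it, as in the answer.
    openssl pkcs12 -in "$p12" -nocerts -nodes -out "$key" \
        ${P12_PASS+-passin env:P12_PASS} || exit 1
    openssl req -new -key "$key" -subj "$subj" -out "$csr"
)

# same_pubkey CSR CERT_PEM
# Succeeds only if the CSR holds the same public key as an existing
# PEM certificate, e.g. the distribution certificate issued for that key.
same_pubkey() {
    csr_pub=$(openssl req -in "$1" -noout -pubkey) || return 1
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey) || return 1
    [ -n "$csr_pub" ] && [ "$csr_pub" = "$crt_pub" ]
}

# Usage: sh make-csr.sh key.p12 new.csr SUBJECT [existing-cert.pem]
if [ "$#" -ge 3 ]; then
    csr_from_p12 "$1" "$2" "$3" || exit 1
    if [ -n "${4-}" ] && ! same_pubkey "$2" "$4"; then
        echo "CSR key does not match $4" >&2
        exit 1
    fi
    echo "wrote $2"
fi
```

A certificate downloaded as a .cer file is typically DER-encoded; convert it with `openssl x509 -inform DER -in file.cer -out file.pem` before passing it as the fourth argument.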
4

To generate a CSR from an existing Private Key in Keychain Access, just right-click (two-finger click) on the Private Key you want to use and choose REQUEST A CERTIFICATE FROM A CERTIFICATE AUTHORITY WITH "(My Key Name)"

Then enter the User Email Address and CA Email Address (I just use the same email address for both) and then choose Saved To Disk.

jsherk
2

Are you comfortable with OpenSSL and the command-line? There's a discussion on a mailing list about creating the CSR manually. FWIW, I wasn't able to create a CSR using a selected key in Keychain Access/Certificate Assistant either.

gnuf
0

I went through this hell today. I wanted to automate the export of a key to create the CSR via the command line. I found a tool written in C that promised what I wanted: keychain_access. I compiled and played around with it but wasn't able to export my distribution key. I created the tool again from scratch with the newest Apple security APIs and keychain item attribute printing, but still wasn't able to find the key by label. I was able to list it with no label search. In a desperate attempt I renamed the key in the Keychain Access tool and renamed it back to the old name. After that my tool finally picked up the key by label. And the right-click REQUEST A CERTIFICATE FROM A CERTIFICATE AUTHORITY WITH "(My Key Name)" started to work again as well. It seems that the name was saved in a different encoding or something. Not even Apple's own Keychain Access tool was able to find the key!

Larusso