22

I have a shed load of 'aps_developer_identity.cer' certificates exported from iPhone Developer portal. They were all created using the same Certificate Signing Request and (thus) the same private key. If I export just the private key from the Apple Key Chain is it then possible to take the private key and the 'aps_developer_identity.cer' and use openssl to create merged p12/pkcs#12 certificate that I can use on my (Windows) server.

Just to be clear, I know how to get a merged p12 from the Key Chain by exporting both the private key and certificate together, but I want to remove all the extra mouse clicking and typing if I can.

Kara
  • 6,115
  • 16
  • 50
  • 57
withakay
  • 983
  • 1
  • 8
  • 14
  • 1
    "They were all created using the same Certificate Signing Request" - Why? In that case they would all be named the same common-name, what is the purpose of this? – NoBugs Feb 02 '15 at 19:06

3 Answers3

42

I managed to work this out, it just needs wrapping up in a shell script and it is good to go. I am assuming you have downloaded and renamed your 'apple_developer_identity.cer' certificate, here I use 'test.cer', and that you have also exported your developer key from your keychain, in the example below named 'private_dev_key.p12'.

#convert *.cer (der format) to pem
openssl x509 -in test.cer -inform DER -out test.pem -outform PEM

#convert p12 private key to pem (requires the input of a minimum 4 char password)
openssl pkcs12 -nocerts -out private_dev_key.pem -in private_dev_key.p12

# if you want remove password from the private key
openssl rsa -out private_key_noenc.pem -in private_key.pem

#take the certificate and the key (with or without password) and create a PKCS#12 format file
openssl pkcs12 -export -in test.pem -inkey private_key_noenc.pem -certfile _CertificateSigningRequest.certSigningRequest  -name "test" -out test.p12

NOTE: If you think this all a bit long winded to achieve what can be done with a few mouse clicks and the typing of the name of a file, then consider the case where you have 20 Apps that you want to enable for notifications. Each App has a development and production certificate, which expire in 4 and 12 months respectively. That is a very boring and error prone job...

James Ward
  • 29,283
  • 9
  • 49
  • 85
withakay
  • 983
  • 1
  • 8
  • 14
  • where does the "_CertificateSigningRequest.certSigningRequest" come from? I remember having this file once in the very beginning when creating a dev cert O_o – Marc Seeger Jan 06 '11 at 18:55
  • There are detailed instructions of how to create the CSR here: http://jainmarket.blogspot.com/2009/11/generate-apple-push-notification.html I added the underscore to mine because I keep in the same folder as all my other certs and that way it is the first in the list... – withakay Jan 28 '11 at 02:30
  • 4
    The _CertificateSigningRequest.certSigningRequest issue is absolutely unclear and needs to be explained. The link doesn't elaborate on this. I know how to produce one with keychain but am constantly getting the error "No certificate matches private key" when I use it in the above script... why? exactly what certSigningRequest is being referred to in the above? – Zigglzworth Jul 23 '12 at 10:34
  • Thanks for posting this. Hugely helpful. – Jason Dufair Sep 14 '12 at 01:18
4

Awesome work here. Thanks for the real help guys. I have dropped in my shell script below that may help others. I have several of the keys to deal with and wanted a script as well. This script will output static names for the output files (though that would be simple to change).

I hope it helps someone else.

example usage (assuming script name):

$ . thisScript request_file.cer priv_key.p12 aps_dev.cer

The script:

if [ $# -ne 3 ]
then
echo "Error in $0 - Invalid Argument Count"
echo "Syntax: $0 request_cer_file p12_file app_cer_file output_filename"
echo "  - request_cer_file      is the request file you sent to apple"
echo "  - p12_file          is found in your keychain (it's the private key)"
echo "  - app_cer_file          is found on App ID screen from Apple"
else

reqFile=$1
p12File=$2
cerFile=$3

certPEM='apn_cert.pem'
pKeyPEM='apn_pkey.pem'
pKeyNoEncPEM='apn_pkey_noenc.pem'
p12FileOut='apn_cert_key.p12'

# remove old
rm $certPEM
rm $pKeyPEM
rm $pKeyNoEncPEM
rm $p12FileOut

#convert *.cer (der format) to pem
openssl x509 -in $cerFile -inform DER -out $certPEM -outform PEM

#convert p12 private key to pem (requires the input of a minimum 4 char password)
openssl pkcs12 -nocerts -out $pKeyPEM -in $p12File

# if you want remove password from the private key
openssl rsa -out $pKeyNoEncPEM -in $pKeyPEM

#take the certificate and the key (with or without password) and create a PKCS#12 format file
openssl pkcs12 -export -in $certPEM -inkey $pKeyNoEncPEM -certfile $reqFile  -name "apn_identity" -out $p12FileOut

#
#   
#   If all things worked then the following should work as a test
#   openssl s_client -connect gateway.sandbox.push.apple.com:2195 -cert apn_cert.pem -key apn_pkey_noenc.pem 
#
#
echo "Looks like everything was successful"
echo "Test command:"
echo "openssl s_client -connect gateway.sandbox.push.apple.com:2195 -cert apn_cert.pem -key apn_pkey_noenc.pem"
echo
fi
bladnman
  • 2,591
  • 1
  • 25
  • 20
-4

You can make p12/pkcs#12 certificate directly in keychain. No need of executing any command.

1.double click on your developer/production cert file downloaded from apple dev site.(It'll be added in keychain)

2.I assume you have .p12 file which you got from exporting private key

3.go to My Certificates tab under keychain.

just click on your dev/prod certificate for APN.it should show private key associated with it

4.Right click and Export certificate in .p12 format

thats final .p12 file !!

virata
  • 1,882
  • 15
  • 22
  • 1
    I don't think you read the question before posting this answer. OP clearly states that they do NOT want to use Keychain. – Jonathan Oct 29 '14 at 04:34