
I don't have any OSX device available, but would like to enable sending push notifications to iOS devices (to an application a third party is going to implement). My plan is to use Parse as a push notification service and they only have instructions that use Keychain available.

I tried my luck but their web application always rejects my requests and all guides I could find online only reference the Keychain application.

The command I initially tried was:

openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key

Then I filled out all the fields I was prompted for. This is the result after uploading the CSR to the Apple Push Certificates Portal:

[screenshot of the portal's rejection message]

The "proper format" link points to the IT management page.

Oliver Salzburg

3 Answers


How can I create an Apple Push Certificate without Keychain?

It depends on what you want to use, but you have not specified what you want to use (other than not Keychain).

The instructions below will get you your CSR, but Apple will have to sign it and provide you with the certificate (if I am reading Programming Apple Push Notification Services correctly).


I tried my luck but their web application always rejects my requests and all guides I could find online only reference the Keychain application.

Forgive my ignorance... Do you have an iOS Developer account?


Here's what a Keychain-generated CSR looks like. It's from an old (or perhaps current) developer account (I changed the name and email address in the dump):

$ openssl req -text -in CertificateSigningRequest.certSigningRequest 
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: emailAddress=jdoe@example.com, CN=John Doe, C=US
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c4:c7:10:f4:62:74:f3:41:57:b6:1e:c7:23:51:
                    8d:bc:7c:6e:14:52:f3:c9:44:92:46:be:64:10:ec:
                    c8:cf:45:a6:7c:35:09:2d:b7:a0:f9:0b:9c:7a:cb:
                    f9:ba:49:de:cf:fa:0c:d5:5b:cc:cc:02:41:8c:d0:
                    e7:79:57:0a:46:b6:9c:99:b2:ae:3e:0e:a6:35:35:
                    f3:b8:7a:96:0c:25:eb:cf:7e:9a:d3:88:f1:49:ad:
                    80:3d:42:f2:6b:86:a3:1b:5e:34:fa:49:77:ea:f4:
                    e6:3c:af:c5:5d:32:ec:63:fe:c5:e9:ff:0f:f3:42:
                    f6:c0:d9:b5:90:27:ab:57:e2:2d:8b:23:ab:d3:90:
                    3e:40:74:fc:80:a3:ed:70:ec:e2:27:a3:64:fa:f8:
                    f7:28:b2:66:8e:ab:fa:aa:13:a2:53:ba:b4:7e:15:
                    61:a5:79:46:66:c8:d6:3e:0b:37:9a:a7:eb:53:91:
                    3b:fc:d8:52:14:51:99:8e:6e:c6:57:a0:95:d4:4f:
                    f7:1d:fc:66:b2:a2:f1:dd:ff:83:46:2b:09:3e:87:
                    d0:c2:d7:5e:27:0f:ff:78:9f:e8:6a:32:61:54:f0:
                    d1:e8:d1:5c:1c:b5:01:8e:2b:51:04:ac:4a:15:d3:
                    12:3f:71:fb:e3:8d:da:6d:2a:00:9d:06:bd:e8:3e:
                    5b:7d
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha1WithRSAEncryption
         3e:4e:ce:7a:db:16:23:93:60:02:4b:23:6d:a3:46:fb:62:01:
         18:9e:a6:ce:d7:6e:c9:14:16:47:e8:63:ca:5c:a0:f2:ca:b1:
         61:6d:72:38:ce:1b:17:ee:f8:51:f8:34:a1:53:25:2c:f1:a2:
         ed:44:0c:62:ca:d9:14:82:8b:24:5d:0e:ea:38:2d:01:09:65:
         d8:9e:41:ec:84:fe:ac:f3:cd:d7:df:06:a6:30:fe:12:d8:c6:
         e5:ed:b0:fc:f3:7a:6d:83:b4:d5:f2:77:4f:75:22:27:15:27:
         e1:00:ed:70:e5:e8:5d:2f:2a:18:ad:c0:fb:4e:f8:d5:6d:68:
         1b:0a:44:81:de:5c:1c:07:46:b8:e1:9c:64:c9:9a:14:55:90:
         00:c0:6b:90:ed:bb:c9:92:50:9c:c1:6f:f6:a0:bf:b4:25:b7:
         0c:e4:69:b5:30:29:29:f8:3c:a9:0b:b1:37:71:7c:53:d0:45:
         65:8a:24:34:6f:25:ab:ff:63:cb:8d:a7:62:f9:c8:58:a9:b4:
         f0:8a:c2:5e:fc:74:06:e2:d5:38:05:d5:4e:ef:67:42:f9:f8:
         7f:b5:6c:0e:07:31:15:c3:b5:a3:61:fb:be:7d:9c:3c:b0:b4:
         01:8c:33:e8:86:07:9e:9a:72:af:22:f3:ab:a0:33:1f:f6:5f:
         43:a1:35:8f
-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----

And:

$ openssl asn1parse -inform PEM -in CertificateSigningRequest.certSigningRequest 
    0:d=0  hl=4 l= 654 cons: SEQUENCE          
    4:d=1  hl=4 l= 374 cons: SEQUENCE          
    8:d=2  hl=2 l=   1 prim: INTEGER           :00
   11:d=2  hl=2 l=  73 cons: SEQUENCE          
   13:d=3  hl=2 l=  33 cons: SET               
   15:d=4  hl=2 l=  31 cons: SEQUENCE          
   17:d=5  hl=2 l=   9 prim: OBJECT            :emailAddress
   28:d=5  hl=2 l=  18 prim: IA5STRING         :jdoe@example.com
   48:d=3  hl=2 l=  23 cons: SET               
   50:d=4  hl=2 l=  21 cons: SEQUENCE          
   52:d=5  hl=2 l=   3 prim: OBJECT            :commonName
   57:d=5  hl=2 l=  14 prim: UTF8STRING        :John Doe
   73:d=3  hl=2 l=  11 cons: SET               
   75:d=4  hl=2 l=   9 cons: SEQUENCE          
   77:d=5  hl=2 l=   3 prim: OBJECT            :countryName
   82:d=5  hl=2 l=   2 prim: PRINTABLESTRING   :US
   86:d=2  hl=4 l= 290 cons: SEQUENCE          
   90:d=3  hl=2 l=  13 cons: SEQUENCE          
   92:d=4  hl=2 l=   9 prim: OBJECT            :rsaEncryption
  103:d=4  hl=2 l=   0 prim: NULL              
  105:d=3  hl=4 l= 271 prim: BIT STRING        
  380:d=2  hl=2 l=   0 cons: cont [ 0 ]        
  382:d=1  hl=2 l=  13 cons: SEQUENCE          
  384:d=2  hl=2 l=   9 prim: OBJECT            :sha1WithRSAEncryption
  395:d=2  hl=2 l=   0 prim: NULL              
  397:d=1  hl=4 l= 257 prim: BIT STRING   

So the trick is probably to build the Subject correctly, and omit the additional fields often found in a CSR. That is, the Subject DN should be similar to emailAddress=jdoe@example.com, CN=John Doe, C=US as above.

You can do that with openssl req and the -subj argument. The man page is req(1), and it's probably easiest to understand the -subj switch with an example (shown below).


The following appears to generate an equivalent CSR.

$ openssl req -out ./test.csr -new -newkey rsa:2048 -sha1 -nodes -keyout ./test.key -subj "/emailAddress=jdoe@example.com/CN=John Doe/C=US"
Generating a 2048 bit RSA private key
...............+++
...+++
writing new private key to './test.key'

And here's the dump:

$ openssl req -text -in test.csr 
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: emailAddress=jdoe@example.com, CN=John Doe, C=US
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:aa:f8:4e:3a:0b:51:dd:3e:cd:ba:f4:be:e9:3a:
                    84:88:b4:ec:11:97:c1:0f:f5:96:49:77:5c:8f:39:
                    81:09:69:29:cd:bc:8e:cd:79:2a:58:bd:d5:f8:10:
                    41:dc:e3:a7:b7:78:a8:cb:1e:d3:8b:0b:4e:e7:26:
                    5b:7d:1d:ee:fc:1d:60:9a:73:cf:6d:95:1a:9a:6f:
                    98:8a:4c:af:a3:3f:95:21:70:ee:7d:81:c6:d0:0c:
                    32:ee:46:cc:d5:02:83:58:82:04:f9:02:6e:56:68:
                    66:93:7c:d5:5f:91:2d:bb:af:e5:e8:71:d7:6e:53:
                    22:3d:66:c2:66:a8:c1:a2:62:4c:10:0d:e7:57:2e:
                    1f:20:f3:ed:15:b6:10:69:c9:61:39:4d:1c:56:a9:
                    b0:f5:ba:8e:48:fb:23:27:1a:e0:40:c2:be:74:80:
                    79:76:15:a4:6e:da:7d:76:4e:ec:88:fc:cd:5d:11:
                    f1:cc:68:5c:c8:2d:98:e8:a9:8d:8c:27:9b:b3:80:
                    87:36:53:d5:67:ab:f1:0a:07:a9:ab:96:c1:43:9f:
                    8d:4d:d6:b1:22:12:6c:43:58:ef:b5:89:3c:40:ea:
                    8c:81:24:68:88:7c:26:a5:2f:55:d3:86:69:ca:3f:
                    78:21:44:d4:6c:8b:66:de:35:0a:ce:6d:7b:a5:17:
                    28:f5
                Exponent: 65537 (0x10001)
        Attributes:
            a0:00
    Signature Algorithm: sha1WithRSAEncryption
         37:52:8c:a8:d4:b2:00:9e:e9:da:10:28:27:17:a3:68:46:1d:
         aa:b0:e9:bb:d8:5e:ae:ef:8f:a7:f4:6b:98:43:28:1f:9b:3b:
         e5:4d:7d:14:3c:bf:58:4f:1a:20:52:ae:90:77:bb:4b:92:a7:
         9c:54:b0:67:a6:75:9d:93:1c:aa:21:f9:8a:74:5d:f3:90:60:
         d4:de:12:03:9b:32:94:d8:49:5e:13:f3:5c:bc:0c:fc:ce:06:
         7e:2e:d8:06:94:af:d2:1d:ab:83:dc:59:3a:83:24:54:02:f9:
         e8:7d:e9:d8:1b:82:1a:99:75:26:70:6e:31:f2:ca:0d:12:f0:
         a2:23:7c:dc:b0:59:fc:80:d4:3f:1f:7a:2f:25:7b:16:9d:7e:
         c5:82:d2:1b:29:df:43:7f:81:4e:00:56:af:44:12:3a:0c:b4:
         8b:f9:ba:15:b9:bd:3a:3e:fa:6e:95:37:47:62:29:1f:c4:12:
         6d:cd:94:55:e7:6f:83:c1:37:8d:65:74:b1:dd:7f:9f:74:d4:
         aa:0e:ff:ed:c5:23:d6:83:e8:dc:d7:10:44:57:2b:4b:6f:ec:
         8d:75:da:e3:55:dd:62:e9:46:ed:f8:ae:5d:f4:19:a3:52:c2:
         cc:9d:9e:14:4b:b1:76:10:90:c1:4b:f6:ce:c0:92:b5:e6:a2:
         bc:d8:36:b9
-----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----
jww
  • Using openssl, as you suggested here, is definitely the preferred solution. I just didn't want to narrow down possible solutions. I don't think I have an iOS developer account. I just have an Apple developer account which I used for Safari extension development. But I can get to a web form where I can submit a CSR and supposedly retrieve a p12 certificate for whatever. – Oliver Salzburg Jan 29 '14 at 11:24
  • Sadly, that CSR was rejected as well :( – Oliver Salzburg Jan 29 '14 at 11:32
  • Oliver - I believe those push notifications are processed through the iOS Developer portal. Unfortunately, I cannot check it even though I have an iOS Dev account. Apple's login shit is still broken for me from their data breach last year. So I can't do anything through their web interfaces (Xcode and iTunes work fine, however). – jww Jan 29 '14 at 17:31

Since the 3rd party is going to implement the iOS app, they should have an iOS developer account and Mac, so it should be very easy for them to create this certificate as part of setting up the iOS app (which they will need to do anyway).

auspicious99

After having trouble with Keychain yet again, I finally took the time to try this again.

@jww's approach seems fine to me, no idea why it didn't work, but this is what we're using now and it's working well:

# Generate an unencrypted 2048-bit RSA private key
openssl genrsa -out aps-production.key 2048
# Generate a signing request for that key. RDNs in -subj are separated
# by '/', not by spaces: with spaces, "CN=..." and "C=..." would be folded
# into the emailAddress value as a single RDN.
openssl req -new -sha1 -key aps-production.key -subj '/emailAddress=my@email.address/CN=My Certificate Name/C=DE' -out aps-production.csr

Make sure to use the correct C=XX country code in the subject.

Also, note that on MinGW/MSYS (used with Git Bash on Windows), you'll have to escape the subject differently.

Oliver Salzburg
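Putting jww's and Oliver Salzburg's answers together as an added example (this script is mine, not code from either answer, and it has not been run against Apple's portal): it generates the key and the CSR with OpenSSL alone, using the '/'-separated -subj form from jww's answer, and then checks the CSR the way the two dumps above were read: the self-signature verifies, the key is RSA-2048, the subject is exactly emailAddress, CN, C with no requested extensions, and the public key in the CSR is the one derived from the private key you will later pair with the certificate Apple returns. The file names (aps-production.*), the helper names, jdoe@example.com, and the use of -sha256 rather than the thread's -sha1 are my choices; the MSYS remark in the comments assumes Git for Windows honours MSYS_NO_PATHCONV.

```sh
#!/bin/sh
# Added example, not code from the answers above: build an APNs-style CSR
# with OpenSSL only, then check that it has the shape of the Keychain dump
# (subject emailAddress, CN, C; RSA 2048; no requested extensions) and that
# it belongs to the private key you will later bundle into the .p12.
# File names (aps-production.*) and helper names are illustrative.
set -eu

# make_aps_csr BASENAME EMAIL COMMON_NAME COUNTRY
# Writes BASENAME.key (unencrypted RSA-2048) and BASENAME.csr.
# RDNs in -subj are separated by '/', never by spaces: a space is legal
# inside a value ("John Doe"), but "/emailAddress=a CN=b C=US" becomes one
# emailAddress RDN whose value is "a CN=b C=US".
make_aps_csr() {
    base=$1 email=$2 cn=$3 country=$4
    openssl genrsa -out "$base.key" 2048 2>/dev/null
    # Git Bash (MSYS) rewrites arguments that start with '/' as Windows
    # paths; running with MSYS_NO_PATHCONV=1 or writing '//emailAddress=...'
    # avoids that (assumption: current Git for Windows honours the variable).
    openssl req -new -sha256 -key "$base.key" \
        -subj "/emailAddress=$email/CN=$cn/C=$country" \
        -out "$base.csr"
}

# check_aps_csr CSR KEY [EXPECTED_SUBJECT]
# Prints "ok" and returns 0 when every check passes; otherwise prints the
# first failing check and returns 1.
check_aps_csr() {
    csr=$1 key=$2
    want=${3:-}
    # 1. The CSR's self-signature must verify with the key it carries.
    if ! openssl req -in "$csr" -noout -verify >/dev/null 2>&1; then
        echo "self-signature does not verify"; return 1
    fi
    text=$(openssl req -in "$csr" -noout -text)
    # 2. RSA-2048, as in the Keychain dump.
    if ! printf '%s\n' "$text" | grep -q 'Public-Key: (2048 bit)'; then
        echo "key is not RSA-2048"; return 1
    fi
    # 3. Keychain emits an empty attribute set; no extension request.
    if printf '%s\n' "$text" | grep -q 'Requested Extensions'; then
        echo "CSR carries extension attributes"; return 1
    fi
    # 4. Subject order and content. Normalise both the
    #    'emailAddress = x, CN = y, C = Z' (1.1/3.x) and the
    #    '/emailAddress=x/CN=y/C=Z' (1.0) print styles to 'emailAddress=x, CN=y, C=Z'.
    subj=$(openssl req -in "$csr" -noout -subject -nameopt oneline \
        | sed 's/^subject= *//; s/ = /=/g; s#^/##; s#/#, #g')
    if [ -n "$want" ] && [ "$subj" != "$want" ]; then
        echo "subject is '$subj', expected '$want'"; return 1
    fi
    # 5. The public key in the CSR must be the one derived from KEY; this is
    #    the key the returned certificate will be paired with in the .p12.
    csr_pub=$(openssl req -in "$csr" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout)
    if [ "$csr_pub" != "$key_pub" ]; then
        echo "CSR public key does not match $key"; return 1
    fi
    echo ok
}

# Demonstration: generate and check in a scratch directory, print the result.
demo_aps_csr() {
    dir=$(mktemp -d)
    make_aps_csr "$dir/aps-production" jdoe@example.com "John Doe" US
    result=$(check_aps_csr "$dir/aps-production.csr" "$dir/aps-production.key" \
        "emailAddress=jdoe@example.com, CN=John Doe, C=US")
    rm -rf "$dir"
    echo "$result"
}

demo_aps_csr
```

Run it on a machine with openssl in PATH; it prints ok for the scratch CSR it generates, and the same check_aps_csr call will tell you which of the five properties a CSR you are about to upload is missing. Keep the .key file readable only by you: like the -nodes and genrsa commands above it is stored unencrypted, and once Apple has issued the certificate that key is the half of the .p12 that lets a server push to your users, so if it leaks the certificate has to be revoked.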