How to convert a .csr to .crt using openssl?

Well, I have tried the below:
openssl x509 -req -in <cert_name>.csr -signkey <key_name>.key -out output.crt
but it seems to throw an error:
140735226307408:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: CERTIFICATE REQUEST
Any solutions?

The source of the problem is the form of your CSR: while working with X509, your data can be stored in 2 forms: DER and PEM.
By default openssl assumes you are using PEM.
In your case, you should first convert the CSR to PEM format:
openssl req -inform DER -in <cert_name>.csr -out <cert_name>.pem
And then:
openssl x509 -req -in <cert_name>.pem -signkey <key_name>.key -out output.crt
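The DER-versus-PEM check from the answer above, as an added example that is not part of the original answer: it inspects the file before openssl sees it and goes slightly beyond the CSR case by reporting which PEM object the file holds. The helper names pki_file_kind and csr_to_pem are hypothetical.

```sh
#!/bin/sh
# Added example (not from the original answer). pki_file_kind and csr_to_pem
# are hypothetical helper names, not openssl subcommands.

# Print "pem <LABEL>", "pem-malformed", "der" or "unknown" for file $1.
pki_file_kind() {
    [ -r "$1" ] || { echo "unknown"; return 1; }

    # Well-formed PEM: "-----BEGIN <LABEL>-----" alone at the start of a line.
    label=$(LC_ALL=C sed -n \
        's/^-----BEGIN \([A-Z0-9 ]*\)-----[[:space:]]*$/\1/p' "$1" | head -n 1)
    if [ -n "$label" ]; then
        echo "pem $label"
        return 0
    fi

    # A marker that is indented or shares its line with other text is not a
    # valid PEM start line.
    if LC_ALL=C grep -q -e '-----BEGIN ' "$1"; then
        echo "pem-malformed"
        return 1
    fi

    # DER is raw ASN.1: certificates and CSRs start with a SEQUENCE tag (0x30).
    if [ "$(od -An -tx1 -N1 "$1" | tr -d ' \n')" = "30" ]; then
        echo "der"
        return 0
    fi
    echo "unknown"
    return 1
}

# Write a PEM copy of the CSR in $1 to $2, picking -inform from the detection
# above; refuses PEM objects that are not a CSR (for example a certificate).
csr_to_pem() {
    kind=$(pki_file_kind "$1") || true
    case $kind in
        "pem CERTIFICATE REQUEST"|"pem NEW CERTIFICATE REQUEST")
            cp "$1" "$2" ;;
        der)
            openssl req -inform DER -in "$1" -out "$2" ;;
        *)
            echo "$1: not a usable CSR ($kind)" >&2
            return 1 ;;
    esac
}
```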

Related

Convert to .P12 Certificate

I have the following files
server.csr
serverprivate.key
serverpublic.key
Provided by vendor: vendor.pem
I need to convert the certificate to a .p12 file and tried the following command via openssl:
openssl pkcs12 -export -out esim.p12 -inkey private.key -in ca-preprod.crt
and I'm getting "NO CERTIFICATE MATCHES PRIVATE KEY".
How to generate a .p12 file using the files I have now?

openssl pkcs12 -export returns the error "unable to load certificates"

To date I have followed the steps below to create a p12 file for push.
openssl x509 -in aps_development.cer -inform DER -out aps_development_identity.pem -outform PEM
openssl pkcs12 -nocerts -out private_development_key.pem -in Certificates.p12
openssl rsa -out private_key_noenc.pem -in private_development_key.pem
openssl pkcs12 -export -in aps_development_identity.pem -inkey private_key_noenc.pem -certfile CertificateSigningRequest.certSigningRequest -name "aps_development_identity" -out aps_development_identity.p12
Note: I already have aps_development.cer, Certificates.p12, CertificateSigningRequest.certSigningRequest in my folder.
However, today I got an error on executing the last statement in the terminal.
After executing the last sentence, I get the error below.
openssl pkcs12 -export -in aps_development_identity.pem -inkey private_key_noenc.pem -certfile CertificateSigningRequest.certSigningRequest -name "aps_development_identity" -out aps_development_identity.p12
unable to load certificates --> this is what I get in response
Until now I never got an error like this.
Any idea what I am missing?
I am tagging Swift as iOS developers might have faced this issue. So I just added the Swift tag to bring them into this question.
I just figured out that this is happening because I updated Ruby for pods.
Is there anything updated in Ruby for this export?
Finally I found a solution.
openssl pkcs12 -export -in aps_development_identity.pem -inkey private_key_noenc.pem -name "aps_development_identity" -out aps_development_identity.p12
Just remove -certfile CertificateSigningRequest.certSigningRequest from the last statement and you are done.
I got this error because there were spaces in my cer file that I copied and pasted from a website. When I retried with a file with no spaces it worked.

Apple MDM Server: Certificate Signature Verification failed

I want to create an MDM server to manage my iOS devices. I have enrolled in the iOS Enterprise Developer program and executed the following OpenSSL commands:
"1. Creating Certificate Authority (CA)"
openssl req -new -x509 -extensions v3_ca -keyout cakey.key -out cacert.crt -days 365
"2. Creating the Web Server private key and certificate request"
openssl genrsa 2048 > server.key
openssl req -new -key server.key -out server.csr
"3. Signing the server key with the CA. You'll need the CA passphrase from step 1."
openssl x509 -req -days 365 -in server.csr -CA cacert.crt -CAkey cakey.key -CAcreateserial -out server.crt -extfile ./server.cnf -extensions ssl_server
"4. Creating the device Identity key and certificate request"
openssl genrsa 2048 > identity.key
openssl req -new -key identity.key -out identity.csr
"5. Signing the identity key with the CA. You'll need the CA passphrase from step 1."
openssl x509 -req -days 365 -in identity.csr -CA cacert.crt -CAkey cakey.key -CAcreateserial -out identity.crt
openssl pkcs12 -export -out identity.p12 -inkey identity.key -in identity.crt -certfile cacert.crt
"6. Generating keys and certs for plist generation"
openssl req -inform pem -outform der -in identity.csr -out customer.der
I uploaded the generated identity.csr and got an MDM certificate.
With customer.der, AppleWWDRCA.cer, AppleIncRootCertificate.cer, MDM.cer (obtained from iOS Enterprise Developer) and with Identity.p12, I wrote Java code to generate the encoded plist file. I used this file and got the APNSPushCert. It worked fine.
Now the problem is that the IP address of the computer got changed and I don't want to create a new MDM Vendor certificate.
As I understand it, the only place I mention the IP is server.cnf. I changed the IP in server.cnf and executed all the commands except 4. I placed the identity.key and identity.csr in the same folder before executing. Now everything works fine, but when I upload the encoded plist file to get the APNSPushCert, the site says Certificate Signature Verification failed.
I really don't understand what went wrong.
This is something to do with the SSL certificate you are using. It always validates the common name on the device side. You have to use either your domain name or the IP address of your server under the common name of the SSL certificate. Make sure it doesn't change. If it changes, binding it to a DNS will work.
I tried to copy the same .der (customer.der) file too and recompiled the program again. Now it is working fine. Also, I used a DNS-resolvable name as the URI. Now all these are working fine.

Convert Apple Push Certificate from .pem to .p12 (PKCS12)

I am trying to convert an Apple Push Certificate (received in .pem format from https://identity.apple.com/pushcert/) to PKCS12 on a Windows machine. I have OpenSSL installed.
Here are the steps I am trying:
Generate CSR
openssl req -out d:\cert\request.csr -new -newkey rsa:2048 -nodes -keyout d:\cert\csrPrivateKey.pem
Upload signed CSR to Apple and download issued certificate (pushCert.pem)
Convert .pem certificate to pkcs12
openssl pkcs12 -export -in d:\cert\pushCert.pem -inkey d:\cert\csrPrivateKey.pem -out d:\cert\pushCert.p12 -name "apns-cert"
When I try this last step, I get an error "No certificate matches private key" and an empty file is created. If anyone has any suggestions it would be greatly appreciated.
Thanks!
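"No certificate matches private key" means the public key inside the -in certificate differs from the one derived from the -inkey file. An added example (not part of the original post) that compares the two directly and, when the CSR is still on hand, shows whether the certificate was issued for that CSR; the helper names are hypothetical and all inputs are assumed to be unencrypted PEM files.

```sh
#!/bin/sh
# Added example (not from the original post). pubkey_of, same_pubkey and
# p12_precheck are hypothetical helper names; all inputs are PEM files.

# Print the public key (PEM SubjectPublicKeyInfo) held in a file.
#   $1 = cert | csr | key      $2 = path
pubkey_of() {
    case $1 in
        cert) openssl x509 -in "$2" -noout -pubkey ;;
        csr)  openssl req  -in "$2" -noout -pubkey ;;
        key)  openssl pkey -in "$2" -pubout ;;
        *)    return 2 ;;
    esac 2>/dev/null
}

# Exit 0 if both files carry the same public key, 1 if they differ,
# 2 if either cannot be parsed as the stated type.
#   same_pubkey cert pushCert.pem key csrPrivateKey.pem
same_pubkey() {
    a=$(pubkey_of "$1" "$2") && [ -n "$a" ] || {
        echo "cannot read $1 from $2" >&2; return 2; }
    b=$(pubkey_of "$3" "$4") && [ -n "$b" ] || {
        echo "cannot read $3 from $4" >&2; return 2; }
    [ "$a" = "$b" ]
}

# Report which of the files on hand pair up before building a .p12.
#   $1 = certificate, $2 = private key, $3 = CSR (optional)
p12_precheck() {
    if same_pubkey cert "$1" key "$2"; then
        echo "certificate matches private key"
        return 0
    fi
    echo "certificate does NOT match private key"
    if [ -n "${3:-}" ] && same_pubkey cert "$1" csr "$3"; then
        echo "certificate matches the CSR: the key file is not the CSR's key"
    elif [ -n "${3:-}" ]; then
        echo "certificate was not issued for this CSR either"
    fi
    return 1
}
```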

Signing files on Linux with SPC files

I have one .key file from which I generated a .csr file that I used to purchase a GoDaddy code signing certificate. From GoDaddy I received one .spc file.
I exported the spc file to pem with the following command:
openssl pkcs7 -inform DER -in mycert.spc -print_certs -out certs.pem
I then opened the certs.pem file and copied the first two certificates to a file called cert-chain.crt and the last one (which is mine) to one called server.crt.
I tried to sign the file with this command:
openssl smime -sign -in a.mobileconfig -out signed_a.mobileconfig -signer cert/server.crt -inkey cert/ios_apn.key -certfile cert/cert-chain.crt -outform der -nodetach
But what I got is:
unable to load certificate
11911:error:0906D06C:PEM routines:PEM_read_bio:no start line:/SourceCache/OpenSSL098/OpenSSL098-41/src/crypto/pem/pem_lib.c:648:Expecting: TRUSTED CERTIFICATE
What am I doing wrong? How should I normally sign the a.mobileconfig file with the provided SPC file?
Your certificate is in DER format, but openssl is assuming PEM format. You should add -inform der to the command:
openssl smime -sign -in a.mobileconfig -out signed_a.mobileconfig -signer cert/server.crt -inkey cert/ios_apn.key -certfile cert/cert-chain.crt -inform der -outform der -nodetach