When you need to create a new certificate for APNS, the Provisioning Portal "wizard" always gives the steps to create a new CSR which means you need to create a new public/private key as well. These can start to get out of control, so is there a way to create a CSR (Code Signing Request) in Keychain Access from an existing Private Key instead of having to create a new one every time?
Thanks
Typically, you can do this by right-clicking an existing private key in Keychain Access and choosing Request a Certificate from a Certificate Authority With "Name Of Your Key".
Unfortunately, this will fail with "The specified item could not be found in Keychain" unless you also have the corresponding public key in your keychain. There's no technical reason for this—a Certificate Signing Request (CSR) can be generated from just a private key—but Keychain Access doesn't understand this.
You have two options.
Export the private key and generate the CSR manually
This is a quick option that will just generate a CSR that you can upload to Apple.
Choose the private key in Keychain Access, then click File - Export Items….
Save the file in .p12 format somewhere, but remember the path. These instructions assume it's in your home directory and called exported.p12. Leave the password blank.
Open Terminal and enter:
openssl req -new -key <(openssl pkcs12 -in ~/exported.p12 -nocerts -nodes -passin pass:"") > new.certSigningRequest
See [1] at the end of this post for details about what's going on.
Press Enter for each prompt (Apple doesn't care about these values). When you're finished, you'll have a .certSigningRequest suitable for upload to the Apple Developer Portal. When you download the associated certificate, it will pair up with the original private key.
Delete the exported.p12 file, as it contains private key material.
Recreate the public key so Keychain Access is happy
This option is a longer-term fix that'll let you generate CSRs from the original key straight from Keychain Access. These instructions assume you can't currently use Keychain Access to do so because you're missing the corresponding public version of your private key. You can check for this by going to the "Keys" category in Keychain Access and looking for a "private key" and "public key" with the same name.
Choose the private key in Keychain Access, then click File - Export Items….
Save the file in .p12 format somewhere, but remember the path. These instructions assume it's in your home directory and called exported.p12. Leave the password blank.
Open Terminal and enter:
openssl pkcs12 -in ~/exported.p12 -nocerts -nodes | openssl rsa -pubout > public.pem
See [2] at the end of this post for details about what's going on.
Import this public key into Keychain Access using the security tool:
security -v import public.pem -k ~/Library/Keychains/login.keychain
You should see "1 key imported."
Change ~/Library/Keychains/login.keychain if you want to import this to another keychain. (You can see where each keychain lives by going to Edit - Keychain List in Keychain Access).
Open Keychain Access and locate the public key called "Imported Public Key." Double-click it and change its name to be the same thing as your original private key.
Delete exported.p12 and public.pem.
You can now right-click the original private key and choose Request a Certificate from a Certificate Authority With "Name Of Your Key" to generate a CSR.
Explanations
[1] This command, broken down:
openssl req -new # Generate a new certificate signing request
-key # Instead of generating a key, use an existing one
<( # Put the output of the following command in a temporary file
# (a Bash feature, not specific to OpenSSL)
openssl pkcs12 -in ~/exported.p12 # Read keys from the specified PKCS12 file
-nocerts # Don't output the certificate contained in the file
-nodes # Output the private key from the file
-passin pass:"" # The password for the container is blank
)
> new.certSigningRequest # Write the generated CSR to a file
[2] Second command, broken down:
openssl pkcs12 -in ~/exported.p12 # Read keys from the specified PKCS12 file
-nocerts -nodes # Output only the private key, no certificates
| openssl rsa -pubout # Compute the public key from a private key
> public.pem # Write the public key to a file
When you go into Provisioning Profile to Enable/Configure Push Notifications, the first thing it asks for is a CSR (Code Signing Certificate).
You can generate this with an existing private key from Keychain Access instead of creating a new one.
Just open keychain access and then scroll thru and find a previous PRIVATE KEY (probably called YOUR NAME) and then right-click (two finger click) on it and choose Request A Certificate From A Certificate Authority With "bla bla bla".
I just enter the same email address in both User Email Address and CA Email Address, and choose Saved To Disk.
Then upload that to create your .cer files
Related
I'm having trouble understanding how to get/generate a private key for some certificates I requested.
I've created a CSR using the DigiCert Certificate Utility for Windows, which gave me a csr.txt file as an output but no .key file.
Then I proceeded to request the certificates by inserting the above mentioned CSR in the Certificate Management portal of my company.
Now I have received the p7b files and the related CSRs, but no private keys: is it possible to generate it now?
Thanks in advance,
Tommaso
Use the import function of the DigiCert Certificate Utility for Windows. The key is stored on software in the machine where the CSR was created. After the import the key and the certificate are associated and should be in the Windows certificate Store. If the key was generated with the exportable flag, you can export a PKCS#12 and convert that to a key file using openSSL.
I have just private key available in a plain text file. How to import that into keystore (via keytool or some other tool) without the certificate? Or, is there a way to generate a certificate file w.r.t the given private key file?
I am working on Box service account authentication. I need to store the private key (downloadable from box as a plain text file containing the key) into my keystore via command line utility.
I have tried just putting private key into keystore via keytool. It says "unable to load certificates". I tried to see if we can generate respective certificate from the private key file. No solution. I tried just putting in private key without certificate. Don't know how to do that.
No code required here. Just importing of private key plain file into keystore.
What is the utility of .p12 file/certificate? I am not getting any correct definition when searching the internet:
In one site I got "it stores server side certificates along with intermediate certificates and private key in one file. Its mostly used in Windows Machine"
In another site i got "it binds a organizations public key with its name.
My question is whether its public key or private key which is included in the .p12 certificate.
The .p12 contains both the private and the public key, and also information about the owner (name, email address, etc. ) all being certified by a third party. With such certificate, a user can identify himself and authenticate himself to any organization trusting the third party.
You should be able to see the content of the p12 file with
openssl pkcs12 -info -in filename.p12
provided openssl is installed in your system.
I'm trying to test push notifications for my app, but can't connect to the apple sandbox with my certificate and private key. I'm following this tutorial.
I set up a new certificate and app id per the tutorial, set up a private key, and generated the .pem files for the certificate and the private key:
openssl x509 -in aps_developer_identity.cer -inform der -out PushTestCert.pem
openssl pkcs12 -nocerts -out PushTestKey.pem -in PushTestKey.p12
For the private key, it asks me to enter the original password the key, as well as a new one. I used the same password.
Then I test the connection to apple and am prompted for my password, and I enter the new password for the key .pem file, which is the same as the old password:
openssl s_client -connect gateway.sandbox.push.apple.com:2195 -cert PushTestCert.pem -key PushTestKey.pem
Enter pass phrase for PushTestKey.pem:
error setting private key
59244:error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:/SourceCache/OpenSSL098/OpenSSL098-35.1/src/crypto/x509/x509_cmp.c:406:
Is there something I'm missing? On the iOS provisioning portal my app id says it is enabled for development (push). I've tried re-downloading the openssl certificate, no cigar.
Just to follow up, the reason this is probably happening is that you did not use the new public key to generate a push notification certificate for your app in developer.apple.com. So it can't match, because you private key does not match the public key used to generate the push notification cert
Is private key encryption a must? If not, try removing encryption, like so:
openssl rsa -in PushTestKey.pem -out PushTestKey.unencrypted.pem
I reset my login keychain and started from zero on the ios provisioning portal. I think I had an extra key somewhere that was interfering.
I'm trying to figure out how to install .csr certificate under Windows but probably the only way is to convert it to some other format (maybe with openssl) but I have no idea how.
Do you have any suggestion?
CSR file is the Certificate Signing Request. It contains the information which is needed to generate a certificate based on your private key and information about the WebSite.
CER is the certificate itself (which you install into your Web browser). There is basically no way to convert directly from one to another as you need a key to sign the certificate, but what can do is to generate a self-signed certificate (e.g. certificate signed by the same key which was used to generate it):
openssl x509 -req -in server.csr -signkey server.key -out server.crt