I'm creating a new CSR (Certificate Signing Request) using the Keychain Access tool:
Certificate Assistant -> Request a certificate from a certificate authority...
In the certificate information I fill in my email address and name,
selecting the "Save to disk" option.
I save the CSR to the desktop
The wizard completes successfully, but no file is saved to disk!
I've done this before, but this time it just isn't working. I tried restarting the
Keychain tool, restarting the computer, no luck.
Any ideas?
You have an existing private key selected in the main window of Keychain Access. That is also why it says "Request a certificate from a certificate authority using {some id}" in the menu. Deselect the private key by selecting something else, and then it will work. Apple, if you're reading this, you need an error message at the end of the sequence described above.
I had the same problem. I noticed (after reading the first answer above), that I had the Keys category selected. I then selected the Certificates category, ensured I did not have any of the available Certificates selected, and I started my request and this time it worked like a charm.
Had the same problem. Here's the solution (for me at least).
You can have only one developer certificate installed on one machine - delete your old certificate from the keychain and you will be able to create the new one normally.
Related
FOR DEVELOPMENT: I configured my site to run without SSL for my development box and it all works great.
Now I am moving this to our dev testing server so I can test it there.
I first ran it as a non ssl intranet site to confirm configuration and etc....
It works perfectly.
Now I am in the process of creating a cert for the site and plan to use self signed certs for developer testing.
I have read many posts (Google search) on the topic related to the error I am getting.
Basically, I am 110% sure I am not creating this cert correctly for the site to which I need to bind it.
The error:
The remote certificate is invalid according to the validation procedure.
So I am trying to understand what they mean by answers like this:
When working with self-signed certificates: add them to the trusted root authorities & use the hostname instead of localhost.
So if your computer name is "mypc", the uri should be "https://mypc/..." instead of "https://localhost/...".
This is what is confusing to me...
For example, if computer name is: svr-d-web-003
So the uri: https://svr-d-web-003/?????
Looking at the advanced settings Bindings could I extrapolate the uri as: https://svr-d-web-003/webhost.oauth.xyz.org ?? This seems wrong to me...
Site settings and etc....
Used these steps to create the cert:
1. C:> certlm.msc
2. Right-click on Certificates, then click All Tasks/Request New Certificate
Click Next, Next
Click on link as shown under the template you need.
Select Common Name from drop down
Enter the machine name dns name (example: svr-v-wus-001), then click Add button
Click OK,
In the Requests Certificates window check the box for xyz, click Enroll
Look in the certificates store and it’ll be there – you may need to click Refresh button
Follow up In IIS – you’ll bind the certificate there to your site. Remember the name needs to match the url. (This might be my issue here...)
See attachment...
I finally got it to work.
When creating the cert I had to match the name of the cert (common name) to the site.
For example: the site is https://identService.oauth.xyz.org so the cert name needed to be identService.oauth.xyz.org.
Then it all worked. I was confusing the site name with the machine name. Doh...
I am using Keychain Access on a Mac, trying to create a new certificate for iPhone app signing. My existing cert is nearly expired. I keep getting the error "the specified keychain could not be found".
Here are my steps:
Open Keychain Access on Mac OS X 10.7.5.
Select Keychain Access > Certificate Assistant > Request a Certificate from a Certificate Authority.
User Email Address and Common Name are pre-populated. I leave them as-is. I change the radio button from "Emailed to the CA" to "Saved to disk".
Click Continue.
Whether I use the default filename or type a different name, I always get the same error.
What am I doing wrong?
I'm stuck with my app. I can't upload it to iTunes because, after the "Archive" step when I have to choose an application record and a Code Signing Identity it says:
"My Name" is a valid identity. However, the associated package identity "My Name" has expired.
Looking in the popup menu of Code Sign Identity I notice that the problem comes from the "MyProgram_production" certificate, and in fact in the provisioning portal, when I go to create the developer certificate profile for Production I get this error:
You must have a valid Mac Application Certificate to create a Provisioning Profile.
But I already created a valid provisioning profile, as you can see in the image it is there, but the expired one is also there.
My problem is that in the certificates page of the Apple site, the old expired one is not there. There are some old certificates but I have no chance to delete them:
What can I do about this?
After 2 days of total desperation... (I should be used to it, being an Apple Dev for some years now...) I finally resolved my problem...
For anyone having the same difficulty: the problem was that I could not see the expired certificates in my Keychain Access, and that is because there was the (strange) option "Hide Expired Certificates" in my comp... I changed Mac and had no idea there was this option...
Why would someone want to hide an expired certificate and not just delete it???
Anyway deleting the expired certs and doing all the certificates again on Apple site did the trick!
You have to revoke and create a new certificate. It clearly says "You must have a valid Mac Application Certificate to create a Provisioning Profile." So you have to generate a valid certificate starting from the keychain.
I am trying to create certificates that will allow me to send push notifications on my device and I am totally lost. I have used certificates for BETA and distribution but adding push notifications is a pain.
When I do create certificates for BETA testing, I do the following steps.
From keychain, Request a certificate from a certificate authority.
In Apple Provisioning Portal under Certificates, create a certificate by uploading the keychain file.
Assume APP ID is created perfectly and devices are ready.
In Apple Provisioning Portal under Provisioning, I create a new profile and download mobile provisioning file to add to the XCode organizer.
The above steps work and I can BETA test. Now in order to enable push notifications, I have set up a server which is tested with push notifications and is 100% working. When I configure for push notifications, I need to upload a keychain file. Is that the same file I uploaded under Certificates? There is a file in return which I double click and it gets added to the keychain, am I doing it right?
If I understand your question correctly, the answer is no, it should not be the same file. I'll explain the entire process in detail and hopefully that will clarify the situation (and what you need to do next).
When you enable push notifications, you need to do four things:
Create a private/public key pair.
Create a certificate signing request (CSR), signed with your private key.
Submit the CSR to Apple and download a signed certificate.
Create a file containing your certificate and private key, for validating each APN request.
Some points:
I recommend you use different keys for development (sandbox) and production APN. You can re-use the keys if you are sending notifications to different apps, but it is safer if you don't re-use keys between development and production.
The file you "submit" to the provisioning portal is the certificate request. You will have one CSR file for each certificate. You will create two CSRs for each app (bundleID); one for development, one for production. The CSR created with your development key should be submitted for development and the CSR created with your production key should be submitted for production.
Note: Keep the CSR files. You don't have to have them, but it will save you some time when you need to re-send the certificate requests.
After submitting your CSRs, you will be able to download the actual certificates. They aren't ready immediately, so give Apple a minute or so and then refresh your browser. The difference between the CSR and a certificate is important: the certificate is signed by Apple; it validates your ability to send push notifications. Download the certificates and load them into your keychain (double clicking is fine).
Note: the certificate is useless without your private key; so you will need to safely export your private key if you switch computers.
Any computer sending an APN request will need both the private key and the certificate. You can export them as a single .p12 file using Keychain Access. (I name mine MyAppCertKey.p12 to indicate that the file contains both the certificate and the key.)
Last, I wrote up a detailed explanation on testing / verifying communication with Apple's servers (from the terminal). It's a little complicated since you need to have some root certificates set up for openssl to validate against; however, it will tell you if you are communicating correctly with the servers, without requiring any work on the receiving app itself.
Couldn't able to connect to APNS Sandbox server
Hope that helps.
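The four steps from the answer above, carried out with openssl rather than Keychain Access, as an added example that is not part of the original answer. A throwaway local CA stands in for Apple's signing step, and all file names, subjects and passwords are constructed; the last function checks whether a certificate actually belongs to a given private key.

```shell
#!/bin/sh
# Added example. A throwaway local CA stands in for Apple's signing step
# (assumption); every file name, subject and password here is constructed.

make_test_ca() {                      # $1 = working directory
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Constructed Test CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

make_push_bundle() {                  # $1 = dir, $2 = environment, $3 = .p12 password
    dir=$1; envname=$2
    # 1. Key pair: a separate one per environment (development / production).
    openssl genrsa -out "$dir/$envname.key" 2048 2>/dev/null || return 1
    # 2. CSR: contains the public key and is signed with the private key.
    openssl req -new -key "$dir/$envname.key" -subj "/CN=Example Push $envname" \
        -out "$dir/$envname.csr" || return 1
    # 3. Stand-in for submitting the CSR and downloading the certificate.
    openssl x509 -req -in "$dir/$envname.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 30 -out "$dir/$envname.crt" 2>/dev/null || return 1
    # 4. Certificate and private key in one password-protected file. The
    #    password goes through the environment, not the argument list.
    P12_PASS=$3 openssl pkcs12 -export -inkey "$dir/$envname.key" \
        -in "$dir/$envname.crt" -passout env:P12_PASS \
        -out "$dir/$envname.p12" || return 1
}

# Prints "match" only if the certificate's public key belongs to the private key.
cert_matches_key() {                  # $1 = certificate, $2 = private key
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    if [ -n "$c" ] && [ "$c" = "$k" ]; then echo match; else echo mismatch; fi
}

work=$(mktemp -d)
make_test_ca "$work"
make_push_bundle "$work" development "constructed-dev-pass"
make_push_bundle "$work" production "constructed-prod-pass"
cert_matches_key "$work/development.crt" "$work/development.key"
cert_matches_key "$work/production.crt" "$work/development.key"
rm -rf "$work"
```

The second check reports a mismatch because the production certificate was issued for a different key, which is the situation a machine is in when it holds a downloaded certificate but not the private key that produced the CSR.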
How can one debug errors related to code-signing and missing certificates? Can I do the process from command line?
In XCode under 'Organizer > Provisioning Profiles', I get 'A valid signing identity matching this profile could not be found in your keychain'. How can I debug this problem?
Possible problems:
The certificates have expired
The certificates have been renewed without updating the application provisions
The private/public keys are missing from keychain. They should have been generated when you created the certificate request.
The certificates and public/private keys are stored in a keychain other than the default one.
I tried all the above solutions with no luck--I was able to solve it by right-clicking on my System keychain (in Keychain Access), and making it the default keychain. Prior to this, my default was set to "Login."