aps_developer_identity.cer to p12 without having to export from Key Chain?

Submitted by 烂漫一生 on 2019-12-29 10:36:14

Question


I have a shed load of 'aps_developer_identity.cer' certificates exported from iPhone Developer portal. They were all created using the same Certificate Signing Request and (thus) the same private key. If I export just the private key from the Apple Key Chain, is it then possible to take the private key and the 'aps_developer_identity.cer' and use openssl to create a merged p12/pkcs#12 certificate that I can use on my (Windows) server?

Just to be clear, I know how to get a merged p12 from the Key Chain by exporting both the private key and certificate together, but I want to remove all the extra mouse clicking and typing if I can.


Answer 1:


I managed to work this out, it just needs wrapping up in a shell script and it is good to go. I am assuming you have downloaded and renamed your 'apple_developer_identity.cer' certificate, here I use 'test.cer', and that you have also exported your developer key from your keychain, in the example below named 'private_dev_key.p12'.

# convert *.cer (der format) to pem
openssl x509 -in test.cer -inform DER -out test.pem -outform PEM

# convert p12 private key to pem (requires the input of a minimum 4 char password)
openssl pkcs12 -nocerts -out private_dev_key.pem -in private_dev_key.p12

# if you want to remove the password from the private key
# (reads the private_dev_key.pem written by the previous step)
openssl rsa -out private_key_noenc.pem -in private_dev_key.pem

# take the certificate and the key (with or without password) and create a PKCS#12 format file
openssl pkcs12 -export -in test.pem -inkey private_key_noenc.pem -certfile _CertificateSigningRequest.certSigningRequest -name "test" -out test.p12

NOTE: If you think this is all a bit long-winded to achieve what can be done with a few mouse clicks and the typing of the name of a file, then consider the case where you have 20 Apps that you want to enable for notifications. Each App has a development and production certificate, which expire in 4 and 12 months respectively. That is a very boring and error-prone job...




Answer 2:


Awesome work here. Thanks for the real help guys. I have dropped in my shell script below that may help others. I have several of the keys to deal with and wanted a script as well. This script will output static names for the output files (though that would be simple to change).

I hope it helps someone else.

example usage (assuming script name):

$ . thisScript request_file.cer priv_key.p12 aps_dev.cer

The script:

if [ $# -ne 3 ]
then
    echo "Error in $0 - Invalid Argument Count"
    echo "Syntax: $0 request_cer_file p12_file app_cer_file"
    echo "  - request_cer_file      is the request file you sent to apple"
    echo "  - p12_file              is found in your keychain (it's the private key)"
    echo "  - app_cer_file          is found on App ID screen from Apple"
else

    reqFile=$1
    p12File=$2
    cerFile=$3

    certPEM='apn_cert.pem'
    pKeyPEM='apn_pkey.pem'
    pKeyNoEncPEM='apn_pkey_noenc.pem'
    p12FileOut='apn_cert_key.p12'

    # remove old output files (-f: no error if they do not exist yet)
    rm -f "$certPEM" "$pKeyPEM" "$pKeyNoEncPEM" "$p12FileOut"

    # convert *.cer (der format) to pem
    openssl x509 -in "$cerFile" -inform DER -out "$certPEM" -outform PEM

    # convert p12 private key to pem (requires the input of a minimum 4 char password)
    openssl pkcs12 -nocerts -out "$pKeyPEM" -in "$p12File"

    # if you want to remove the password from the private key
    openssl rsa -out "$pKeyNoEncPEM" -in "$pKeyPEM"

    # take the certificate and the key (with or without password) and create a PKCS#12 format file
    openssl pkcs12 -export -in "$certPEM" -inkey "$pKeyNoEncPEM" -certfile "$reqFile" -name "apn_identity" -out "$p12FileOut"

    # If all things worked then the following should work as a test:
    #   openssl s_client -connect gateway.sandbox.push.apple.com:2195 -cert apn_cert.pem -key apn_pkey_noenc.pem
    # Only report success if the final PKCS#12 file was actually written.
    if [ -s "$p12FileOut" ]
    then
        echo "Looks like everything was successful"
        echo "Test command:"
        echo "openssl s_client -connect gateway.sandbox.push.apple.com:2195 -cert $certPEM -key $pKeyNoEncPEM"
        echo
    else
        echo "Error: $p12FileOut was not created, check the openssl output above"
    fi
fi
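
The batch case from the question (many .cer files, one shared private key), as an added example that is not part of the original answers: it checks that each certificate's public key matches the private key before bundling, and passes passphrases through environment variables so that no unencrypted key file is written. The function names, the `KEY_PASS` and `P12_PASS` variables and the return codes are assumptions of this example, and `-certfile` is left out because the CSR is not needed to build the bundle.

```shell
# Added example, not from the answers above. Assumed names: make_p12, bundle_all,
# KEY_PASS (passphrase of the PEM key written by `openssl pkcs12 -nocerts`),
# P12_PASS (passphrase for the new .p12). Both must be exported before use.

# make_p12 CER_DER KEY_PEM OUT_P12
# Returns 0 on success, 2 if an input cannot be read, 3 if the certificate
# does not belong to the key, 4 if the export fails.
make_p12() {
    m_cer=$1; m_key=$2; m_out=$3
    # Public key embedded in the certificate (SubjectPublicKeyInfo, PEM).
    m_cpub=$(openssl x509 -inform DER -in "$m_cer" -noout -pubkey) || return 2
    # Public key derived from the still-encrypted private key.
    m_kpub=$(openssl pkey -in "$m_key" -passin env:KEY_PASS -pubout) || return 2
    # Refuse to bundle a certificate that was issued for a different key.
    [ "$m_cpub" = "$m_kpub" ] || return 3
    # DER -> PEM on a pipe; the key is only decrypted in memory, and the
    # bundle is created readable by its owner alone.
    ( umask 077
      openssl x509 -inform DER -in "$m_cer" |
          openssl pkcs12 -export -inkey "$m_key" -passin env:KEY_PASS \
              -name "$(basename "$m_cer" .cer)" \
              -passout env:P12_PASS -out "$m_out" ) || { rm -f "$m_out"; return 4; }
}

# bundle_all DIR KEY_PEM
# Bundles every DIR/*.cer with the one shared key and prints one line per file.
bundle_all() {
    b_dir=$1; b_key=$2
    for b_cer in "$b_dir"/*.cer; do
        [ -e "$b_cer" ] || continue
        if make_p12 "$b_cer" "$b_key" "${b_cer%.cer}.p12"; then
            echo "OK ${b_cer%.cer}.p12"
        else
            echo "SKIP $b_cer (rc=$?)"
        fi
    done
}
```

Export `KEY_PASS` and `P12_PASS`, then run `bundle_all DIR private_dev_key.pem`; a `SKIP ... (rc=3)` line means that certificate was issued for a different private key.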



Answer 3:


You can make the p12/pkcs#12 certificate directly in Keychain. No need to execute any command.

1. Double-click on your developer/production cert file downloaded from the Apple dev site. (It'll be added to the keychain.)

2. I assume you have the .p12 file which you got from exporting the private key.

3. Go to the My Certificates tab under Keychain.

Just click on your dev/prod certificate for APN. It should show the private key associated with it.

4. Right-click and export the certificate in .p12 format.

That's the final .p12 file!



Source: https://stackoverflow.com/questions/1453286/aps-developer-identity-cer-to-p12-without-having-to-export-from-key-chain
