I have a shed load of 'aps_developer_identity.cer' certificates exported from the iPhone Developer portal. They were all created using the same Certificate Signing Request and (thus) the same private key. If I export just the private key from the Apple Key Chain, is it then possible to take the private key and the 'aps_developer_identity.cer' and use openssl to create a merged p12/pkcs#12 certificate that I can use on my (Windows) server?

Just to be clear, I know how to get a merged p12 from the Key Chain by exporting both the private key and certificate together, but I want to remove all the extra mouse clicking and typing if I can.

Thanks in advance.

A: 

I managed to work this out; it just needs wrapping up in a shell script and it is good to go. I am assuming you have downloaded and renamed your 'apple_developer_identity.cer' certificate (here I use 'test.cer'), and that you have also exported your developer key from your keychain (named 'private_dev_key.p12' in the example below).

# convert *.cer (DER format) to PEM
openssl x509 -in test.cer -inform DER -out test.pem -outform PEM

# convert the p12 private key to PEM (requires the input of a minimum 4 char password)
openssl pkcs12 -nocerts -out private_dev_key.pem -in private_dev_key.p12

# if you want to remove the password from the private key
# (the input is the PEM file written by the previous step)
openssl rsa -out private_key_noenc.pem -in private_dev_key.pem

# take the certificate and the key (with or without password) and create a PKCS#12 format file
openssl pkcs12 -export -in test.pem -inkey private_key_noenc.pem -certfile _CertificateSigningRequest.certSigningRequest -name "test" -out test.p12

NOTE: If you think this is all a bit long-winded to achieve what can be done with a few mouse clicks and the typing of the name of a file, then consider the case where you have 20 Apps that you want to enable for notifications. Each App has a development and production certificate, which expire in 4 and 12 months respectively. That is a very boring and error-prone job...

withakay
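The steps in the answer above wrapped into a batch script, as an added example that is not part of the original post. It also checks that each certificate's public key matches the shared private key before bundling, and leaves out `-certfile`. The function names, the three positional arguments and the `P12_PASS` environment variable are assumptions, and the key is expected as an unencrypted PEM file like `private_key_noenc.pem` from step 3.

```shell
#!/bin/sh
# Added example, not from the original answer. Function names, the three
# positional arguments and the P12_PASS variable are assumptions.

# Succeeds only if the PEM certificate ($1) and PEM private key ($2) share a public key.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Convert one DER .cer ($1) to PEM, verify it against the key ($2),
# then write <name>.p12 into the output directory ($3).
build_p12() {
    name=$(basename "$1" .cer)
    pem="$3/$name.pem"
    openssl x509 -in "$1" -inform DER -out "$pem" -outform PEM || return 1
    if ! cert_matches_key "$pem" "$2"; then
        echo "skip $1: certificate does not match the private key" >&2
        rm -f "$pem"
        return 1
    fi
    # The export password is read from the environment rather than passed as
    # an argument, so it does not appear in the process list.
    openssl pkcs12 -export -in "$pem" -inkey "$2" -name "$name" \
        -out "$3/$name.p12" -passout env:P12_PASS
}

# Process every .cer in a directory ($1); the return status is the failure count.
build_all() {
    umask 077    # files written to the output directory stay owner-only
    mkdir -p "$3"
    failed=0
    for cer in "$1"/*.cer; do
        [ -e "$cer" ] || continue
        build_p12 "$cer" "$2" "$3" || failed=$((failed + 1))
    done
    return "$failed"
}

# Usage (with P12_PASS already exported): sh build_p12.sh <cer-dir> <key.pem> <out-dir>
if [ "$#" -eq 3 ]; then
    build_all "$@"
fi
```

Because the unencrypted key file is the one secret shared by every bundle, keep it readable by its owner only and delete it once the .p12 files are built.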
A: 

I'm currently using .pem files that look like this:

Bag Attributes
    friendlyName: Apple Production Push Services: A9G1EK2CDF:8Q2MGGN2Q9
    localKeyID: A1 F2 01 89 13 9B Z7 E9 90 BE AF 42 94 96 08 21 38 A5 98 AE 
subject=/UID=com.company.name.myid/CN=Apple Production Push Services: A9G1EK2CDF:8Q2MGGN2Q9/C=US
issuer=/C=US/O=Apple Inc./OU=Apple Worldwide Developer Relations/CN=Apple Worldwide Developer Relations Certification Authority
-----BEGIN CERTIFICATE-----
data
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
data

And I make them through a bunch of mouse clicks. I tried using your:

openssl x509 -in test.cer -inform DER -out test.pem -outform PEM

to convert the .cer from Apple to a pem and then just tack on the private_key_noenc.pem to the end. It looks very similar but is missing the "Bag Attributes" at the top. Are those important? When I try using that final .pem, push doesn't work, so it must be slightly wrong. Do I use my private dev key or private distribution key?

Also, your end result is a .p12 file. Should I be using those on the server (PHP server) to send push messages vs. .pem files?

Thanks!

Andrew Arrow