aps_developer_identity.cer to p12 without having to export from Key Chain?

withakay picture withakay · Sep 21, 2009 · Viewed 46.6k times · Source

I have a shed load of 'aps_developer_identity.cer' certificates exported from iPhone Developer portal. They were all created using the same Certificate Signing Request and (thus) the same private key. If I export just the private key from the Apple Key Chain is it then possible to take the private key and the 'aps_developer_identity.cer' and use openssl to create merged p12/pkcs#12 certificate that I can use on my (Windows) server.

Just to be clear, I know how to get a merged p12 from the Key Chain by exporting both the private key and certificate together, but I want to remove all the extra mouse clicking and typing if I can.

Answer

withakay picture withakay · Sep 22, 2009

I managed to work this out, it just needs wrapping up in a shell script and it is good to go. I am assuming you have downloaded and renamed your 'apple_developer_identity.cer' certificate, here I use 'test.cer', and that you have also exported your developer key from your keychain, in the example below named 'private_dev_key.p12'.

#convert *.cer (der format) to pem
openssl x509 -in test.cer -inform DER -out test.pem -outform PEM

#convert p12 private key to pem (requires the input of a minimum 4 char password)
openssl pkcs12 -nocerts -out private_dev_key.pem -in private_dev_key.p12

# if you want remove password from the private key
openssl rsa -out private_key_noenc.pem -in private_key.pem

#take the certificate and the key (with or without password) and create a PKCS#12 format file
openssl pkcs12 -export -in test.pem -inkey private_key_noenc.pem -certfile _CertificateSigningRequest.certSigningRequest  -name "test" -out test.p12

NOTE: If you think this all a bit long winded to achieve what can be done with a few mouse clicks and the typing of the name of a file, then consider the case where you have 20 Apps that you want to enable for notifications. Each App has a development and production certificate, which expire in 4 and 12 months respectively. That is a very boring and error prone job...