Generate PEM from private key, Apple CER

1
votes

I am trying to create a .pem file for the Apple Push Notification service, but can't find an easy way to generate it.

I do not have access to an Apple computer, so Apple's instructions are useless. Using Windows 10.

What I did:

  1. Made a CSR + private key through a generator (specifically, WHM). They are in plain text format
  2. Created a CSR file with the .certSigningRequest extension by copy&pasting the request into the file
  3. Uploaded the CSR to the Apple dev center and got back a certificate, in the CER format, courtesy of Apple

So in the end, I have the private key in plain text format and the cert in CER format.

However, I read that CER is supposed to just be a CRT with a different extension; that, however, does not appear to be the case, and I don't know how to extract the plain-text certificate from the CER file I received in order to make a PEM. Also I'm not quite sure on how to generate a p12 file from the stuff I have (this is listed as one of the possible easy ways to make a PEM).

The question is, either: is it possible to extract the plain-text cert from the CER file? Or alternatively, convert it to PEM along with the private key somehow? (I have OpenSSL)

Update: I was able to extract the text part of the CER, turns out Apple CERs are in DER format, so it's possible to use:

openssl x509 -in cert.cer -inform DER -out cert.crt

There is still a problem however: a PEM also contains some kind of data in between the key and the certificate (bag attributes, key attributes), not sure how to generate it. Investigating now but an answer would be very helpful!

1
sslapple-push-notificationspem
You could install it in the certificate store on the Windows machine where you generate the private key, then export it to a .pfx (same as .p12)Mathias R. Jessen
Thanks. The thing is, I generated the key on a different machine and only had it in plain text. In most cases with Apple it's possible to just generate a new CSR/key pair on Windows and do this process properly, but I was trying to use an existing CSR/key pair.Ynhockey

1 Answers

1
votes

OK so I think I figured it out. Still haven't tested if it works with real APNs, but APNs are quirky and could not work for a million reasons, and the PEM looks good, so here is what needs to be done (with OpenSSL), assuming you have cert.cer and cert.key (the plain-text private key):

  1. Create plain-text certificate from CER: openssl x509 -in cert.cer -inform DER -out cert.crt
  2. Create PFX from CER and KEY: openssl pkcs12 -export -out cert.pfx -inkey cert.key -in cert.crt
  3. Convert PFX to PEM: openssl pkcs12 -in cert.pfx -out cert.pem -nodes

I tried shortening this process by combining 2 and 3, but it didn't generate a plain-text PEM.

Update: It worked with real APNs, so indeed this is a solution.