0
votes

I'm attempting to create a p12 file for use with PushSharp to send iOS push notifications. I used this exact process a year ago to renew our certificates and it worked fine, but now it's failing at the final step.

Here is what I'm doing:

  1. Create a certificate signing request in Keychain Access, as a file named CertificateSigningRequest.certSigningRequest
  2. Export the private key from Keychain Access, saving the file as private_key.p12
  3. Go to developer.apple.com, create a production Apple Push Services certificate using the CSR file from step 1, download the file as aps.cer
  4. Run the following commands in a shell (pretty much identical to what one finds on some other Stack Overflow posts):

    openssl x509 -in aps.cer -inform DER -out app_cert.pem -outform PEM

    openssl pkcs12 -nocerts -out private_key.pem -in private_key.p12

    openssl rsa -out private_key_noenc.pem -in private_key.pem

    openssl pkcs12 -export -in app_cert.pem -inkey private_key_noenc.pem \
                -certfile CertificateSigningRequest.certSigningRequest -name "MyAppName" -out pushsharp.p12

The final openssl command fails with this error:

    unable to load certificates

I haven't been able to figure out what I'm doing wrong; this is all in a script that worked fine a year ago. I was able to get the openssl pkcs12 -export command to succeed by removing the -certfile CertificateSigningRequest.certSigningRequest argument, but I believe the p12 file generated by this will not work with PushSharp.

1
It looks incorrect to give a certificate signing request file (CertificateSigningRequest.certSigningRequest) as a value for -certfile. The error seems appropriate, since that is not a certificate file. What is the purpose of including that file? - Reinier Torenbeek
These openssl commands are part of a script that we've used for a couple of years as part of the process for renewing certificates for Apple push notification services. Specifically to generate a .p12 file that is compatible with the PushSharp library on our .NET web servers. If I recall correctly, it needs to be done this way for PushSharp to work correctly; I haven't had a chance yet to test it with a p12 generated with that -certfile param. - Mike Mertsock
Sorry, typo: I haven't had a chance to test PushSharp with a p12 file generated without the certfile param - Mike Mertsock

1 Answer

2
votes

Don't try to give a CSR file as the parameter of -certfile.

-certfile can be used for adding additional certificates to the store.

For example, the CA certificate chain of app_cert.pem:

    openssl pkcs12 -export -in app_cert.pem -inkey private_key_noenc.pem \
                -certfile ca_certificates.pem -name "MyAppName" -out pushsharp.p12

Usually there is no need to use the CSR if the corresponding certificate already exists.
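
A pre-flight check for the point made in this answer, as an added example that is not part of the original answer or of any script from the question: it classifies each input by its PEM label so that a CSR passed to -certfile is caught before openssl is run. The function names and the sample files are hypothetical and constructed; it assumes the inputs are PEM files (a DER file such as aps.cer is reported as not-pem).

```shell
#!/usr/bin/env bash
# Classify the inputs of `openssl pkcs12 -export` by PEM label; openssl itself is not needed.
# pem_kind FILE -> prints certificate | csr | private-key | not-pem
pem_kind() {
    local label
    label=$(sed -n 's/^-----BEGIN \(.*\)-----[[:space:]]*$/\1/p' "$1" 2>/dev/null | head -n 1)
    case "$label" in
        "CERTIFICATE"|"TRUSTED CERTIFICATE") echo certificate ;;
        "CERTIFICATE REQUEST"|"NEW CERTIFICATE REQUEST") echo csr ;;
        "PRIVATE KEY"|"RSA PRIVATE KEY"|"EC PRIVATE KEY"|"ENCRYPTED PRIVATE KEY") echo private-key ;;
        *) echo not-pem ;;
    esac
}

# expect_kind WANT FLAG FILE -> 0 if FILE is of kind WANT, else explain on stderr and return 1
expect_kind() {
    local got
    got=$(pem_kind "$3")
    [ "$got" = "$1" ] && return 0
    echo "$2 $3: expected $1, found $got" >&2
    return 1
}

# check_export_inputs CERT KEY [CERTFILE...]
# -in and every -certfile must be certificates; -inkey must be a private key.
check_export_inputs() {
    local cert=$1 key=$2 rc=0 extra
    shift 2
    expect_kind certificate -in "$cert" || rc=1
    expect_kind private-key -inkey "$key" || rc=1
    for extra in "$@"; do
        expect_kind certificate -certfile "$extra" || rc=1
    done
    return $rc
}

# write_sample LABEL FILE -> constructed PEM armor with a placeholder body (not real key material)
write_sample() {
    printf '%s\n' "-----BEGIN $1-----" "Q09OU1RSVUNURUQ=" "-----END $1-----" > "$2"
}

# Demo on constructed files named as in the question: the CSR is rejected as a -certfile.
tmp=$(mktemp -d)
write_sample "CERTIFICATE" "$tmp/app_cert.pem"
write_sample "RSA PRIVATE KEY" "$tmp/private_key_noenc.pem"
write_sample "CERTIFICATE REQUEST" "$tmp/CertificateSigningRequest.certSigningRequest"
check_export_inputs "$tmp/app_cert.pem" "$tmp/private_key_noenc.pem" \
    "$tmp/CertificateSigningRequest.certSigningRequest" || echo "refusing to run pkcs12 -export"
rm -rf "$tmp"
```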