You don't need a Mac to do this :-)
For generating PKPass files, you'll need 4 things after this tutorial:
- Certificate Identifier (pass.com.example.www)
- Team Identifier (the Organizational Unit (OU) in the cert generated by Apple)
- The .p12 file
- The password for the .p12 file
- Log in at https://developer.apple.com/account/
- Click Certificates, Identifiers & Profiles
- Click on Identifiers
- On the right, filter to Pass Type IDs
- Register a New Identifier, choose Pass Type IDs
- Enter Description and Identifier
- Finalize by clicking Register
- Go to terminal and generate a private key (.key)
openssl genrsa -out pkpass.key 2048
- Generate a certificate signing request (.csr)
openssl req -new -key pkpass.key -out pkpass.csr
Fill in the fields with your own data but leave Challenge password empty (press Enter).
- On the Developer Portal choose the newly created identifier from the list and click Create Certificate.
- Leave the Certificate name empty and upload the .csr file
- On the next page click Download and save the downloaded pass.cer to the folder with the .key and .csr files
- Download Apple's root certificate (Apple Worldwide Developer Relations Certification Authority)
wget http://developer.apple.com/certificationauthority/AppleWWDRCA.cer
- Convert .cer files to .pem format
openssl x509 -inform der -in AppleWWDRCA.cer -out AppleWWDRCA.pem
openssl x509 -inform der -in pass.cer -out pass.pem
- Generate the .p12 certificate by using the private key, your certificate and Apple's certificate
openssl pkcs12 -export -clcerts -inkey pkpass.key -in pass.pem -certfile AppleWWDRCA.pem -name "Company Name" -out pkpass.p12
You'll be requested to enter a password. Choose a strong password here. You'll use this password with the .p12 certificate when generating PKPass files.
Please note that the .p12 contains both certificates and the private key. Make sure that you distribute it securely to the server that will generate PKPass files and that it is readable only by the PKPass generator application.
- You can check the contents of your newly created .p12 certificate
openssl pkcs12 -in pkpass.p12 -nodes
Please note the OU field of the first certificate in the output. This is your Team Identifier.
- Create a reminder in your calendar with the expiration date of your certificate.
openssl x509 -in pass.pem -noout -enddate
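To check what the steps above produce, here is an added shell script (not part of this gist) that runs the same pkcs12 export against a throwaway CA constructed inline in place of Apple's WWDR CA, then reads the Team Identifier (OU) back out of the .p12, verifies the leaf certificate against the CA file, and checks the expiry window used for the calendar reminder. The CA, the OU value ABCDE12345, the password and the file names are all made up for the demo.

```sh
#!/bin/sh
# Added example, not from the gist: exercise the pkcs12 export step against a
# constructed CA and check the Team Identifier, the chain and the expiry date.
# The CA here stands in for Apple's WWDR CA; OU=ABCDE12345 and the password are made up.
set -e
WORK=$(mktemp -d)

# Throwaway issuing CA plus a leaf cert issued from a CSR, mirroring the
# genrsa / req / "Create Certificate" steps of the tutorial.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo WWDR CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
openssl genrsa -out "$WORK/pkpass.key" 2048 2>/dev/null
openssl req -new -key "$WORK/pkpass.key" -out "$WORK/pkpass.csr" \
  -subj "/OU=ABCDE12345/CN=Pass Type ID: pass.com.example.www" 2>/dev/null
openssl x509 -req -days 30 -in "$WORK/pkpass.csr" -CA "$WORK/ca.pem" \
  -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/pass.pem" 2>/dev/null

# build_p12 KEY LEAF CAFILE PASSWORD OUT: the tutorial's export command, password given non-interactively
build_p12() {
  openssl pkcs12 -export -clcerts -inkey "$1" -in "$2" -certfile "$3" \
    -name "Company Name" -passout "pass:$4" -out "$5"
}

# leaf_from_p12 P12 PASSWORD: print only the client certificate (no private key) as PEM
leaf_from_p12() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null
}

# team_id_from_p12 P12 PASSWORD: the OU of the first certificate, i.e. the Team Identifier
team_id_from_p12() {
  leaf_from_p12 "$1" "$2" | openssl x509 -noout -subject -nameopt sep_multiline,sname \
    | sed -n 's/^ *OU=//p' | head -n 1
}

# chain_ok P12 PASSWORD CAFILE: succeeds only if the leaf verifies against CAFILE
# (a leaf that does not chain to the CA bundle in use is what an "unknown ca" alert looks like)
chain_ok() {
  leaf_from_p12 "$1" "$2" | openssl verify -CAfile "$3" >/dev/null 2>&1
}

# valid_for_days P12 PASSWORD DAYS: succeeds if the leaf does not expire within DAYS
valid_for_days() {
  leaf_from_p12 "$1" "$2" | openssl x509 -noout -checkend $(( $3 * 86400 )) >/dev/null
}

build_p12 "$WORK/pkpass.key" "$WORK/pass.pem" "$WORK/ca.pem" 'demo-password' "$WORK/pkpass.p12"
```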
Hey @rlanyi ! Thanks so much! This is all excellent and got me so close to succeeding in my task too.
I wasn't doing a PKPass cert, but I was getting a new Apple Push certificate for my Python app running on Ubuntu - using the Pr0Ger/PyAPNs2 library. But although your steps got me close, with the G4 certificate it didn't work - I just got errors like this in my app:
[SSL: TLSV1_ALERT_UNKNOWN_CA] tlsv1 alert unknown ca (_ssl.c:1076)
I messed around for ages to get it working, and thought I'd share in case someone else hits the same snag - which they probably will since the current batch of push certs are expiring and all new ones are G4 ones.
Fundamentally I needed two CA certs that my computer couldn't see:
So I needed to download both of these:
https://www.apple.com/appleca/AppleIncRootCertificate.cer
https://www.apple.com/certificateauthority/AppleWWDRCAG4.cer
Convert them both to pem files:
Combine them into one file, called AppleCerts.pem in a text editor, looking like this:
And then use, instead of your final command:
openssl pkcs12 -export -clcerts -inkey pkpass.key -in aps.pem -certfile AppleCerts.pem -name "Company Name" -out pkpass.p12 -chain
Once I had done that I could use this to generate the pem file I needed for Pr0Ger/PyAPNs2 to work:
openssl pkcs12 -in pkpass.p12 -nodes -out the-final.pem
And if it's all working you should be able to verify it like this:
openssl verify -CAfile AppleCerts.pem the-final.pem
Even after that, there's one final obstacle - the pem worked on my dev machine but still didn't work on the server Ubuntu box.
I needed to make OpenSSL aware of those CA certs too, so I copied the AppleIncRootCertificate.pem and AppleWWDRCAG4.pem files to my Linux box, renamed them to end with .crt rather than .pem and moved them to here: /usr/local/share/ca-certificates
And then ran:
sudo update-ca-certificates
It should tell you it installed two certificates:
Once you've done that, OpenSSL is ready to use your new PEM file.
Apple likes to make this stuff as complicated as possible, right? There's no other web service in the world where you have to jump through these hoops to send a message.