@rlanyi
Last active June 3, 2024 10:38
How to create Apple PKPass .p12 certificate using Linux

You don't need a Mac to do this :-)

For generating PKPass files, you'll need 4 things after this tutorial:

  • Certificate Identifier (pass.com.example.www)
  • Team Identifier (Organizational Unit (OU) in the cert generated by Apple)
  • The .p12 file
  • The password for the .p12 file

  1. Log in at https://developer.apple.com/account/
  2. Click Certificates, Identifiers & Profiles
  3. Click on Identifiers
  4. On the right, filter to Pass Type IDs
  5. Register a New Identifier, choose Pass Type IDs
  6. Enter Description and Identifier
  7. Finalize by clicking Register
  8. Go to terminal and generate a private key (.key)

      openssl genrsa -out pkpass.key 2048

  9. Generate a certificate signing request (.csr)

      openssl req -new -key pkpass.key -out pkpass.csr

Fill in the fields with your own data but leave Challenge password empty (press Enter).

  10. On the Developer Portal choose the newly created identifier from the list and click Create Certificate.
  11. Leave the Certificate name empty and upload the .csr file
  12. On the next page click Download and save the downloaded pass.cer to the folder with the .key and .csr files
  13. Download Apple's root certificate (Apple Worldwide Developer Relations Certification Authority)

      wget http://developer.apple.com/certificationauthority/AppleWWDRCA.cer

  14. Convert .cer files to .pem format

      openssl x509 -inform der -in AppleWWDRCA.cer -out AppleWWDRCA.pem
      openssl x509 -inform der -in pass.cer -out pass.pem

  15. Generate the .p12 certificate by using the private key, your certificate and Apple's certificate

      openssl pkcs12 -export -clcerts -inkey pkpass.key -in pass.pem -certfile AppleWWDRCA.pem -name "Company Name" -out pkpass.p12

You'll be requested to enter a password. Choose a strong password here. You'll use this password with the .p12 certificate when generating PKPass files.

Please note that the .p12 contains both certificates and a private key as well. Make sure that you distribute it securely to the server that will generate PKPass files and that it is only readable by the PKPass generator application.

  16. You can check the contents of your newly created .p12 certificate

      openssl pkcs12 -in pkpass.p12 -nodes

Please note the OU field of the first certificate in the output. This is your Team Identifier.

  17. Create a reminder in your calendar with the expiration date of your certificate.

      openssl x509 -in pass.pem -noout -enddate
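
An added example, not part of the original gist: shell functions that confirm the private key belongs to the downloaded certificate, flag an upcoming expiry, and restrict the .p12 to its owner. The function names are assumptions of this example, and the key, certificate and password it generates are constructed test data, not Apple-issued material.

```shell
#!/usr/bin/env bash
# Added example: checks for the files the steps above produce.

# Succeeds only when KEY and CERT carry the same public key.
key_matches_cert() {  # usage: key_matches_cert KEY.pem CERT.pem
  local k c
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Succeeds when CERT expires within DAYS days, has already expired,
# or cannot be read (fails closed so a broken file is not ignored).
cert_expires_within() {  # usage: cert_expires_within CERT.pem DAYS
  ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Restricts a secret file to its owner, then confirms the resulting mode.
lock_down() {  # usage: lock_down FILE
  chmod 600 "$1" && [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

# Constructed test data, not Apple-issued: a throwaway key, a 30-day
# self-signed certificate and a .p12 with a sample password, in directory $1.
make_sample() {
  openssl genrsa -out "$1/pkpass.key" 2048 2>/dev/null &&
  openssl req -new -x509 -key "$1/pkpass.key" -subj "/CN=constructed-sample" \
    -days 30 -out "$1/pass.pem" 2>/dev/null &&
  openssl pkcs12 -export -inkey "$1/pkpass.key" -in "$1/pass.pem" \
    -passout pass:constructed-sample -out "$1/pkpass.p12" 2>/dev/null
}

# Demo run on the constructed sample; point the functions at your own
# pkpass.key, pass.pem and pkpass.p12 for real use.
demo() {
  local d; d=$(mktemp -d) || return 1
  make_sample "$d" || return 1
  key_matches_cert "$d/pkpass.key" "$d/pass.pem" && echo "key matches certificate"
  cert_expires_within "$d/pass.pem" 60 && echo "expires within 60 days"
  cert_expires_within "$d/pass.pem" 7 || echo "does not expire within 7 days"
  lock_down "$d/pkpass.p12" && echo "pkpass.p12 is owner-only (600)"
  rm -rf "$d"
}
demo
```

Running `key_matches_cert` before the pkcs12 export catches a pass.cer that was issued for a different CSR, and `cert_expires_within pass.pem 30` fits a daily cron job alongside the calendar reminder.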

rlanyi commented Nov 13, 2022

@jamiembrown very nice, thanks for the detailed description!

@jrmadsen67

Thanks for these instructions - this was incredibly helpful!

Couple of update notes:

You now need the G4 certificate version or better (you can find them all at https://www.apple.com/certificateauthority/ )

so wget http://developer.apple.com/certificationauthority/AppleWWDRCA.cer
becomes: wget https://www.apple.com/certificateauthority/AppleWWDRCAG4.cer

and then change to AppleWWDRCAG4 throughout the steps

@Corneliuus

What is the purpose of creating the .p12 certificate? Can't you sign the passes just by using the two .pem files and your private key created in step 8?
