I am trying to recreate a Developer ID Application certificate, so I can sign my application. I had an existing certificate, but it's about to expire, so I am trying to regenerate a new one.
However, when I download a newly generated certificate from developer.apple.com, the imported certificate has no key as its child node in Keychain Access. The old certificate had this. When I attempt to use the certificate for code signing I receive something like:
/tmp/myapp.app/Contents/app/bin/myapp.exe: errSecInternalComponent
I am following the instructions to obtain a signed certificate using Certificate Assistant:
Ensuring nothing is selected in Keychain Access, click Keychain Access > Certificate Assistant > Request a Certificate from a Certificate Authority.
I enter my email, accept the default Common Name and click Saved to disk.
In developer.apple.com I click the "+" to Create a New Certificate
I choose Developer ID Application
I upload the CSR I saved above
I download the .cer file that is generated
I open the .cer file. This adds the certificate.
As you can see, the certificate does not have a private key inside it, like the old one:
Unfortunately I don't have the old certificate now having deleted it in a fit of pique but it looked like this:
... although in my case it had my private key.
I've noticed reference to the claim that creating a CSR also creates a public/private key pair, but I cannot see these anywhere in Keychain Access.
Later, I did manage to import the certificate and it show the private key. I think this was when I imported it into the same keychain as that which contains a private key "Dan Gravell" - login. However, I have since tried replicating that and now the certificate is being imported without a key again.
Xcode appearance
I've discovered there's a little more information in Xcode. The certificate shows "Missing Private Key" next to it:
When I look this error up, the suggestions seem to be that the certificate has been given to a developer by some third party that didn't include the private key. However, in my case I am that third party who has created the CSR and received the certificate originally and I thought I had the private key, otherwise I wouldn't have been able to create the CSR in the first place. All these items appear to be in my keychain.
I (eventually) got a reply from Developer Program Support. They issued a new certificate which I installed via XCode this time. I documented my other steps here: https://stackoverflow.com/a/74210449/28190
Related
I have 2 code signing certificates, for both CSR is created same way, also import and export is done same way. The only difference that I see is that one of certificates Common name contains Quotes, and the other doesn't.
e.g.
some cert and
some "cert"
CSR creation
Request format PKCS #10
disabled "Strong private key encryption"
Entered Common name, Organization, Locality, State, Country
2048 bytes for private key
set private key exportable
Import
place all certificates in Personal store
Export
Include all certificates if possible
Enable certificate privacy
encryption algorithm TripleDES-SHA1
Misleading thing is that this Common name value is NOT taken from the value I entered when I created CSR request
I am using those certificates to sign Winforms applications in Visual Studio. Certificate without Quotes in common name is working correctly (i.e. when I install application user is not getting security warning about unknown publisher), but when I install application which is signed with the other Code signing certificate (with Quotes in Common name) - it does not recognize Publisher. No error when published my application. When I take a look at setup.exe properties in Windows Explorer I see a Digital signatures tab which contains row for my certificate.
I tried to sign files with signtool and then verify - it said that certificate is valid.
I tried to get help from godaddy.com where I bought my certificate, they said that it should work with quotes, too, but didn't offer help to solve the issue. Rekey also didn't help.
I see that there are some suggestions to use Pre Publish, Post Build tasks, but I am not using those for my first certificate which is working.
So, is anyone here using code signing certificate for Winforms application with common name having quotes in it? Or maybe anyone knows about this problem and how to solve it?
Had to revoke (common name which is entered when creating CSR is not taken into account, so rekeying is not enough!) my code signing certificate and create from start without quotes/brackets in company name.
So this means, you will have to wait again for few days, because verification process is made from start again. When you will be contacted by issuer, they will verify / ask you about company name - make sure that they do not include quotes/brackets.
Revoking means that you will basically have to buy your certificate once more, because after you revoke it (at least in godaddy case) in your account you don't have options to create it again. So, you have to contact support (use call center and not chat ;)
I downloaded my push notification certificate "aps_developer_identity.cer" from apple developer portal, and installed it. This certificate shows up only in the "certificates" filter and not in "My Certificates" filter in my keychain. Where am I going wrong? I need to export the ".p12" of "aps_developer_identity.cer" and upload it to UrbanAirship for testing purpose. Please help
Make sure that you have the private key signing the certificate in your Keychain. If that's not the case, revoke the old certificate and generate a new one with one of your private keys.
I accidentally deleted the private and public key pair of my certificate, but I can't find anything helpful to undo or add those to my certificate again.
Actually the developement certificate has expired, so i redownloaded the new one.
Than I wanted to add the private/public key to my new certificate. And there it happend, i deleted it.
How can I get these and set them to my actual certificate again.
I had this issue two days ago.
Open Keychain Access
What you have to do is make backups of all your certificates and then go and delete all the private and public keys and certificates on your machine relevant to apple.
Then in Keychain Access click on Keychain Access(Menu Bar) and in the menu select Certificate Assistant -> Request a certificate from a certificate authority.
Enter your details and make sure Saved to disk and Let me specify key chain pair is selected.
Save it.
On the next screen: These values must be:
Key Size: 2048 bits
Algorithm: RSA
You then need to log into the Provisioning Portal on apple's website and revoke all certificates there.
Then click distribution and say Add Certificate and select the file you created earlier.
You can then request all certificates again. Re-download all certificates, once you start opening the downloaded certificates your new key pair and certificate will be in Keychain Access.
If you have any questions check out http://developer.apple.com/ios/manage/distribution/index.action
I am trying to get Xcode 4 working with my svn repository. I type in the svn address, which it says is reachable, but when I try to check out, it comes up with "The server 'svn.testbedapp.com' requires a client certificate." (it doesn't provide the option to supply the certificate) and then it shows "Checking out 'ProjectName'" indefinitely with s pinning wheel.
Any ideas how I supply the certificate or get it checking anything out?
It's a known issue.
Open terminal, type
svn ls <your repository address>
confirm certificates, check login/pass.
After that repo will work fine in xcode.
You can put your certificate file name to SVN configuration file
~/.subversion/servers
In section [global] just add a line (use a full path - not relative)
ssl-client-cert-file = /path/to/your/certificate.p12
Optionally you can add also
ssl-client-cert-password = yourpassphrase
store-passwords = yes
store-ssl-client-cert-pp = yes**
To answer the original question:
The server “foo.example.com” requires a client certificate.
Translation: Xcode can't find the SSL client certificate in your keychain, the certificate is not valid, or if there's multiple certificates, Xcode doesn't know which one to use.
To install a certificate in your keychain: In Finder, open the file that contains your client certificate (typically a .p12 file). Click Add, then enter the password to decrypt the .p12 file. If you have the corresponding root certificate (typically a .pem file), import it as well and click "Always Trust" when prompted.
To make sure the certificate is valid: In Keychain Access, select the client certificate and look for a green checkmark and the words "This certificate is valid".
If you see "This certificate was signed by an unknown authority",
install a corresponding root certificate.
If you see "This certificate was signed by an untrusted issuer", look for where it says "Issued by", find the corresponding root certificate by that name, and mark the root certificate as trusted (at least for X.509 Basic Policy).
If you see "This certificate has expired", delete it and get a new one.
To associate the URL with a specific certificate: You need an identity preference. Xcode can't do this, but both Keychain Access and Safari can. In Keychain Access, select the client certificate and choose File menu > New Identity Preference…. Enter the repository URL (e.g. https://foo.example.com/path/to/repository) and click Add.
Alternatively: In Safari, go to your repository URL. If there are multiple certificates installed, Safari will prompt "The website “foo.example.com” requires a client certificate" and show a list of certificates. Choose the one you installed in step (1).
To get everything working, you also need to get past these two common errors:
Client certificate filename: Authentication realm: https://foo.example.com:443
Translation: Subversion can't find your SSL client certificate on disk.
Xcode uses Keychain, and Subversion itself (as of v1.4) uses Keychain as well for passwords. For certificates, however, Subversion must be pointed to files on disk.
1) Open ~/.subversion/servers in your favorite text editor. At the bottom, add the line
ssl-client-cert-file = /path/to/first.last.p12
where the value is the path to your client certificate in PKCS#12 format.
svn: OPTIONS of 'https://foo.example.com/path/to/repository': SSL handshake failed, client certificate was requested: SSL error: sslv3 alert handshake failure
Translation: Subversion can't find the password to decrypt your SSL client certificate.
See explanation above.
To save your .p12 password in Keychain: In Terminal, type
svn ls https://foo.example.com/path/to/repository
When prompted, enter the password for the .p12 file. This will be stored in your keychain as an application password.
When prompted, enter the administrator password for your Mac.
When prompted, enter your server credentials. This will also be stored in your keychain as an application password.
At this point, you should see the contents of your repository displayed in Terminal.
Note: If you use Versions by Black Pixel, at least v1.2.2 seems to have trouble using Keychain for passwords, so in ~/.subversion/servers you'll also need to add the line
ssl-client-cert-password = yourpassword
where your password is in cleartext. (This is obviously not secure, so don't do it unless you have to.)
I am unable to install a mobile provisioning certificate on iOS 5 because I get this error:
The container "…" must contain only one certificate and its private key.
I used the same process that worked in the past but on iOS 5 it doesn't work and I have no idea how to export my certificate in a "desirable" state.
I was able to fix this by exporting the private key from the "Certificates" Category of Keychain, rather than exporting the Key directly.
So export the NAME of the cert, not the private key itself, and you should be good to go.
I think a more specific answer is that you...
open up Keychain app
(I am assuming you already have the key pair of your Identity in a keychain )
Like #Brent Shaffer says, choosing from "Certificates" is more straight forward
(The reason being is that the Keychain App logically groups the Certificate and private key for identities when using the "Certificates" view)
SHIFT-select both your SMIME certificate and its corresponding private key
right-click the selection and choose 'Export 2 Items'
Save as a (.p12) file with a very strong password
email the .p12 file to your email account
And from your iphone Mail app you can tap the .p12 file
and Mail will suggest to import this as a Profile. You will need the password from earlier.