I am attempting to configure a Notification Hub for APNS in Azure Portal. There are two options: Certificate and Token. The certificate option is redundant as it only takes p12 certificates and Apple now only does p8 certificates.
For the Token option, I am presented with the following fields: Key Id, Bundle Id, Team Id, and Token.
I have already created a p8 certificate, and have entered the values for all the above fields except the Token field. Where do I get the token? Is it the private key that is contained in the p8 certificate?
Update
According to Microsoft, Token refers to the key or private key 'obtained from the p.8 file': source
I am trying to recreate a Developer ID Application certificate, so I can sign my application. I had an existing certificate, but it's about to expire, so I am trying to regenerate a new one.
However, when I download a newly generated certificate from developer.apple.com, the imported certificate has no key as its child node in Keychain Access. The old certificate had this. When I attempt to use the certificate for code signing I receive something like:
/tmp/myapp.app/Contents/app/bin/myapp.exe: errSecInternalComponent
I am following the instructions to obtain a signed certificate using Certificate Assistant:
Ensuring nothing is selected in Keychain Access, click Keychain Access > Certificate Assistant > Request a Certificate from a Certificate Authority.
I enter my email, accept the default Common Name and click Saved to disk.
In developer.apple.com I click the "+" to Create a New Certificate
I choose Developer ID Application
I upload the CSR I saved above
I download the .cer file that is generated
I open the .cer file. This adds the certificate.
As you can see, the certificate does not have a private key inside it, like the old one:
Unfortunately I don't have the old certificate now having deleted it in a fit of pique but it looked like this:
... although in my case it had my private key.
I've noticed reference to the claim that creating a CSR also creates a public/private key pair, but I cannot see these anywhere in Keychain Access.
Later, I did manage to import the certificate and it showed the private key. I think this was when I imported it into the same keychain as that which contains a private key "Dan Gravell" - login. However, I have since tried replicating that and now the certificate is being imported without a key again.
Xcode appearance
I've discovered there's a little more information in Xcode. The certificate shows "Missing Private Key" next to it:
When I look this error up, the suggestions seem to be that the certificate has been given to a developer by some third party that didn't include the private key. However, in my case I am that third party who has created the CSR and received the certificate originally and I thought I had the private key, otherwise I wouldn't have been able to create the CSR in the first place. All these items appear to be in my keychain.
I (eventually) got a reply from Developer Program Support. They issued a new certificate which I installed via Xcode this time. I documented my other steps here: https://stackoverflow.com/a/74210449/28190
I'd like to understand how to obtain a private key for Developer ID Application or Developer ID Installer certificates.
Developer ID certificates may be created only by the Account Holder https://developer.apple.com/support/roles/ - done
I have a Developer ID Application certificate.
But the private key is missing.
Where may I find the appropriate private key?
To share Developer ID certificates, the person who is Account Holder should:
Create the Developer ID certificate in the developer account https://developer.apple.com/
Import it into the keychain
Export the certificate together with its private key as a p12 file
Share the p12 file and its password with the developer
Ask the person who created this certificate to export the certificate and send it to you. Or ask any other existing developer who is already using this certificate.
You cannot download private keys from the Apple developer portal.
I have one WinServer 2008 Domain controller and a CA server on it.
I log in with the Administrator account and want to request a certificate "on behalf" of a user of my DC.
To do that, I first duplicated these certificate templates:
smart login
smart user
enrolment agent
I changed the configuration and permissions for the new templates so that the Administrator account can read, write and enrol for these templates.
After creating these new templates and assigning permissions and configuration, from the MMC certificates snap-in (user account certificates, "Personal" section), we requested a new certificate for the Administrator account to make it an enrollment agent, as shown below:
It is then generated with no problem, and we want to request a certificate on behalf of a user with this new certificate. But in "Select enrolment agent certificate", when we click the "Browse" button, we have a problem because there is no certificate to select, as shown below:
there is no certificate available to choose
I read a lot of documents online but did not find the cause of this problem!
You need an enrollment agent certificate in the local user store (certmgr.msc)/machine store (certlm.msc) to request on behalf of. This is done by setting the signature count on the template.
If the signature count is not 0 you cannot enroll, because you first need an enrollment agent certificate...
1. Set the signature count on the enrollment agent certificate template to 0.
2. Enroll an enrollment agent certificate - the dialog will not pop up.
3. Set the signature count on another certificate template to 1.
4. Enroll a certificate based on the template from step 3. The dialog will pop up. Select the certificate enrolled in step 2. Done.
I had the same problem too (cannot choose existing enrollment cert).
The solution (maybe):
Check the access to published crl and/or refresh the crl cache on your enrollment workstation.
From elevated command line:
Delete the old cache: certutil -urlcache crl delete
Resync the crl cache: certutil -setreg chain\ChainCacheResyncFiletime @now
I tried using the code provided here: https://github.com/Azure-Samples/active-directory-javascript-singlepageapp-dotnet-webapi-v2
It works for both MSA and Azure AD authentication. I need to know whether the email address entered was MSA or Azure AD. Is there a way to find that out from the response?
In the id_token you get back, there's an iss (issuer) claim.
This claim contains the user's tenant.
If the user used a Microsoft Account (MSA), their issuer claim will contain the following GUID for the MSA tenant: 9188040d-6c67-4c5b-b112-36a304b66dad
The full value of the issuer will be:
https://login.microsoftonline.com/9188040d-6c67-4c5b-b112-36a304b66dad/v2.0
Any other GUID indicates that the user signed in using Azure AD and the GUID value will represent their Azure AD tenant.
For more information check out the id_token section of the Token Reference documentation.
Can anyone confirm that after changing the Apple Push Certificate to follow the new steps, you have to re-enroll all the devices?
I have tried creating the CSR based on the existing P12 key store, and afterwards creating a new P12 key store with the Apple-signed public key. When using this new key store I am able to enroll devices, but all devices already enrolled need to be re-enrolled.
After much search I found the answer at McAfee.
If you obtained your previous MDM certificate using an Apple Developer's Account your old certificate has been migrated to the new Apple Push Certificates Portal...
This explains everything. At my work we have one iDEP user that created the old certificate for me. When I signed in using my own Apple ID, naturally I was not able to see the migrated certificate.