No key in keychain access - xcode

I've downloaded the .cer file from the developer account. Double-clicking on it adds the file to the Certificates section, but when I go to the Keys section to export the key, I am not able to see that key so that I can export it as a .p12 file.

This is a common issue. The solution is simple:
Whoever created the developer credentials originally needs to go to the keychain on their computer, right-click on the key(s) for private and public, and export the key to a file. Then you just download that file on your computer and open it, and it will be added to your keychain.
You need to have both the private key (.pem file) and the certificate for your provisioning profiles.
From :
https://stackoverflow.com/a/12867936/3901620

Related

Re-install .cer Apple "Developer ID Installer" certificates from a backup

Let's say an Apple developer program membership has expired, so new code signing certificates cannot be requested from the Apple site. Still I have a backup of:
developerID_application.cer, developerID_installer.cer (and the expiration date is 2024, so it is still valid)
a CertificateSigningRequest.certSigningRequest file from 2 years ago, that was created at exactly the same time as the .cer files
How to install these certificates on a new Mac installation, such that we can use productsign to sign a .pkg installer with them?
Here is what I tried:
Import the .cer files in the "System" Keychain, it seems successful
Import the AppleWWDRCA.cer in the Keychain that I used at the creation time of these certificates (https://developer.apple.com/certificationauthority/AppleWWDRCA.cer), idem
productsign --sign "Developer ID Installer: MyName" myinstaller.pkg myinstaller_signed.pkg
Result:
productsign: error: Could not find appropriate signing identity for "Developer ID Installer: MyName"
I have looked at OS X productsign error: Could not find appropriate signing identity but it does not help here: I only have the 2 .cer files and the .certSigningRequest file. I don't have another Private key file. Also when I open the .certSigningRequest file, I see:
Please specify the issuing Certificate Authority for MyName's certificate request
Issuing CA: Let me choose
What would you like to do?
Create a certificate for yourself
Create a CA
Use your CA to create a certificate for someone else
Request a certificate from an existing CA
Set the default CA
View and evaluate certificates
What to do with this previous .certSigningRequest file?
There is nothing you can do if the 3 named files are all you have.
*.cer is just the public key and some attributes signed by someone else (a CA).
*.certSigningRequest, guessed from the name, is a PKCS#10 - public key and some attributes requested to be signed by someone else (a CA).
What you need is the private key.
If you have a system running or a full system image backup (to be restored) with the private keys in the keychain (~/Library/Keychains/login.keychain-db) you can export them to move to another system:
1. Start Xcode.
2. In the menu, click Xcode > Preferences.
3. Click Accounts (top of the window).
4. Click the gear icon (right of the Delete button in the lower-left corner).
5. Choose Export Developer Accounts from the pop-up menu.
Xcode encrypts/password-protects the exported file (*.developerprofile).

Unable to export .p12 from Keychain access

I'm facing a weird situation. For Apple Push Notification I can't export a .p12 file from Keychain Access. I can highlight both items and click on Export 2 items, but after that nothing happens. All steps are correct, as I've been doing it all the time. It seems something is wrong with Keychain Access or my Mac? I did it successfully a few days back for another key and it worked; exporting for this old one doesn't work now. I don't think there is any error or problem in generating the certificate, otherwise it should work for older keys.
Login is selected in left pane. Any suggestions?
This problem also happens when you happen to have selected the wrong keychain (like if you accidentally had single clicked on the System keychain rather than Login keychain). If the cert signing request came from that machine, it would associate the private key with the Login keychain. So if you somehow then downloaded and imported the certificate into the System keychain, Keychain Access would not find the matching private key and would not put the cert under "My certificates", and cannot export a p12. You might as well have tried importing to the keychain on a different Mac.
So, make sure the import is into the keychain associated with the private key. Often this would be the Login keychain.
Rebooting the machine worked in my case.

Export APNs certificate as a p12 file

I'm trying to export the APNs certificate as a .p12 file.
But after I double-click on the .cer file, I can't find it under "My Certificates", and I'm not allowed to export it as a .p12 file (only as .cer, .pem, .p7b).
Why? I created this certificate on the same computer.
The issue seems to be with your private key. If the private key associated with the certificate is missing, then it will not get displayed in the keychain under the "My Certificates" section. You can still see it under all certificates.
Create a new certificate with a new certificate signing request file and try to install it on the Mac. This may solve your problem.
I ran into this issue and decided I'd just let fastlane do the work: https://docs.fastlane.tools/actions/pem/
It generated the correct files and I was on my way in less than 30 seconds!
Thanks Fastlane!
I just ran into this myself. It seems that if in Keychain Access you try to export the Certificate from the All Items tab, it just tries to export the certificate without the key. When trying to export from the My Certificates tab, it worked as expected and I could export as .p12

How to import keychain from one development machine to another

Actually we are using two Mac machines to develop a package on Mac using Xcode. Only one Mac has a certificate, and that one is in a different country. We exported that certificate for the local Mac, but when I try to do code signing using that certificate I get the error "Could not find appropriate signing identity for “Developer ID Installer: ID”". I am not able to add the codesign. What are the steps to import a certificate properly?
That message is usually indicative that you don't have the private key necessary for signing, just the certificate, which is insufficient.
For exporting signing identities, your best bet is to use the Accounts preference panel in Xcode.
1. Launch Xcode on the machine you are sending the signing information from
2. Choose Xcode > Preferences
3. Select the Accounts tab
4. From the gear menu, choose Export Accounts and select the file you want to place the information in and enter a password
5. Transport the exported identity file to the receiving machine
6. Follow steps 1-3 on the Receiving machine
7. From the gear menu, choose Import Accounts and select the file you have just brought over, entering the password when asked.
This should import the entire signing identity, including the certificates, provisioning profiles, and private keys.
Via Keychain Access
If, for some reason, your Xcode on the machine that you are sending the signing information from does not have any accounts listed, you may be signing with a script or from the command line and using the identity information without loading the accounts directly into Xcode's UI. If possible, I would encourage adding your account to Xcode using the Accounts tab in order to get the automatic behaviors that Xcode provides, but it may not be absolutely necessary, especially if you are doing Developer ID only (non AppStore) distribution.
To export from Keychain Access, you will need to export both the Signing Certificate and the Key. The Signing Certificate is also available from Apple's Developer portal, but the key never leaves your machine directly (only a fingerprint of it is sent in the CSR), so if the original key does not exist on a machine that your organization has access to, you may need to Revoke your existing key and create a new one.
To locate your key in Keychain Access do the following:
1. Launch Keychain Access
2. Click on My Certificates
3. Look through the list or use the search box to find your certificate (Searching on Developer ID should yield any Developer ID-related certificates)
4. Each certificate which has an associated private Key will have a disclosure triangle to the left; click on that to expose the keys
5. This Key may be exported by selecting the key and certificate (make sure they're both selected, or export them one at a time) and using File > Export Items
6. Provide a password when prompted to protect the export file
7. Copy the exported file(s) to your other machine
8. Use Keychain Access and File > Import Items to import the certificate/key to the new machine
NOTE: If you lose your private key, you will need to revoke your certificate, generate a new key, and create a new signing certificate. Don't do this without first making sure you have no available copies of the key. The specific implications depend on what kind of certificates are signed with the key, but you will need to regenerate all of the certificates that used the previous key.

OSX iOS- How to create .p12 for APNS from .cer & private key using Terminal/script?

I am able to generate the required .pem file for Apple Push Notification Service by using the following method:
On Mac, use Keychain Access app to create CSR from Private Key and upload to Provisioning Portal and generate the required Certificate. Download the .cer file and drag/drop it into Keychain Access app. Select both this .cer file and the Private Key and choose Export 2 Items. Save it as .p12 file. Use openssl to convert .p12 to .pem
This method all works fine, except I want to create a script to automate this more.
So is there a way to use Terminal (bash script, AppleScript) to create the .p12 file from the downloaded .cer file and the Private Key stored in Keychain Access?
Thanks
I haven't tried this on Mac, but there is an instruction from Adobe (read the second part) on how to do this on Windows. AFAIK the openssl CLI for Mac and Windows has a common interface.
I had to do this in order to get the certificates to play nice with our .NET push provider service application, so I turned the conversion process into a shell script. I'm not an expert on the tools being used in the process, so feedback would be appreciated, but it certainly is working for us.
Check the script's opening comments for the steps necessary to get it all to work, and it should spit out a usage line to you if you don't use it properly.
https://gist.github.com/misterwell/7e27d7396724580352f1
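
A command-line sketch of the conversion asked about here, added as an example; it is not the linked gist's script and not part of any answer above. It assumes the private key has already been exported from Keychain Access as an unencrypted PEM file; the function names, file names and the P12_PASS variable are hypothetical. The match check reflects the point made earlier on the page that a .cer alone carries only the public key.

```shell
#!/bin/sh
# Added example: build a .p12 from a downloaded .cer and its private key.
# Assumes the key is an unencrypted PEM file; names here are hypothetical.

# keys_match CERT.cer KEY.pem
# Succeeds only when the certificate's public key is the one that belongs
# to the private key. A .cer holds no private key, so this is the check
# that decides whether a signing identity can be assembled at all.
keys_match() {
    cert_pub=$(openssl x509 -inform DER -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# make_p12 CERT.cer KEY.pem OUT.p12
# The export pass phrase is read from the P12_PASS environment variable so
# it never appears in the process list. Returns 2 when the key cannot be
# matched to the certificate.
make_p12() {
    cer=$1; key=$2; out=$3
    if ! keys_match "$cer" "$key"; then
        echo "make_p12: $key is not the private key for $cer" >&2
        return 2
    fi
    pem=$(mktemp) || return 1
    # Downloaded .cer files are DER-encoded; convert to PEM for pkcs12.
    openssl x509 -inform DER -in "$cer" -out "$pem" &&
        openssl pkcs12 -export -inkey "$key" -in "$pem" \
            -out "$out" -passout env:P12_PASS
    rc=$?
    rm -f "$pem"
    return "$rc"
}

# Command-line use: P12_PASS=... sh make_p12.sh aps.cer key.pem aps.p12
if [ "$#" -eq 3 ]; then
    make_p12 "$1" "$2" "$3"
fi
```

OpenSSL 3 writes PKCS#12 files with newer encryption defaults; if an older consumer rejects the result, `openssl pkcs12 -export` also accepts `-legacy`.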
