How do I create a .pem file to be stored in the hosting server for APN payload data?
->> Apple's own tutorial <<- is the only working set of instructions I've come across. It's straight forward and I can confirm it works brilliantly on both a linux php server and a windows php server.
You can find their 5-step pem creation process right at the bottom of the page.
Here is what I did, From:blog.boxedice.com and "iPhone Advanced Projects" chapter 10 byJoe Pezzillo.
With the aps_developer_identity.cer in the keychain:
apns-dev-cert.p12
file somewhere you can access it. There is no need to enter a password.The next command generates the cert in Mac’s Terminal for PEM format (Privacy Enhanced Mail Security Certificate):
openssl pkcs12 -in apns-dev-cert.p12 -out apns-dev-cert.pem -nodes -clcerts
On the server set the file permission of this unencrypted key by using chmod 400.
Development Phase:
Step 1: Create Certificate .pem from Certificate .p12
openssl pkcs12 -clcerts -nokeys -out apns-dev-cert.pem -in apns-dev-cert.p12
Step 2: Create Key .pem from Key .p12
openssl pkcs12 -nocerts -out apns-dev-key.pem -in apns-dev-key.p12
Step 3 (Optional): If you want to remove pass phrase asked in second step
openssl rsa -in apns-dev-key.pem -out apns-dev-key-noenc.pem
Step 4: Now we have to merge the Key .pem and Certificate .pem to get Development .pem needed for Push Notifications in Development Phase of App.
If 3rd step was performed, run:
cat apns-dev-cert.pem apns-dev-key-noenc.pem > apns-dev.pem
If 3rd step was not performed, run:
cat apns-dev-cert.pem apns-dev-key.pem > apns-dev.pem
Step 5: Check certificate validity and connectivity to APNS
If 3rd step was performed, run:
openssl s_client -connect gateway.sandbox.push.apple.com:2195 -cert apns-dev-cert.pem -key apns-dev-key-noenc.pem
If 3rd step was not performed, run:
openssl s_client -connect gateway.sandbox.push.apple.com:2195 -cert apns-dev-cert.pem -key apns-dev-key.pem
Production Phase:
Step 1: Create Certificate .pem from Certificate .p12
openssl pkcs12 -clcerts -nokeys -out apns-pro-cert.pem -in apns-pro-cert.p12
Step 2: Create Key .pem from Key .p12
openssl pkcs12 -nocerts -out apns-pro-key.pem -in apns-pro-key.p12
Step 3 (Optional): If you want to remove pass phrase asked in second step
openssl rsa -in apns-pro-key.pem -out apns-pro-key-noenc.pem
Step 4: Now we have to merge the Key .pem and Certificate .pem to get Production .pem needed for Push Notifications in Production Phase of App.
If 3rd step was performed, run:
cat apns-pro-cert.pem apns-pro-key-noenc.pem > apns-pro.pem
If 3rd step was not performed, run:
cat apns-pro-cert.pem apns-pro-key.pem > apns-pro.pem
Step 5: Check certificate validity and connectivity to APNS.
If 3rd step was performed, run:
openssl s_client -connect gateway.push.apple.com:2195 -cert apns-pro-cert.pem -key apns-pro-key-noenc.pem
If 3rd step was not performed, run:
openssl s_client -connect gateway.push.apple.com:2195 -cert apns-pro-cert.pem -key apns-pro-key.pem
Steps:
This gives you three files:
PushChatKey.p12
)aps_development.cer
Go to the folder where you downloaded the files, in my case the Desktop:
$ cd ~/Desktop/
Convert the .cer file into a .pem file:
$ openssl x509 -in aps_development.cer -inform der -out PushChatCert.pem
Convert the private key’s .p12 file into a .pem file:
$ openssl pkcs12 -nocerts -out PushChatKey.pem -in PushChatKey.p12
Enter Import Password:
MAC verified OK
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
You first need to enter the passphrase for the .p12 file so that openssl can read it. Then you need to enter a new passphrase that will be used to encrypt the PEM file. Again for this tutorial I used “pushchat” as the PEM passphrase. You should choose something more secure. Note: if you don’t enter a PEM passphrase, openssl will not give an error message but the generated .pem file will not have the private key in it.
Finally, combine the certificate and key into a single .pem file:
$ cat PushChatCert.pem PushChatKey.pem > ck.pem
I never remember the openssl
command needed to create a .pem
file, so I made this bash script to simplify the process:
#!/bin/bash
if [ $# -eq 2 ]
then
echo "Signing $1..."
if ! openssl pkcs12 -in $1 -out $2 -nodes -clcerts; then
echo "Error signing certificate."
else
echo "Certificate created successfully: $2"
fi
else
if [ $# -gt 2 ]
then
echo "Too many arguments"
echo "Syntax: $0 <input.p12> <output.pem>"
else
echo "Missing arguments"
echo "Syntax: $0 <input.p12> <output.pem>"
fi
fi
Name it, for example, signpem.sh
and save it on your user's folder (/Users/<username>
?). After creating the file, do a chmod +x signpem.sh
to make it executable and then you can run:
~/signpem myCertificate.p12 myCertificate.pem
And myCertificate.pem
will be created.