Generating iOS Push Certificates (including .p12's and .pem's)

Every time I've created a new app with push notifications, I have to go through the headache of setting them up. On Android it's ridiculously easy, just saying!

Every time I do it on iOS, I'm sure I've got everything right and then something refuses to work.

Setting up push notifications sucks!

Yeah, Mr. Franco, I'm pretty disappointed too. So this time I'm writing it down so I can't possibly get it wrong again.

The first thing to do is obviously set up your app ID and its provisioning profiles. I'm not going to go into this, but here's the official documentation for it, and it's pretty 👍. You should have something that looks like this:

Development certificates

Click on the two, and download them to your computer, and then double click them to open (and install) them into your keychain. This is just as important if you are renewing your certificates.

So here goes, let's set up (or renew) push notifications.

Click the + button at the top right of the screen shown in the screenshot above and follow the instructions. Do this for both Apple Push Notification service SSL (Sandbox) and for Apple Push Notification service SSL (Production). These instructions are pretty simple. Hopefully this was easy. This will create two new certificates for you. These are SSL certificates tied to the private key on your computer (the one generated alongside the certificate signing request).

You should have something like this:

Development and push certificates

Now click on each of the newly created certificates (they should say APNs Development iOS and APNs Production iOS in the Type column), and click 'Download'. Once they're on your computer, double click them to install them into your keychain.

In Keychain Access, you should see your two certificates installed. (You can search for them if you aren't sure where they are). Mine look like this:

My certificates in Keychain Access

Click on the dropdown arrow to the left of each one, and confirm you can see the private key for each. If there is no dropdown it means the private key is not in your keychain. This probably means the keys for your development account are not installed on your mac. Go to the certificates page from earlier and make sure you install your development and distribution identity certificates.

Great, your push credentials are sorted. Now you need to do something with them.

Uploading to Parse / Urban Airship / Something that needs .p12s

Parse and others make things really easy for you by only needing you to upload .p12 files. To do this, click on the push certificate in Keychain Access and click export:

Exporting a certificate in Keychain Access

In the save window, change the file format to .p12. If this option is greyed out, it means the private key isn't installed on your computer. You need to install the development and distribution certificates mentioned at the top of this tutorial.

Parse requires that you don't enter a password here when you're exporting. I'm sure most others require the same, so it's best to just leave the passwords empty.

Do this again for the other certificate. Then, upload these .p12 files to your push provider (in Parse you do it in Settings > Push).

Generating PEMs and decrypted PEMs

This is way more complicated and is the whole reason I'm writing this. It's so easy to get wrong.

The library I use for push notifications needs decrypted pem files for the private key and certificate separately, which is rather annoying. For the rest of this, I'm going to assume that you saved the certificates with the default names (aps_development.cer and aps_production.cer).

First, open Keychain Access again and find your push certificates. Expand them both to expose the private key for each of them, like so:

Exposing the private key in Keychain Access

Right click on the development key, and click export. Save this file as aps_dev_key.p12 (so you don't have to edit my following commands). Do the same for the production key (save as aps_prod_key.p12). Please save this into the same folder as our .cer files you downloaded earlier. When prompted for a password, feel free to enter one.

Now, open Terminal, cd into this folder and run:

openssl x509 -inform der -in aps_development.cer -out aps_dev_cert.pem
openssl x509 -inform der -in aps_production.cer -out aps_prod_cert.pem

This will convert the certificates into pem format.

Now we need to convert the keys into .pems. Run:

openssl pkcs12 -nocerts -in aps_dev_key.p12 -out aps_dev_key.pem
openssl pkcs12 -nocerts -in aps_prod_key.p12 -out aps_prod_key.pem

This step will ask you to enter the password for the .p12 file and then enter another password to encrypt the pem file.

Many services will only need you to go up to this step, but my library requires decrypted certificates (how safe this is I don't really know).

To decrypt it, run:

openssl rsa -in aps_dev_key.pem -out aps_dev_key_decrypted.pem
openssl rsa -in aps_prod_key.pem -out aps_prod_key_decrypted.pem

You can now cat the files (cat aps_dev_key_decrypted.pem etc.) and see their contents. Enter these where necessary and you're good to go.
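Added example (my own script, not part of the original post): the three openssl steps above wrapped into one shell function, plus the checks I'd want before handing the files to a push library, namely that the extracted key really belongs to the certificate, when the certificate expires, and that the decrypted key is readable by its owner only. It assumes the post's file names (aps_<env>.cer and aps_<env>_key.p12) and takes the two passwords as arguments so it can run unattended.

```shell
#!/bin/sh
# Added example, not from the original post. Wraps the post's openssl commands
# and verifies the result. Assumes the post's naming: aps_<env>.cer (DER
# certificate from the developer portal) and aps_<env>_key.p12 (Keychain export).
set -eu

# apns_convert ENV P12_PASSWORD PEM_PASSWORD
# ENV is "dev" or "prod". Writes aps_<env>_cert.pem, aps_<env>_key.pem
# (passphrase-protected) and aps_<env>_key_decrypted.pem (plaintext key).
apns_convert() {
  tier="$1"; p12_pass="$2"; pem_pass="$3"
  cer="aps_${tier}.cer"; p12="aps_${tier}_key.p12"
  cert_pem="aps_${tier}_cert.pem"
  key_pem="aps_${tier}_key.pem"
  key_dec="aps_${tier}_key_decrypted.pem"

  # 1. DER certificate from the developer portal -> PEM
  openssl x509 -inform der -in "$cer" -out "$cert_pem"

  # 2. Keychain .p12 export -> passphrase-protected PEM key. Run by hand this
  #    prompts for both passwords; here they are passed in explicitly.
  openssl pkcs12 -nocerts -in "$p12" -out "$key_pem" \
    -passin "pass:$p12_pass" -passout "pass:$pem_pass"

  # 3. Strip the passphrase for libraries that need a plain key. The umask in
  #    the subshell makes openssl create the plaintext key with mode 0600.
  (umask 077; openssl rsa -in "$key_pem" -passin "pass:$pem_pass" -out "$key_dec")

  # Check: the key's modulus must equal the certificate's modulus. If it does
  # not, the wrong key was exported from Keychain and APNs will reject the
  # TLS handshake with a confusing error later on.
  cert_mod=$(openssl x509 -noout -modulus -in "$cert_pem")
  key_mod=$(openssl rsa -noout -modulus -in "$key_dec")
  if [ "$cert_mod" != "$key_mod" ]; then
    echo "ERROR: $key_dec does not match $cert_pem" >&2
    return 1
  fi

  # Report the expiry so the yearly renewal does not come as a surprise.
  echo "OK: $cert_pem and $key_dec match; $(openssl x509 -noout -enddate -in "$cert_pem")"
}
```

Usage: `apns_convert dev 'p12 password' 'pem password'` from the folder holding the files, then the same for prod.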

We made it. See you next year folks.


P.S. I use to test everything works.

© Krishan Patel 2015.