Why do I get this message with the Production APNS certificate?
"The certificate environment did not match. Ensure that you got the right development or production APNS certificate."
What exactly is 'the certificate environment'?
The Development APNS certificate causes no problem.
I don't get it.
I had the same issue and here's what I did to solve it.
The issue was because I generated both the Development APNS Certificate and the Production APNS Certificate using the same certificate signing request file (the file that you got from Keychain Access > Certificate Assistant > Request a Certificate From a Certificate Authority). Apparently, the certificate signing request file should not be the same.
To solve this problem:
1. Create a new certificate signing request (Keychain Access > Certificate Assistant > Request a Certificate From a Certificate Authority)
2. From the Push Notification section of your app, create a certificate using the .certSigningRequest file you just created
3. Re-upload the .p12 to GCM
Reference:
http://blog.hypermkt.jp/uploading-certificate-for-google-cloud-messaging-for-ios/
How to generate valid APNS Certificate (.p12) for use in GCM for iOS?
Had the same issue!
While exporting from Keychain, right-click on the certificate itself, not on the private key inside of it.
Related
I'm developing a DocuSign integration with a sandbox account. On my server I have no certificate because it's just a development environment. The API works fine there. But when I uploaded the DocuSign feature to a test server, which has a certificate, the API returns the following message:
Caught exception: SSL certificate problem: self signed certificate in certificate chain
I checked the CA in the Microsoft Trusted Root Certificate Program and it isn't there, so maybe this is the problem. But if that's the case, shouldn't the API have returned a different message? I'm positive the server certificate isn't a self signed one, but is there a way to double check that? What should I do about the server certificate?
You will have to get the DocuSign certificate installed on your test server.
You can find all of DocuSign certificates here - https://www.docusign.com/trust/compliance/public-certificates
Situation: we can't update the DER file on the client's device, and the SSL certificate on our web server expires soon.
Is it possible to renew the server's SSL certificate without replacing the client's certificate?
We want to follow this guide: https://www.smashingmagazine.com/how-to-issue-a-new-ssl-certificate-with-an-old-ssl-key/
However, we are not sure if it helps.
The question is:
Does the DER file (on the client side) contain only the public key, and is it safe to renew the SSL certificate using the technique described in the link above (keeping the same public/private keys)?
Will it work on the client's device without replacing the DER file? Or does the DER file contain not only the public key for the SSL certificate but also some other information?
I'm afraid that, based on your original post and clarifications, the client will expect from the web server the same server certificate as is stored in the DER file on the client device. The client performs an exact binary copy comparison (not only public keys).
Any attempt to replace the server certificate will result in a connection failure on the client. If you plan to replace the certificate on the web server, you will have to update client devices as well.
Unfortunately, there are a lot of flawed HPKP implementations (to be honest, I didn't see any reliable implementation) that work fine until the server certificate is changed. In order to properly handle server certificate replacement, the client MUST be able to store at least two server certificates, the existing one and the new one. Here is the high-level server certificate replacement process:
1. Acquire a new server certificate from the CA in advance.
2. Make an application update by including the new certificate side-by-side. When clients update the application on their devices, the client app will trust both the existing and the new certificate.
3. Give clients time to update the app on their devices. Ideally, you should wait until all clients have the updated app version with the updated certificate.
4. Change the SSL certificate in the server bindings.
5. After a time you can make another update for the client certificate by removing the expired certificate from the trust store.
Only this step sequence may guarantee uninterrupted certificate pinning renewal.
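The difference between the two checks discussed in this thread, as an added example that is not part of the original posts: a pin over the whole DER file rejects a certificate renewed with the same key pair, while a pin over only the SubjectPublicKeyInfo still matches it, and a set of two whole-certificate pins covers the rollover described in the steps above. The SHA-256 pin sets, the helper names and the sample certificates (unsigned skeletons in X.509 field order) are assumptions constructed for illustration.

```python
import hashlib

def tlv(tag, body):
    """Encode one DER element (short-form length only, enough for the samples)."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def read_tlv(buf, pos):
    """Return (value_start, value_end) of the DER element at pos."""
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                         # long-form length, used by real certs
        k = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return pos, pos + length

def spki_of(cert_der):
    """Return the encoded SubjectPublicKeyInfo element of an X.509 certificate."""
    start, _ = read_tlv(cert_der, 0)          # Certificate SEQUENCE
    pos, end = read_tlv(cert_der, start)      # tbsCertificate SEQUENCE
    fields = []
    while pos < end:
        _, nxt = read_tlv(cert_der, pos)
        fields.append(cert_der[pos:nxt])
        pos = nxt
    # version [0] is optional; then serial, sigAlg, issuer, validity, subject, SPKI
    return fields[6 if fields[0][0] == 0xA0 else 5]

def cert_pin(cert_der):                       # pins the whole DER file
    return hashlib.sha256(cert_der).hexdigest()
def key_pin(cert_der):                        # pins only the public key
    return hashlib.sha256(spki_of(cert_der)).hexdigest()

def accepts(server_cert, pins, pin_fn):
    # Client-side check: the presented certificate must match a stored pin.
    return pin_fn(server_cert) in pins

def sample_cert(serial, not_after, spki):
    """Constructed skeleton in X.509 field order; unsigned, for illustration only."""
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, bytes([serial]))
              + tlv(0x30, b"") + tlv(0x30, b"")
              + tlv(0x30, tlv(0x17, b"240101000000Z") + tlv(0x17, not_after))
              + tlv(0x30, b"") + spki)
    return tlv(0x30, tbs + tlv(0x30, b"") + tlv(0x03, b"\x00"))

def make_spki(fill):                          # constructed placeholder key bytes
    return tlv(0x30, tlv(0x30, b"") + tlv(0x03, b"\x00" + bytes([fill]) * 32))

OLD = sample_cert(1, b"250101000000Z", make_spki(0x11))
RENEWED = sample_cert(2, b"260101000000Z", make_spki(0x11))   # same key, new dates
REKEYED = sample_cert(3, b"260101000000Z", make_spki(0x22))   # new key pair
```

`accepts(RENEWED, {cert_pin(OLD)}, cert_pin)` is false even though the key is unchanged, because the serial number and validity dates are part of the pinned bytes.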
I am trying to use SSL with my webapi published using IIS.
I've enabled SSL in webapi project by setting SSL ENABLED to TRUE.
On the local pc I've created a self signed certificate, which gets issued to MyPcNameHere/MyCompanyDomainHere. (not sure if that matters)
Now if I browse to the webpage in Chrome/Mozilla I get a warning: your connection is not secure. Mozilla's error is THE CERTIFICATE IS NOT TRUSTED BECAUSE IT IS SELF SIGNED.
What are my options here for handling this? (When I get this warning, is the connection truly not secure? Or is it purely a warning that the certificate is self signed?)
I don't mind getting a third party certificate, but when I tried it wanted me to verify I own the domain. This myPc/myDomain is inside a company firewall so I don't see how I could obtain a certificate.
Any suggestions?
You get that error (warning actually) because you're using a self signed certificate, which your browser doesn't recognize.
Your options are:
1. Obtain a certificate issued by a trusted provider (the root certificate of the issuer will be present in the trusted root certificates store of your browser/system).
2. Make the browser trust your self signed certificate (here's a guide for Chrome, I didn't find any for Mozilla - you have to just add a permanent exception).
Now, if you're using this only for a test, you can get the browser to trust your self signed certificate.
If you're in a company network, and you have the resources, you might consider setting up a local CA, which you then may use to issue certificates for testing machines on the Intranet, or for your dev environment. You will of course deploy the root certificate on all machines' trusted certificate store.
If you're going live with this (production machine accessible over the Internet), you have to really consider a provider.
I am trying to sign one of my WIX EXEs using sign tool. When I create a certificate and install it to windows certificate store, I can easily verify the EXE using sign tool. But when I try to create a PFX file and sign it, it gets signed successfully. But when I try to verify it, it throws the below error.
SignTool Error: WinVerifyTrust returned error: 0x800B010A
A certificate chain could not be built to a trusted root authority.
Number of errors: 1
I tried using a certificate chain and signing using the commands mentioned in the answer of https://social.msdn.microsoft.com/Forums/sqlserver/en-US/da5d1aef-5dbc-4400-8972-fef4d7139d99/where-windows-sdk-tools-like-cert2spcexe-and-pvk2pfxexe-go?forum=windowssdk. But that results in the same error as well. My requirement is to sign and verify using a PFX file using signtool. I cannot use Windows Store. Any help would be much appreciated.
The method described in http://msdn.microsoft.com/en-us/library/ff699202.aspx creates a self signed test certificate. A self signed test certificate is not signed by a trusted 3rd party, so you get the error "A certificate chain could not be built to a trusted root authority." when trying to verify the file signed by the certificate.
If you want to fix the error you will need to obtain a code signing certificate from a certificate authority. Usually for a fee.
When you purchase a code signing certificate, the certifying authority takes certain steps to verify your identity. If those steps are passed, the certifying authority issues you a certificate signed by their private key. Their private key is kept secret. When you verify the signed file, the verification process extracts the code signature from the signed file and validates it against one of the known public keys provided by all of the certifying authorities.
If I use SSL for my app to communicate with my server, can I use any SSL certificate, like those issued by GoDaddy? I understand the reason people buy Verisign certificates (which are terribly expensive) is that they are supported by all browsers. But if I have no browser component, and the communication is between my app and my services, can I go for a cheaper one?
How SSL works
The goal of SSL certificates is to ensure no man in the middle is eavesdropping on your encrypted communication. When your app is connecting to your server, your server therefore presents a certificate which states that the encryption key used really belongs to your server. This certificate is cryptographically signed by a trusted party, such that the man in the middle cannot forge such a certificate. Your app has to know the cryptographic key of the trusted party in advance to verify this signature.
Use GoDaddy certificates
You can use any certificate made by a trusted party which is known by your app. If you include the GoDaddy cryptographic key (called root certificate) in your app you can use GoDaddy certificates.
Use your own zero cost certificate
For you and your app, you yourself can be a trusted party for certificate signing. You can use your own self generated certificate without paying anyone for it. You only need to include your own certificate in your app. You can find a tutorial on how to generate a self signed certificate at http://www.akadia.com/services/ssh_test_certificate.html .