I have created my own key (public/private) via keychain access.
But my company already have created a provisioning profile and developer certificate,which i downloaded (after logging) and installed it in my Xcode and iPhone as well.
But when i try to run on iPhone,it says "There are no valid certificate/private key pairs in the default keychain".
I have also set bundle identifier name correctly in info.plist,but what am i doing wrong?
Is it that i should somehow add my own mac key pairs to somewhere as to match it since it is already created by company?
Could anyone help or suggest where m i going wrong,i have searched forums they all are simply not matching my problem and misleading other ways.
Thankx in advance.
You need the private key for the developer certificate that you have downloaded. The error "There are no valid certificate/private key pairs in the default keychain" means you don't have the private key.
You say "my company already have created a [...] developer certificate", which sounds like they have created a developer certificate for you. If that is the case, they need to send you the private key because you won't have this by default.
Generally it should be up to each individual developer to make a certificate signing request and gerenate the development certificate in the provisioning portal. There's no reason for the company to do that for you.
Related
This is a follow up to this issue HERE.
After creating new ssl certificates, I created new certs specfically for PayPal use. I have three certficates in play for PayPal which are the private key set to 440, public key set to 644, and PayPal key that I downloaded after uploading the public key, and that key is also set to 644. I also copied over the Cert ID.
All keys are being used as proven by my logging, however I am getting the infamous:
"We were unable to decrypt the certificate id"
There shouldn't be any copy paste issues (as I've seen others discuss) since I downloaded and uploaded everything without needing to copy/paste anything.
I am miffed at to what could be the problem. Any ideas?
This is resolved. The issue was just a configuration mis-step. I still wonder why and wonder if it is safe to allow a www-data readable on one of the private keys.
I need to sign an enterprise Windows Store app I've developed ,so that users can sideload it into their devices.
I'm in the process of obtaining a code signing certificate from GoDaddy. A lot of the next steps are still hazy for me - any additional details will be appreciated.
What I've done so far
The application is tested, and I was able to deploy it on machines that have a developer license.
Purchased a code signing certificate from Daddy but didn't know what to do next (based on past experience I thought I needed to generate a key pair and a certificate signing request on my developer machine)
Called GoDaddy support who said I actually need a driver signing certificate rather than a code signing certificate. The cost was the same so they instantly switched my purchase.
It turns out there is an automatic process for generating a CSR on Windows, but you have to use Internet Explorer for that. Apparently, the cryptographic stuff is somehow handled transparently by Internet Explorer and the GoDaddy website. I would love to know more about what is actually going on there.
As part of the process you need to provide the legal name and official address / phone of the software publisher (my client in this case).
Once you submit the request, it has to be approved by GoDaddy (who should somehow verify that I am authorized by the publisher to sign code on its behalf).
Next steps
I assume GoDaddy will need to receive some documents from the publisher. I'd love to know how that process works and how long it takes.
Once the certificate is issued, I expect there will again be some easy way to install it on my development machine. Question: is there a way to move the keys and the certificate to another machine?
I also expect Visual Studio (I'm using 2012 Express edition for Windows 8) to be able to use the certificate when creating app packages. Will I need to do some special setup for that or will it be straightforward (part of the "Create app package" wizard) ?
Some of the details I've put on the certificate signing request will eventually be visible on the actual certificate (visible to the persons installing the application). Which ones?
After completing the process here are my own answers:
It turns out the GoDaddy support representative was wrong when
advising me to use a driver signing certificate. I needed a code signing certificate.
The certificate does not show the details of the contact person (which are included in the certificate signing request). You can see the certificate details before you submit the request (I missed it initially). In my case the details shown are the company name, city, state and country.
The documentation requirements depend on the company requesting the certificate (in some cases they may not need any documents at all). GoDaddy has very friendly support, so you should can the requirements from them. The process can take a few days to complete (but they may be able to help in doing it faster).
When using Internet Explorer both for the certificate request phase and installation phase, the process is seamless. I believe it uses Microsoft's Certificate Enrollment API (which is also described in this MSDN blog post)
As mentioned by JP Alioto, the process for using the certificate is described in the article "Signing an app package (Windows Store apps)". To use the new certificate in a specific project:
Open the projects .appxmanifest file
Go to the "Packaging" tab
Next to the publisher field, click "Choose Certificate"
In the dialog that pops up click "Configure Certificate" and select the drop down option "Pick from certificate store ..". The certificate should be available as one of the options.
To export a certificate, you can use the following process:
Run certmgr.msc
Locate the certificate
Right-click > All Tasks > Export to launch the certificate export wizard, which has an option to export the private key
Warning: the private key is supposed to be personal and you should protect it. It is probably OK if you copy it to another machine that you control (assuming nobody can snatch it in transit). Sharing it with someone else may be risky. I was not able to find information about how exactly the private key is used by Windows, but it may be a bad idea to have several people share a private key.
To import the certificate and private key from a PFX file, right click on the file in Windows Explorer, and elect "Install PFX". This will launch a straight-forward "Certificate Import Wizard".
Lots of stuff there. :) There are are few documents you need to read:
Deploying Metro style apps to businesses
How to Add and Remove Apps
Signing an app package (Windows Store apps)
Reading and understanding these documents will give you a better idea of what's going on. Are you sure the enterprise you're deploying for does not already have a trusted root certificate that they deploy to their desktop images? If they do, it may be easier to use that private key to sign the app. (The only reason a public certificate authority is recommended is that you will then not have to deploy the certificate to the target machines.)
You can move certificates (and private keys unfortunately) in the evil PFX format which is basically a PKCS #12 portable key file. But, be very careful how you move that file around. It contains both your public key and your encrypted private key.
I am having a strange problem which I've googled and googled with no result. I'm attempting to setup a certificate for a wcf service application on windows server 2008 R2. I've imported the certificate into the localmachine personal store, and I'm getting the dreaded
"Keyset does not exist...the certificate ... must have a private key that is capable of key exchange. The process must have access rights for the private keys."
I have tried to set the permissions on the private key, using the "Manage private keys" option in mmc, also tried setting the permissions on the private key file manually that is located in C:\programdata\microsoft\crypto\rsa\machinekeys. I verified I'm modifying the right file by using the findprivatekeys tool, and also tried using the WSE X.509 Certificate tool. For sanitys sake, I even gave read access to "Everyone" on the file, still doesn't work.
Is there something I'm missing here? I'm using IIS7 and I normally give access to the file for the IIS_IUSRS group. All of this has worked fine in other testing on VMs. I've even used the exact same certificate on other machines, and they work there...
I'm lost...The one thing I've noticed is that if I edit the permissions in the 'manage private keys' dialog, the security settings changes don't reflect when I look at the permissions for the file, and vice versa. Where else could the file be? Regardless, I gave max permissions from both places with no luck.
Not sure what was going on here, but over the course of testing, the permissions on the MachineKeys folder was drastically modified - so I removed permissions for all the users listed there except the Administrators group, deleted the problem certificate (through mmc) and re-imported it again. Then, I added IIS_IUSRS read and execute permission only for that private key, and I seem to be back up.
On a related note, I was using aspnet_regiis -pi to import a key pair for something else, which was failing with "Safe handle was closed." Fixing the permissions on the MachineKeys folder fixed that as well...
I am new to iPhone and need to generate certificate for my first app which supports APNS. I went through this and this site for help and i also am able to create the certificate but as soon as i append the certificate in my application on Xcode it gives me warning like
"profile doesn't match any valid certificate private key pair in the
default keychain"
I was been given a p12 certificate for development but now i am confused whether i need to use the same certificate or need to generate a new one for a new application? I know this question is asked many a time but i am really stuck at the point.
Kindly show me a path. Thanks in advance.
Make a new certificate request from the keychain tools. Upload that to the provisioning site and download the resulting certificate. Remember, the private key that corresponds to the certificate is embedded within the certificate request, so don't delete it before you export the private key.
Got the solution for the same problem,as i told i already went through all the steps but as per my knowledge what the problem was that the private key given to me was been generated through a windows os and hence was giving some problem. As a solution i deleted the development certificate and created again and solved the issue.Thanks bdares for the help.
I'd like to understand some of the best practices with respect to code signing. We have an Eclipse-based application and think it would be appropriate to sign our plug-ins. This raised a lot of questions:
Can/Should the private key be in
source control?
Should we sign the code as part of
our nightly build process or as part
of our release process?
Should the code be signed
automatically, or is there a reason
why that should be a manual step?
My inclination is to say, "Yes", "Nightly", and "Automatically", but I could see an argument for only signing the release products. I might even make the argument that SQA should sign the code after they have verified it, although that would really mess with our release process.
How do other people manage this?
It depends on how secure you want your private key to be, it might not be something that you want a temporary employee with source access to have full access to.
At my work, we do the following:
"Test sign" binaries as part of our daily builds with a checked in key. This requires a test root certificate to be on machines in order to trust the binaries, but they will not be trusted if the bits are deployed outside the company.
Weekly (and for external releases), we sign with the real key. This is done via a separate, somewhat manual process. Only a few people have access to the key to sign the product.
I can tell you how I've see this being done in a big corp. Individual developers could build the code, but they could not sign it. That would be a private build. Contiguos integration machine would drop nightly builds signed with a key stored on the build machine keystore, which would be a test key signed by a corporate certificate authority (ie. a key trusted only within the corp). The official build could be signed only by controlled machines with the official, global trusted authority signed, signature key stored in hardware modules in controled access room.
The idea is that a private key should realy have only one copy in the world (at most one extra for escrow). The whole value of the key is derived from its privacy, not from anything else. The moment is available to your entire org, is as good as putting it out on pirate bay.