I am new to iPhone and need to generate a certificate for my first app, which supports APNS. I went through this and this site for help and I am also able to create the certificate, but as soon as I append the certificate in my application on Xcode it gives me a warning like
"profile doesn't match any valid certificate private key pair in the default keychain"
I was given a p12 certificate for development, but now I am confused whether I need to use the same certificate or need to generate a new one for a new application? I know this question is asked many a time, but I am really stuck at this point.
Kindly show me a path. Thanks in advance.
Make a new certificate request from the keychain tools. Upload that to the provisioning site and download the resulting certificate. Remember, the private key that corresponds to the certificate is embedded within the certificate request, so don't delete it before you export the private key.
Got the solution for the same problem. As I said, I had already gone through all the steps, but as per my knowledge the problem was that the private key given to me had been generated on a Windows OS and hence was giving some problem. As a solution I deleted the development certificate and created it again, which solved the issue. Thanks bdares for the help.
I am using certs from an issuer called AlphaSSL. I just recently realised that my pages show an invalid certificate error on page load. Further investigation shows that the intermediate certificate that binds my cert to GlobalSign's root certificate has been revoked. I checked and there is a new intermediate certificate on their site, but I am not sure I should download it as their download page is secured with the same revoked certificate.
UPDATE:
I got a boilerplate email from support, they reckon clearing the CRL cache should fix the issue. I wonder though, is this really doable, can they 'unrevoke' the certificate? How can I check their revocation list and how can I force the propagation of the undo to my CRL (other than clearing the cache)?
UPDATE2:
I received another email that references this page. Long story short, they are busy shoveling the sh*t back to the horse, browser ubiquity yadda-yadda, you should change the interim cert to a new one, but if you have AlphaSSL or CloudSSL, then you're sheesh out of luck, no cert for you.
Does not say where to claim your money back.
GlobalSign is currently experiencing issues which result in certificates being marked as revoked:
https://twitter.com/globalsign/status/786505261842247680
I got a reply from their support staff:
Hello,
Thank you for getting in touch with the GlobalSign Support Team
We thank you for bringing this to our attention. We are aware of the
issue you described and are in the process of investigating the matter
further.
We would like to ask for the below details so we can provide these to
the team investigating the issue.
Operating system & version:
Browsers & version:
For the latest updates on the issue, please follow the below link:
https://twitter.com/gssystemalerts
We will let you know as soon as the issue has been resolved.
Thanks.
Best Regards,
Janice Tablarin
GlobalSign Support Team
Some boilerplate response, I reckon. If the trust has gone from the cert that signed a zillion other certs, then it's not a client/browser issue.
This is a follow up to this issue HERE.
After creating new SSL certificates, I created new certs specifically for PayPal use. I have three certificates in play for PayPal, which are the private key set to 440, the public key set to 644, and the PayPal key that I downloaded after uploading the public key, and that key is also set to 644. I also copied over the Cert ID.
All keys are being used as proven by my logging, however I am getting the infamous:
"We were unable to decrypt the certificate id"
There shouldn't be any copy paste issues (as I've seen others discuss) since I downloaded and uploaded everything without needing to copy/paste anything.
I am miffed as to what could be the problem. Any ideas?
This is resolved. The issue was just a configuration mis-step. I still wonder why and wonder if it is safe to allow a www-data readable on one of the private keys.
I need to sign an enterprise Windows Store app I've developed, so that users can sideload it onto their devices.
I'm in the process of obtaining a code signing certificate from GoDaddy. A lot of the next steps are still hazy for me - any additional details will be appreciated.
What I've done so far
The application is tested, and I was able to deploy it on machines that have a developer license.
Purchased a code signing certificate from GoDaddy but didn't know what to do next (based on past experience I thought I needed to generate a key pair and a certificate signing request on my developer machine).
Called GoDaddy support who said I actually need a driver signing certificate rather than a code signing certificate. The cost was the same so they instantly switched my purchase.
It turns out there is an automatic process for generating a CSR on Windows, but you have to use Internet Explorer for that. Apparently, the cryptographic stuff is somehow handled transparently by Internet Explorer and the GoDaddy website. I would love to know more about what is actually going on there.
As part of the process you need to provide the legal name and official address / phone of the software publisher (my client in this case).
Once you submit the request, it has to be approved by GoDaddy (who should somehow verify that I am authorized by the publisher to sign code on its behalf).
Next steps
I assume GoDaddy will need to receive some documents from the publisher. I'd love to know how that process works and how long it takes.
Once the certificate is issued, I expect there will again be some easy way to install it on my development machine. Question: is there a way to move the keys and the certificate to another machine?
I also expect Visual Studio (I'm using 2012 Express edition for Windows 8) to be able to use the certificate when creating app packages. Will I need to do some special setup for that or will it be straightforward (part of the "Create app package" wizard) ?
Some of the details I've put on the certificate signing request will eventually be visible on the actual certificate (visible to the persons installing the application). Which ones?
After completing the process here are my own answers:
It turns out the GoDaddy support representative was wrong when advising me to use a driver signing certificate. I needed a code signing certificate.
The certificate does not show the details of the contact person (which are included in the certificate signing request). You can see the certificate details before you submit the request (I missed it initially). In my case the details shown are the company name, city, state and country.
The documentation requirements depend on the company requesting the certificate (in some cases they may not need any documents at all). GoDaddy has very friendly support, so you can get the requirements from them. The process can take a few days to complete (but they may be able to help in doing it faster).
When using Internet Explorer both for the certificate request phase and installation phase, the process is seamless. I believe it uses Microsoft's Certificate Enrollment API (which is also described in this MSDN blog post)
As mentioned by JP Alioto, the process for using the certificate is described in the article "Signing an app package (Windows Store apps)". To use the new certificate in a specific project:
Open the project's .appxmanifest file
Go to the "Packaging" tab
Next to the publisher field, click "Choose Certificate"
In the dialog that pops up click "Configure Certificate" and select the drop down option "Pick from certificate store ..". The certificate should be available as one of the options.
To export a certificate, you can use the following process:
Run certmgr.msc
Locate the certificate
Right-click > All Tasks > Export to launch the certificate export wizard, which has an option to export the private key
Warning: the private key is supposed to be personal and you should protect it. It is probably OK if you copy it to another machine that you control (assuming nobody can snatch it in transit). Sharing it with someone else may be risky. I was not able to find information about how exactly the private key is used by Windows, but it may be a bad idea to have several people share a private key.
To import the certificate and private key from a PFX file, right-click on the file in Windows Explorer and select "Install PFX". This will launch a straightforward "Certificate Import Wizard".
Lots of stuff there. :) There are a few documents you need to read:
Deploying Metro style apps to businesses
How to Add and Remove Apps
Signing an app package (Windows Store apps)
Reading and understanding these documents will give you a better idea of what's going on. Are you sure the enterprise you're deploying for does not already have a trusted root certificate that they deploy to their desktop images? If they do, it may be easier to use that private key to sign the app. (The only reason a public certificate authority is recommended is that you will then not have to deploy the certificate to the target machines.)
You can move certificates (and private keys unfortunately) in the evil PFX format which is basically a PKCS #12 portable key file. But, be very careful how you move that file around. It contains both your public key and your encrypted private key.
I have created my own key (public/private) via keychain access.
But my company has already created a provisioning profile and developer certificate, which I downloaded (after logging in) and installed in my Xcode and on the iPhone as well.
But when I try to run on the iPhone, it says "There are no valid certificate/private key pairs in the default keychain".
I have also set the bundle identifier name correctly in info.plist, but what am I doing wrong?
Is it that I should somehow add my own Mac key pair somewhere so that it matches, since the certificate was already created by the company?
Could anyone help or suggest where I am going wrong? I have searched forums; they all simply do not match my problem and mislead in other ways.
Thanks in advance.
You need the private key for the developer certificate that you have downloaded. The error "There are no valid certificate/private key pairs in the default keychain" means you don't have the private key.
You say "my company already have created a [...] developer certificate", which sounds like they have created a developer certificate for you. If that is the case, they need to send you the private key because you won't have this by default.
Generally it should be up to each individual developer to make a certificate signing request and generate the development certificate in the provisioning portal. There's no reason for the company to do that for you.
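The check behind both Xcode keychain errors on this page, as an added example that is not from the original posts: a certificate forms a usable signing identity only with the private key whose public half it carries. It runs OpenSSL on constructed throwaway keys, with a self-signed certificate standing in for the one the provisioning portal issues; all file and function names are assumptions.

```bash
#!/usr/bin/env bash
# Added example; every key and certificate below is a constructed throwaway.

# Public key (PEM) derived from a private key, a CSR, or a certificate.
key_pub()  { openssl pkey -in "$1" -pubout 2>/dev/null; }
csr_pub()  { openssl req  -in "$1" -noout -pubkey 2>/dev/null; }
cert_pub() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# Exit 0 when the certificate's public key equals the one derived from the
# private key, 1 on mismatch, 2 when either file cannot be parsed.
cert_matches_key() {
  local c k
  c=$(cert_pub "$1") || return 2
  k=$(key_pub "$2")  || return 2
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# Recreate the thread's situation in directory $1: the company generated the
# key and CSR, the developer only holds an unrelated key of their own.
make_samples() {
  local d=$1
  openssl genrsa -out "$d/company.key" 2048 2>/dev/null
  openssl genrsa -out "$d/mine.key" 2048 2>/dev/null
  openssl req -new -key "$d/company.key" -subj "/CN=constructed-dev" -out "$d/company.csr"
  # Self-signed stand-in for the certificate the portal would issue from the CSR.
  openssl req -new -x509 -key "$d/company.key" -subj "/CN=constructed-dev" \
    -days 1 -out "$d/dev.crt"
}

work=$(mktemp -d)
make_samples "$work"
if [ "$(csr_pub "$work/company.csr")" = "$(key_pub "$work/company.key")" ]; then
  echo "company.csr carries the public half of company.key"
fi
if cert_matches_key "$work/dev.crt" "$work/company.key"; then
  echo "dev.crt + company.key: valid certificate/private key pair"
fi
if ! cert_matches_key "$work/dev.crt" "$work/mine.key"; then
  echo "dev.crt + mine.key: no valid pair, the matching private key is missing"
fi
```
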
I currently have a wildcard SSL certificate running on IIS 6 that needs to be renewed. The new certificate bit-strength is now 2048 (the current one that needs to be renewed is 1024). Is there any easy way to get a certificate request file that is 2048 bit when renewing from a 1024?
I don't see the option to change bit strength for renewing an SSL certificate (I only see this when creating a totally new one from scratch).
I recently had to do this very same thing, and the way I did it was I had to remove the current certificate completely, then add a new certificate fresh, otherwise, I could not figure out how to update the CSR from 1024 to 2048, which is now a requirement.
So, to answer your question, remove the current certificate first (this might be tricky if it's a busy online store), then go through the wizard and switch the CSR from 1024 to 2048.
Not the best answer, I know, but the only one I could seem to find right off (and the easiest)
Be warned about trying to get clever with this one. I just got myself in a big mess trying to do exactly this same thing without any downtime.
What I did was:
Created another website and generated a cert request for that. Made sure to put in the correct common name when generating the request.
I downloaded the certificate that was generated and installed it in my 'Personal' certificates for the Local Computer account (after adding certificate snap in).
Did 'replace' on the main website for the certificate and chose the new updated one.
I ended up getting this error (as reported by Chrome) when accessing the https site.
(net::ERR_SSL_PROTOCOL_ERROR): Unknown error
After playing around and switching back to the original certificate I ended up just removing it and re-keying the certificate. It only led to 1-2 minutes of downtime.
I do think that if you do what I was attempting in the correct order you'd be fine. I think you need to export the .pfx file and then import that. I think what's happening is the original server didn't have the correct private key or something like that and was getting confused.
So I'm upvoting calweb :-)
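The re-key route both answers ended up taking, sketched with OpenSSL instead of the IIS wizard (an added example, not from the original posts): a CSR carries the public key of one specific key pair, so going from 1024 to 2048 bits means a new pair and a new CSR, and the issued certificate then travels together with its key as a PFX. The common name, file names, helper names and password are constructed, and a self-signed certificate stands in for the CA-issued one.

```bash
#!/usr/bin/env bash
# Added example using OpenSSL; keys, names and the password are constructed.

# Extract the key size from the "Public-Key: (N bit)" line of openssl -text output.
bits() { sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'; }
csr_bits() { openssl req -in "$1" -noout -text | bits; }

# New key pair of $3 bits and a CSR for common name $2, written into directory $1.
new_csr() {
  openssl genrsa -out "$1/$3.key" "$3" 2>/dev/null
  openssl req -new -key "$1/$3.key" -subj "/CN=$2" -out "$1/$3.csr"
}

# Bundle key $1 and certificate $2 into PFX $3; the password is read from
# $PFX_PASS so that it does not appear on the command line.
make_pfx() {
  openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" -passout env:PFX_PASS
}

# Key size of the certificate inside PFX $1; non-zero exit on a wrong password.
pfx_cert_bits() {
  local pem
  pem=$(openssl pkcs12 -in "$1" -passin env:PFX_PASS -nokeys 2>/dev/null) || return 1
  printf '%s\n' "$pem" | openssl x509 -noout -text | bits
}

# Whole re-key flow in directory $1; prints "<old bits> <new bits> <pfx bits>".
rekey_demo() {
  local d=$1 cn='*.example.test'
  new_csr "$d" "$cn" 1024   # stands in for the expiring certificate's key pair
  new_csr "$d" "$cn" 2048   # the re-key: a new pair, hence a new CSR
  # Self-signed stand-in for the certificate the CA would issue from 2048.csr.
  openssl x509 -req -in "$d/2048.csr" -signkey "$d/2048.key" -days 1 \
    -out "$d/2048.crt" 2>/dev/null
  make_pfx "$d/2048.key" "$d/2048.crt" "$d/2048.pfx"
  echo "$(csr_bits "$d/1024.csr") $(csr_bits "$d/2048.csr") $(pfx_cert_bits "$d/2048.pfx")"
}

export PFX_PASS='constructed-sample-password'
rekey_demo "$(mktemp -d)"
```
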