Sasha Sasha - 16 days ago 5x
iOS Question

AWS/Apple Push certificate -- error setting private key

I'm attempting to follow these instructions to set up my S3 API to send push notifications to my iOS app.

I'm making a mess of the certificate issues, so I was hoping someone could help sort me through them.

So far, I've created a CSR, uploaded it to Apple Dev portal, and downloaded a

file. I then converted the
into a

openssl x509 -in apns-dev.cer -inform DER -out apns-dev.pem

Then I ran into the instruction to "Open Keychain Access, select Keys, and then highlight your app private key." Not knowing what my "app private key" was, I've tried a couple things:

  1. Grabbing the preexisting private-key file in the app's cert folder (an RSA private key which was not, to my knowledge, used to generate the above CSR).

  2. Exporting my default system private key as a
    and then converting it, per AWS instructions, into a

  3. Trying to generate a new CSR directly from my system private key in Keychain Access

However, whenever I follow the instructions to "test" the private/public key pair (
openssl s_client -connect -cert apns-dev.pem -key apns-private.pem
), I get this:

error setting private key
41047:error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:/BuildRoot/Library/Caches/

I've looked at the following questions, but haven't been able to use their answers to figure this out:

Any idea what could be going on? I'm just shooting in the dark here.


Don't use Apple's instructions to generate the CSR.

  1. Generate key:

    openssl genrsa -out $app.key 2048
  2. Generate CSR:

    openssl req -new -key $app.key -out $app.csr

    And enter the relevant data.

  3. Upload CSR to Apple. Download certificate.

  4. Convert certificate to PEM:

    openssl x509 -inform DER -in $app.cer -out $app.pem

Now you have the key in $app.key, and a PEM-encoded certificate in $app.pem. You can then install both on the box that will be connecting to APNS (depending on the software you use, they might be separate files, or you may just append the key to the certificate file).