Sasha Sasha - 2 months ago 23

AWS/Apple Push certificate -- error setting private key

I'm attempting to follow these instructions to set up my S3 API to send push notifications to my iOS app.

I'm making a mess of the certificate issues, so I was hoping someone could help sort me through them.

So far, I've created a CSR, uploaded it to Apple Dev portal, and downloaded a .cer file. I then converted the .cer into a .pem:

    openssl x509 -in apns-dev.cer -inform DER -out apns-dev.pem

Then I ran into the instruction to "Open Keychain Access, select Keys, and then highlight your app private key." Not knowing what my "app private key" was, I've tried a couple things:


  1. Grabbing the preexisting private-key file in the app's cert folder (an RSA private key which was not, to my knowledge, used to generate the above CSR).

  2. Exporting my default system private key as a .p12 and then converting it, per AWS instructions, into a .pem key.

  3. Trying to generate a new CSR directly from my system private key in Keychain Access.



However, whenever I follow the instructions to "test" the private/public key pair with

    openssl s_client -connect gateway.sandbox.push.apple.com:2195 -cert apns-dev.pem -key apns-private.pem

I get this:

error setting private key
41047:error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-59.60.1/src/crypto/x509/x509_cmp.c:406:


I've looked at the following questions, but haven't been able to use their answers to figure this out:



Any idea what could be going on? I'm just shooting in the dark here.

Answer

Don't use Apple's instructions to generate the CSR.

  1. Generate key:

    openssl genrsa -out $app.key 2048      # $app is your app's name; this key stays on your machine
    
  2. Generate CSR:

    openssl req -new -key $app.key -out $app.csr   # CSR signed with the key from step 1
    

    And enter the relevant data.

  3. Upload CSR to Apple. Download certificate.

  4. Convert certificate to PEM:

    openssl x509 -inform DER -in $app.cer -out $app.pem   # Apple's .cer is DER; convert to PEM
    

Now you have the key in $app.key, and a PEM-encoded certificate in $app.pem. You can then install both on the box that will be connecting to APNS (depending on the software you use, they might be separate files, or you may just append the key to the certificate file).
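The "key values mismatch" error in the question means the public key inside the certificate is not the public half of the private key being offered, which is exactly what happens when a certificate issued for one CSR is paired with an unrelated key from Keychain Access. The script below is an added example (not part of the question or the answer above) that checks a key/certificate pair offline before it ever goes near openssl s_client, and also shows how to pull a PEM key out of a Keychain .p12 export so it can be checked the same way. It assumes only that openssl is on PATH; since Apple's portal can't be reached offline, it constructs a self-signed certificate and an unrelated key to stand in for the real APNS certificate and a stray Keychain key.

```shell
#!/bin/sh
# Added example: verify that a private key belongs to a certificate.
# Not code from the question, the answer, or AWS/Apple documentation.
set -eu

# Compare the public key embedded in the certificate with the public key
# derived from the private key. Exit 0 on a match, 1 on a mismatch,
# 2 if either file cannot be parsed as PEM.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Extract the private key from a .p12 (what Keychain Access exports) into
# an unencrypted PEM file so it can be checked like any other key.
#   $1 = .p12 file   $2 = export password   $3 = output PEM key path
pem_key_from_p12() {
    openssl pkcs12 -in "$1" -nocerts -nodes -passin "pass:$2" -out "$3" 2>/dev/null
}

# Constructed material (hypothetical names): a self-signed certificate stands
# in for the one Apple would issue against right.key; other.key plays the
# role of an unrelated "default system" key from Keychain Access.
DEMO=$(mktemp -d)
openssl genrsa -out "$DEMO/right.key" 2048 2>/dev/null
openssl req -new -x509 -key "$DEMO/right.key" -subj "/CN=apns-demo" \
    -days 1 -out "$DEMO/cert.pem" 2>/dev/null
openssl genrsa -out "$DEMO/other.key" 2048 2>/dev/null

# Round-trip the correct key through a .p12, as a Keychain export would.
openssl pkcs12 -export -inkey "$DEMO/right.key" -in "$DEMO/cert.pem" \
    -passout pass:demo -out "$DEMO/right.p12" 2>/dev/null
pem_key_from_p12 "$DEMO/right.p12" demo "$DEMO/from_p12.key"

for k in right other from_p12; do
    if key_matches_cert "$DEMO/cert.pem" "$DEMO/$k.key"; then
        echo "$k.key: matches cert.pem"
    else
        echo "$k.key: does NOT match cert.pem (s_client would say 'key values mismatch')"
    fi
done
```

Run this check on apns-dev.pem and whichever key file you intend to use before trying s_client; only a key that passes it can be the one the CSR was generated from. On the OpenSSL 0.9.8 build shown in the error message, `openssl pkey` is not available; `openssl rsa -in key.pem -pubout` gives the same public key for an RSA key.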