Flipkart Search

Search This Blog

Saturday, November 7, 2009

Generate Apple Push Notification Certificate

Generating a Certificate Signing Request

To request an iPhone Development Certificate, you first need to generate a Certificate Signing Request (CSR) utilizing the Keychain Access application in Mac OS X Leopard. The creation of a CSR will prompt Keychain Access to simultaneously generate your public and private key pair establishing your iPhone Developer identity. Your private key is stored in the login Keychain by default and can be viewed in the Keychain Access application under the ‘Keys’ category. To generate a CSR:
  1. In your Applications folder, open the Utilities folder and launch Keychain Access.
  2. In the Preferences menu, set Online Certificate Status Protocol (OSCP) and Certificate Revocation List (CRL) to “Off”.
    Keychain Access Preferences
  3. Choose Keychain Access -> Certificate Assistant -> Request a Certificate from a Certificate Authority. Note: If you have a noncompliant private key highlighted in the Keychain during this process, the resulting Certificate Request will not be accepted by the Program Portal. Confirm that you are selecting “Request a Certificate From a Certificate Authority...” and not selecting “Request a Certificate From a Certificate Authority with …”

    Request a Certificate

  4. In the User Email Address field, enter your email address. Please ensure that the email address entered matches the information that was submitted when you registered as an iPhone Developer.
  5. In the Common Name field enter your name. Please ensure that the name entered matches the information that was submitted when you registered as an iPhone Developer.
  6. No CA (Certificate Authority) Email Address is required. The ‘Required’ message will be removed after completing the following step.
  7. Select the ‘Saved to Disk’ radio button and if prompted, select ‘Let me specify key pair information’ and click ‘Continue’.
    Certificate Information

  8. If ‘Let me specify key pair’ was selected, specify a file name and click ‘Save’. In the following screen select ‘2048 bits’ for the Key Size and ‘RSA’ for the Algorithm. Click ‘Continue’.
    Key Pair Information

  9. The Certificate Assistant will create a CSR file on your desktop.

Submitting a Certificate Signing Request for Approval

  1. After creating a CSR, log in to the iPhone Developer Program Portal and navigate to ‘Certificates’ > ‘Development’ and click ‘Add Certificate’.
  2. Click the ‘Choose file’ button, select your CSR and click ‘Submit’. If the Key Size was not set to 2048 bits during the CSR creation process, the Portal will reject the CSR.
  3. Upon submission, Team Admins will be notified via email of the certificate request.
  4. Once your CSR is approved or rejected by a Team Admin, you will be notified via email of the change in your certificate status.
    Submit Certificate Signing Request

Approving Certificate Signing Requests

  1. After submitting a CSR for approval, Team Admins will be directed to the ‘Development’ tab of the ‘Certificates’ section. Here, CSRs can be approved or rejected by clicking the corresponding action next to each request.
  2. Once a CSR is approved or rejected, the requesting Team Member is notified via email of the change in their certificate status. Each iPhone Development Certificate is available to both the Team Member who submitted the CSR for approval and to the Team Admin(s).
    Downloading and Installing Development Certificates

Downloading and Installing Development Certificates

  1. In the ‘Certificates’ > ’Distribution’ section of the Portal, control-click the WWDR Intermediate Certificate link and select “Saved Linked File to Downloads” to initiate download of the certificate.
  2. On your local machine, double-click the WWDR Intermediate certificate to launch Keychain Access and install.
  3. Upon CSR approval, Team Members and Team Admins can download their certificates via the ‘Certificates’ section of the Program Portal. Click ‘Download’ next to the certificate name to download your iPhone Development Certificate to your local machine.
  4. On your local machine, double-click the downloaded .cer file to launch Keychain Access and install your certificate.
  5. Team Members can only download their own iPhone Development Certificates. Team Admins have the authority to download the public certificates of all of their Team Members. Apple never receives the private key for a CSR. The private keys are not available to anyone except the original key pair creator and are stored in the system keychain of that Team Member.
    Keychain Access - Add Certificate
    Keychain Access - Certificate Issued

Generating an App ID

  1. Team Agents or Team Admins should navigate to the ‘App ID’ section of the Program Portal.
  2. Click ‘Add ID’.
  3. Enter a common name for your App ID. This is a name for easy reference and identification within the Program Portal.
  4. Enter a Bundle Identifier in the free-form text field. The recommended usage is a reverse-domain name style string, e.g., com.domainname.applicationname. For a suite of applications sharing the same Keychain access, you should use a wild-card character in the Bundle Identifier (e.g. com.domainname.* or *). This Bundle Identifier will need to match whatever CF Bundle Identifier you use for your application in Xcode.
  5. You need to create an App ID without .* in the iPhone developer Portal. An App ID without .* means its unique and works only for a single application(for Push-Notification).
  6. Click ‘Submit’. At this time, the 10 character Bundle Seed ID is generated and concatenated with the Bundle Identifier you entered. This resulting string is your App ID. Note: The Bundle Seed ID does not need to be entered into Xcode.
    Create App ID

  7. Generate a new App ID for each set of applications with shared Keychain Access needs. If you are creating a suite of applications that will share the same Keychain access (e.g. sharing passwords between applications) or have a set of applications with no Keychain Access requirements, create a single App ID for all applications utilizing a trailing asterisk as a wild-card character.

Registering an App ID for Apple Push Notification service

  1. In the App ID section of the Program Portal, locate the App ID you wish to use with the Apple Push Notification service. Only App IDs with a specific bundle ID can be used with the APNs. You cannot use a “wild-card” application ID. You must see “Available” under the Apple Push Notification service column to register this App ID and configure a certificate for this App ID.
  2. Click the 'Details' link next to your desired App ID.
  3. In the Configure App ID page, check the Enable Push Notification Services box and click the Configure button. Clicking this button launches the APNs Assistant, which guides you through the next series of steps that create your App ID specific Client SSL certificate.

  4. Download the Client SSL certificate file to your download location. Navigate to that location and double-click the certificate file (which has an extension of cer) to install it in your keychain.
  5. When you are finished, click Done in the APNS Assistant.
  6. Double-clicking the file launches Keychain Access. Make sure you install the certificate in your login keychain on the computer you are using for provider development. The APNs SSL certificate should be installed on your notification server.
  7. When you finish these steps you are returned to the Configure App ID page of the iPhone Dev Center portal. The certificate should be badged with a green circle and the label “Enabled”.
  8. To complete the APNs set-up process, you will need to create a new provisioning profile containing your APNs-enabled App ID.

Creating a Development Provisioning Profile

  1. In the ‘Provisioning’ section of the Portal, Team Admins should click 'Add' on the Development tab.
  2. Enter a name for the provisioning profile.
  3. Specify which devices will be associated with the provisioning profile. You must specify a device in order for that device to utilize the provisioning profile. If a device's UDID is not included in the provisioning profile the profile and your application cannot be installed on that device.
  4. Specify which iPhone Development Certificates will be associated with the provisioning profile. You must specify an iPhone Development Certificate in order for the application code signed with that same certificate to run on the device.
  5. Specify a single App ID for the Development Provisioning Profile. Each Development Provisioning Profile can specify only ONE App ID, therefore, if you have applications requiring different Keychain access, you will need to create a separate Development Provisioning Profile for each of those applications. If you are installing a suite of applications with the same required Keychain access or have a set of applications not requiring access to the Keychain, use an App ID containing the wild-card asterisk character to build all of your applications.
  6. Click ‘Submit’ to generate your Development Provisioning Profile.

    Create Development Provisioning Profile

Installing a Development Provisioning Profile

All Team Agents, Admins and Members can download a Development Provisioning Profile from the ‘Provisioning’ section of the Portal after it has been created. Only those developers whose Apple device IDs and iPhone Development Certificates are included in the provisioning profile will be able to install and test their application on their device.
  1. In the ‘Provisioning’ section of the Program Portal, click the download button next to the desired provisioning profile.
  2. Drag the downloaded file onto the Xcode application icon in the dock or into the ‘Organizer’ window within Xcode. This will automatically copy the .mobileprovision file to the proper directory. Alternatively, you can drag the .mobileprovision file onto the iTunes icon in the dock or copy the file to ‘~/Library/MobileDevice/Provisioning Profiles’. If the directory does not exist you will need to create it. Click on the ‘+’ button in the Provisioning section of the Organizer window to install your .mobileprovision file.
    Provisioning Profile in Xcode
    Provisioning Profile in Finder

Building and Installing your Development Application

Now that you have an approved iPhone Development Certificate, an assigned Apple device and a properly installed Development Provisioning Profile, Xcode can now build your application and install it on your development device. If you have a single iPhone Development Certificate and iPhone Development Provisioning Profile, you don’t need to change any settings in Xcode to start running your applications. To compile and install your code:
  1. Launch Xcode and open your project.
  2. In the Project Window, select ‘Device - iPhone OS’ from the ‘Device | Debug’ drop down menu in the upper-left hand corner.

    Select Device
  3. Highlight the project Target and select the ‘Info’ icon from the top menu bar.
    Select Project Info
  4. In the Target Info window, navigate to the ‘Build’ pane. Click the ‘Any iPhone OS Device’ pop-up menu below the ‘Code Signing Identity’ field and select the iPhone Development Certificate/Provisioning Profile pair you wish to sign and install your code with. Your iPhone Development certificate will be in bold with the Provisioning Profile associated with it in grey above. In the example below, ‘iPhone Developer: Team Leader’ is the Development Certificate and ‘My First Development Provisioning Profile’ is the .mobileprovision file paired with it.
    Select Development Profile
    Note: If the private key for your iPhone Development certificate is missing, or if your iPhone Development certificate is not included in a provisioning profile, you will be unable to select the iPhone Development Certificate/Provisioning Profile pair and you will see the following. Re-installing the private key or downloading a provisioning profile with your iPhone Development certificate included in it will correct this.
    Missing Certificate Error
  5. In the Properties Pane of the Target Info window, enter the Bundle Identifier portion of your App ID. If you have used an explicit App ID you must enter the Bundle Identifier portion of the App ID in the Identifier field. For example enter com.domainname.applicationname if your App ID is A1B2C3D4E5.com.domainname.applicationname. If you have used a wildcard asterisk character in your App ID, replace the asterisk with whatever string you choose.

    Enter the Bundle Identifier

Installing the SSL Certificate and Key on the Server

You should install the SSL distribution certificate and private cryptographic key you obtained earlier on the
server computer on which the provider code runs and from which it connects with the sandbox or production
versions of APNs. To do so, complete the following steps:
1. Open Keychain Access utility and click the My Certificates category in the left pane.
2. Find the certificate you want to install and open its disclosure triangle.
When you open the disclosure triangle, you'll see both a certificate and a private key.
3. Select both the certificate and key,select ExportItems from the File menu,and export them as a Personal
Information Exchange(.p12)file.
4. Copy the.p12 file to the new computer.
5. On Mac OSX and Mac OSX Server systems, double-click the.p12 file to install it in the keychain on the
new computer.
6. If you use a windows based server follow below steps.
7. You have imported the aps_developer_identity.cer to the keychain. Then you have to export these new cert and the private key of this cert (not the public key) and saved as .p12 files.
8. Then you use these commands to generate the cert and key in Mac’s Terminal for PEM format (Privacy Enhanced Mail Security Certificate)
openssl pkcs12 -clcerts -nokeys -out cert.pem -in cert.p12
openssl pkcs12 -nocerts -out key.pem -in key.p12

9. The cert.pem and key.pem files will be used by your own program communicating with APNS.
10. If you want to remove the passphase of private key in key.pem, do this
openssl rsa -in key.pem -out key.unencrypted.pem
Then combine the certificate and key
cat cert.pem key.unencrypted.pem > ck.pem
But please set the file permission of this unencrypted key by using chmod 400 and is only readable by root in a sever configuration.


pRaMoD said...

I didnt found the “‘Certificates’ > ‘Development’ and click ‘Add Certificate’”. I didnt find the Add Certificate button in the certificate. Instead of this I found following content in the Certificates->Development.

You currently do not have a valid certificate Request Certificate

*If you do not have the WWDR intermediate certificate installed, click here to download now.

Any info what does these links means. Actually in the “How to ” section of the site, it shows to upload the csr generated file. I didnt have any option to upload the csr.

Do any one know about this issue…??

Wildcard SSL Certificate said...

Useful material discussed I’m very pleased to go through this post..many thanks with regard to presenting us great info.Excellent walk-through. I truly appreciate this kind of write-up.

Cheapest SSL said...

it's really informative source in concern of SSL certificate security. We really pleased to use it in SSL installation education blog. Thank you so much for sharing it!