如何在没有钥匙串的情况下创建Apple Push证书？

Question

我没有任何可用的OSX设备，但希望启用将推送通知发送到iOS设备（第三方要实施的应用程序）。我的计划是使用Parse作为推送通知服务，他们只有instructions that use Keychain可用。

我尝试了我的运气，但他们的Web应用程序总是拒绝我的请求，而且我可以在网上找到的所有指南仅引用Keychain应用程序。

我最初尝试的命令是：

openssl req -out CSR.csr -new -newkey rsa:2048 -nodes -keyout privateKey.key 

然后，我填写了我提示的所有字段。这是上传CSR至Apple Push Certificates Portal后的结果：

的“正确的格式”链接指向IT management page。

Answer 1

再次遇到KeyChain问题后，我终于花时间再试一次。

@ JWW的做法似乎没什么问题，不知道为什么它没有工作，但是这就是我们现在使用它的工作好：

# Generate a private key 
openssl genrsa -out aps-production.key 2048 
# Generate a signing request 
openssl req -new -sha1 -key aps-production.key -subj '/emailAddress=my@email.address CN=My Certificate Name C=DE' -out aps-production.csr 

确保使用正确的C=XX国家代码在主题。

此外，请注意，在MinGW/MYSYS（用于Windows上的Git Bash），you'll have to escape the subject differently。

Answer 2

如何在没有钥匙串的情况下创建Apple Push证书？

这取决于你想用什么，而是你没有指定要使用的（比不钥匙扣等）是什么。

下面的说明将为您提供CSR，但Apple必须签署并提供证书（如果我正确阅读Programming Apple Push Notification Services）。

---

我想我的运气，但他们的Web应用程序总是拒绝我的请求，并引导所有我能找到的网上仅供参考钥匙扣应用。

原谅我的无知......你有iOS开发者帐户吗？

---

以下是Keychain生成的CSR的外观。从旧的（或者电流）的开发者帐户的（我改变了垃圾堆里的姓名和电子邮件地址）：

$ openssl req -text -in CertificateSigningRequest.certSigningRequest 
Certificate Request: 
    Data: 
     Version: 0 (0x0) 
     Subject: emailAddress=jdoe@example.com, CN=John Doe, C=US 
     Subject Public Key Info: 
      Public Key Algorithm: rsaEncryption 
       Public-Key: (2048 bit) 
       Modulus: 
        00:c4:c7:10:f4:62:74:f3:41:57:b6:1e:c7:23:51: 
        8d:bc:7c:6e:14:52:f3:c9:44:92:46:be:64:10:ec: 
        c8:cf:45:a6:7c:35:09:2d:b7:a0:f9:0b:9c:7a:cb: 
        f9:ba:49:de:cf:fa:0c:d5:5b:cc:cc:02:41:8c:d0: 
        e7:79:57:0a:46:b6:9c:99:b2:ae:3e:0e:a6:35:35: 
        f3:b8:7a:96:0c:25:eb:cf:7e:9a:d3:88:f1:49:ad: 
        80:3d:42:f2:6b:86:a3:1b:5e:34:fa:49:77:ea:f4: 
        e6:3c:af:c5:5d:32:ec:63:fe:c5:e9:ff:0f:f3:42: 
        f6:c0:d9:b5:90:27:ab:57:e2:2d:8b:23:ab:d3:90: 
        3e:40:74:fc:80:a3:ed:70:ec:e2:27:a3:64:fa:f8: 
        f7:28:b2:66:8e:ab:fa:aa:13:a2:53:ba:b4:7e:15: 
        61:a5:79:46:66:c8:d6:3e:0b:37:9a:a7:eb:53:91: 
        3b:fc:d8:52:14:51:99:8e:6e:c6:57:a0:95:d4:4f: 
        f7:1d:fc:66:b2:a2:f1:dd:ff:83:46:2b:09:3e:87: 
        d0:c2:d7:5e:27:0f:ff:78:9f:e8:6a:32:61:54:f0: 
        d1:e8:d1:5c:1c:b5:01:8e:2b:51:04:ac:4a:15:d3: 
        12:3f:71:fb:e3:8d:da:6d:2a:00:9d:06:bd:e8:3e: 
        5b:7d 
       Exponent: 65537 (0x10001) 
     Attributes: 
      a0:00 
    Signature Algorithm: sha1WithRSAEncryption 
     3e:4e:ce:7a:db:16:23:93:60:02:4b:23:6d:a3:46:fb:62:01: 
     18:9e:a6:ce:d7:6e:c9:14:16:47:e8:63:ca:5c:a0:f2:ca:b1: 
     61:6d:72:38:ce:1b:17:ee:f8:51:f8:34:a1:53:25:2c:f1:a2: 
     ed:44:0c:62:ca:d9:14:82:8b:24:5d:0e:ea:38:2d:01:09:65: 
     d8:9e:41:ec:84:fe:ac:f3:cd:d7:df:06:a6:30:fe:12:d8:c6: 
     e5:ed:b0:fc:f3:7a:6d:83:b4:d5:f2:77:4f:75:22:27:15:27: 
     e1:00:ed:70:e5:e8:5d:2f:2a:18:ad:c0:fb:4e:f8:d5:6d:68: 
     1b:0a:44:81:de:5c:1c:07:46:b8:e1:9c:64:c9:9a:14:55:90: 
     00:c0:6b:90:ed:bb:c9:92:50:9c:c1:6f:f6:a0:bf:b4:25:b7: 
     0c:e4:69:b5:30:29:29:f8:3c:a9:0b:b1:37:71:7c:53:d0:45: 
     65:8a:24:34:6f:25:ab:ff:63:cb:8d:a7:62:f9:c8:58:a9:b4: 
     f0:8a:c2:5e:fc:74:06:e2:d5:38:05:d5:4e:ef:67:42:f9:f8: 
     7f:b5:6c:0e:07:31:15:c3:b5:a3:61:fb:be:7d:9c:3c:b0:b4: 
     01:8c:33:e8:86:07:9e:9a:72:af:22:f3:ab:a0:33:1f:f6:5f: 
     43:a1:35:8f 
-----BEGIN CERTIFICATE REQUEST----- 
MIICjjCCAXYCAQAwSTEhMB8GCSqGSIb3DQEJARYSbm9sb2FkZXJAZ21haWwuY29t 
MRcwFQYDVQQDDA5KZWZmcmV5IFdhbHRvbjELMAkGA1UEBhMCVVMwggEiMA0GCSqG 
SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDExxD0YnTzQVe2HscjUY28fG4UUvPJRJJG 
vmQQ7MjPRaZ8NQktt6D5C5x6y/m6Sd7P+gzVW8zMAkGM0Od5VwpGtpyZsq4+DqY1 
NfO4epYMJevPfprTiPFJrYA9QvJrhqMbXjT6SXfq9OY8r8VdMuxj/sXp/w/zQvbA 
2bWQJ6tX4i2LI6vTkD5AdPyAo+1w7OIno2T6+PcosmaOq/qqE6JTurR+FWGleUZm 
yNY+Czeap+tTkTv82FIUUZmObsZXoJXUT/cd/GayovHd/4NGKwk+h9DC114nD/94 
n+hqMmFU8NHo0VwctQGOK1EErEoV0xI/cfvjjdptKgCdBr3oPlt9AgMBAAGgADAN 
BgkqhkiG9w0BAQUFAAOCAQEAPk7OetsWI5NgAksjbaNG+2IBGJ6mztduyRQWR+hj 
ylyg8sqxYW1yOM4bF+74Ufg0oVMlLPGi7UQMYsrZFIKLJF0O6jgtAQll2J5B7IT+ 
rPPN198GpjD+EtjG5e2w/PN6bYO01fJ3T3UiJxUn4QDtcOXoXS8qGK3A+0741W1o 
GwpEgd5cHAdGuOGcZMmaFFWQAMBrkO27yZJQnMFv9qC/tCW3DORptTApKfg8qQux 
N3F8U9BFZYokNG8lq/9jy42nYvnIWKm08IrCXvx0BuLVOAXVTu9nQvn4f7VsDgcx 
FcO1o2H7vn2cPLC0AYwz6IYHnppyryLzq6AzH/ZfQ6E1jw== 
-----END CERTIFICATE REQUEST----- 

和：

$ openssl asn1parse -inform PEM -in CertificateSigningRequest.certSigningRequest 
    0:d=0 hl=4 l= 654 cons: SEQUENCE   
    4:d=1 hl=4 l= 374 cons: SEQUENCE   
    8:d=2 hl=2 l= 1 prim: INTEGER   :00 
    11:d=2 hl=2 l= 73 cons: SEQUENCE   
    13:d=3 hl=2 l= 33 cons: SET    
    15:d=4 hl=2 l= 31 cons: SEQUENCE   
    17:d=5 hl=2 l= 9 prim: OBJECT   :emailAddress 
    28:d=5 hl=2 l= 18 prim: IA5STRING   :jdoe@example.com 
    48:d=3 hl=2 l= 23 cons: SET    
    50:d=4 hl=2 l= 21 cons: SEQUENCE   
    52:d=5 hl=2 l= 3 prim: OBJECT   :commonName 
    57:d=5 hl=2 l= 14 prim: UTF8STRING  :John Doe 
    73:d=3 hl=2 l= 11 cons: SET    
    75:d=4 hl=2 l= 9 cons: SEQUENCE   
    77:d=5 hl=2 l= 3 prim: OBJECT   :countryName 
    82:d=5 hl=2 l= 2 prim: PRINTABLESTRING :US 
    86:d=2 hl=4 l= 290 cons: SEQUENCE   
    90:d=3 hl=2 l= 13 cons: SEQUENCE   
    92:d=4 hl=2 l= 9 prim: OBJECT   :rsaEncryption 
    103:d=4 hl=2 l= 0 prim: NULL    
    105:d=3 hl=4 l= 271 prim: BIT STRING   
    380:d=2 hl=2 l= 0 cons: cont [ 0 ]   
    382:d=1 hl=2 l= 13 cons: SEQUENCE   
    384:d=2 hl=2 l= 9 prim: OBJECT   :sha1WithRSAEncryption 
    395:d=2 hl=2 l= 0 prim: NULL    
    397:d=1 hl=4 l= 257 prim: BIT STRING 

因此，技巧可能是建立正确的主题并省略CSR中常见的其他字段。也就是说，主题DN应该类似于上面的emailAddress=jdoe@example.com, CN=John Doe, C=US。

你可以用openssl req和-subj这个参数来做到这一点。手册页是req(1)，它可能最容易理解-subj开关举例（如下所示）。

---

以下看起来会产生等效的CSR。

$ openssl req -out ./test.csr -new -newkey rsa:2048 -sha1 -nodes -keyout ./test.key -subj "/emailAddress=jdoe@example.com/CN=John Doe/C=US" 
Generating a 2048 bit RSA private key 
...............+++ 
...+++ 
writing new private key to './test.key' 

而这里的转储：

$ openssl req -text -in test.csr 
Certificate Request: 
    Data: 
     Version: 0 (0x0) 
     Subject: emailAddress=jdoe@example.com, CN=John Doe, C=US 
     Subject Public Key Info: 
      Public Key Algorithm: rsaEncryption 
       Public-Key: (2048 bit) 
       Modulus: 
        00:aa:f8:4e:3a:0b:51:dd:3e:cd:ba:f4:be:e9:3a: 
        84:88:b4:ec:11:97:c1:0f:f5:96:49:77:5c:8f:39: 
        81:09:69:29:cd:bc:8e:cd:79:2a:58:bd:d5:f8:10: 
        41:dc:e3:a7:b7:78:a8:cb:1e:d3:8b:0b:4e:e7:26: 
        5b:7d:1d:ee:fc:1d:60:9a:73:cf:6d:95:1a:9a:6f: 
        98:8a:4c:af:a3:3f:95:21:70:ee:7d:81:c6:d0:0c: 
        32:ee:46:cc:d5:02:83:58:82:04:f9:02:6e:56:68: 
        66:93:7c:d5:5f:91:2d:bb:af:e5:e8:71:d7:6e:53: 
        22:3d:66:c2:66:a8:c1:a2:62:4c:10:0d:e7:57:2e: 
        1f:20:f3:ed:15:b6:10:69:c9:61:39:4d:1c:56:a9: 
        b0:f5:ba:8e:48:fb:23:27:1a:e0:40:c2:be:74:80: 
        79:76:15:a4:6e:da:7d:76:4e:ec:88:fc:cd:5d:11: 
        f1:cc:68:5c:c8:2d:98:e8:a9:8d:8c:27:9b:b3:80: 
        87:36:53:d5:67:ab:f1:0a:07:a9:ab:96:c1:43:9f: 
        8d:4d:d6:b1:22:12:6c:43:58:ef:b5:89:3c:40:ea: 
        8c:81:24:68:88:7c:26:a5:2f:55:d3:86:69:ca:3f: 
        78:21:44:d4:6c:8b:66:de:35:0a:ce:6d:7b:a5:17: 
        28:f5 
       Exponent: 65537 (0x10001) 
     Attributes: 
      a0:00 
    Signature Algorithm: sha1WithRSAEncryption 
     37:52:8c:a8:d4:b2:00:9e:e9:da:10:28:27:17:a3:68:46:1d: 
     aa:b0:e9:bb:d8:5e:ae:ef:8f:a7:f4:6b:98:43:28:1f:9b:3b: 
     e5:4d:7d:14:3c:bf:58:4f:1a:20:52:ae:90:77:bb:4b:92:a7: 
     9c:54:b0:67:a6:75:9d:93:1c:aa:21:f9:8a:74:5d:f3:90:60: 
     d4:de:12:03:9b:32:94:d8:49:5e:13:f3:5c:bc:0c:fc:ce:06: 
     7e:2e:d8:06:94:af:d2:1d:ab:83:dc:59:3a:83:24:54:02:f9: 
     e8:7d:e9:d8:1b:82:1a:99:75:26:70:6e:31:f2:ca:0d:12:f0: 
     a2:23:7c:dc:b0:59:fc:80:d4:3f:1f:7a:2f:25:7b:16:9d:7e: 
     c5:82:d2:1b:29:df:43:7f:81:4e:00:56:af:44:12:3a:0c:b4: 
     8b:f9:ba:15:b9:bd:3a:3e:fa:6e:95:37:47:62:29:1f:c4:12: 
     6d:cd:94:55:e7:6f:83:c1:37:8d:65:74:b1:dd:7f:9f:74:d4: 
     aa:0e:ff:ed:c5:23:d6:83:e8:dc:d7:10:44:57:2b:4b:6f:ec: 
     8d:75:da:e3:55:dd:62:e9:46:ed:f8:ae:5d:f4:19:a3:52:c2: 
     cc:9d:9e:14:4b:b1:76:10:90:c1:4b:f6:ce:c0:92:b5:e6:a2: 
     bc:d8:36:b9 
-----BEGIN CERTIFICATE REQUEST----- 
MIICjjCCAXYCAQAwSTEhMB8GCSqGSIb3DQEJARYSbm9sb2FkZXJAZ21haWwuY29t 
MRcwFQYDVQQDDA5KZWZmcmV5IFdhbHRvbjELMAkGA1UEBhMCVVMwggEiMA0GCSqG 
SIb3DQEBAQUAA4IBDwAwggEKAoIBAQCq+E46C1HdPs269L7pOoSItOwRl8EP9ZZJ 
d1yPOYEJaSnNvI7NeSpYvdX4EEHc46e3eKjLHtOLC07nJlt9He78HWCac89tlRqa 
b5iKTK+jP5UhcO59gcbQDDLuRszVAoNYggT5Am5WaGaTfNVfkS27r+XocdduUyI9 
ZsJmqMGiYkwQDedXLh8g8+0VthBpyWE5TRxWqbD1uo5I+yMnGuBAwr50gHl2FaRu 
2n12TuyI/M1dEfHMaFzILZjoqY2MJ5uzgIc2U9Vnq/EKB6mrlsFDn41N1rEiEmxD 
WO+1iTxA6oyBJGiIfCalL1XThmnKP3ghRNRsi2beNQrObXulFyj1AgMBAAGgADAN 
BgkqhkiG9w0BAQUFAAOCAQEAN1KMqNSyAJ7p2hAoJxejaEYdqrDpu9heru+Pp/Rr 
mEMoH5s75U19FDy/WE8aIFKukHe7S5KnnFSwZ6Z1nZMcqiH5inRd85Bg1N4SA5sy 
lNhJXhPzXLwM/M4Gfi7YBpSv0h2rg9xZOoMkVAL56H3p2BuCGpl1JnBuMfLKDRLw 
oiN83LBZ/IDUPx96LyV7Fp1+xYLSGynfQ3+BTgBWr0QSOgy0i/m6Fbm9Oj76bpU3 
R2IpH8QSbc2UVedvg8E3jWV0sd1/n3TUqg7/7cUj1oPo3NcQRFcrS2/sjXXa41Xd 
YulG7fiuXfQZo1LCzJ2eFEuxdhCQwUv2zsCSteaivNg2uQ== 
-----END CERTIFICATE REQUEST----- 

Answer 3

由于第三方将要实施的iOS应用程序，他们应该有一个iOS开发者帐户和Mac，所以它应该是很容易让他们创建此证书作为设置iOS应用程序的一部分（无论如何他们需要这样做）。