Converting a push certificate to P12 format for an iPhone app on Windows
I am told that we need to provide an application developer with a P12 format 'Push Notification Certificate'. I need to know how to get this using Windows.
I have the following:
- Developer certificate *developer_identity.cer*
- Distribution certificate *distribution_identity.cer*
I was then told to go to App IDs, find my new App ID and click 'Configure'. Then configure my App ID for Apple's Push Notification service.
Configure 'Production Push SSL Certificate': It says I need to create a CSR and upload it to Apple.
When creating the CSR I used the following in OpenSSL:
```
openssl genrsa -out mykey.key 2048
```
then
```
# -subj separates each field with "/"
openssl req -new -key mykey.key -out CertificateSigningRequest.certSigningRequest -subj "/emailAddress=you@example.com/CN=John Doe/C=US"
```
Replacing email, CN and C with my own details.
Question 1: How is this right? The P12 will be provided to a third party for them to push; are the email, CN and C here validated at any point or does this not matter?
Assuming the above is all correct, this results in me getting another file: *aps_production_identity.cer*
Question 2: How can I use OpenSSL with the files above to provide the necessary Push Certificate in P12 to the developer?
Comments (2)
(1) Whether or not the email, CN and C are validated by Apple when the certificate is created, the certificate is digitally signed by a Certificate Authority (CA) at Apple, so that's how they will know that it is authentic when it is used to connect. You could not forge that signature (of their CA, on your certificate.)
(2) To create a P12 with OpenSSL:
```
$ openssl pkcs12 -export -out my_cert_and_key.p12 -in my_cert.crt -inkey my_key.key
```
You will be prompted for a password, which you will need to type in again when importing it on Windows. This password is protecting the private key, which is in the P12 file along with the certificate. That is, if this is going to be imported on a Windows machine. For the iPhone, ignore that, and what follows...
Whichever Windows account imports the certificate, will have access to the private key to use it when connecting with TLS. If you need another Windows account to connect using this certificate, you will have to grant it read access to the private key (which you can do from the MMC Certificates snap-in, "Manage Private Keys".)
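The export step from the answer above, as an added example that is not part of the original answers: it converts the issued `.cer` to PEM, checks that the certificate's public key matches the private key that produced the CSR, and only then writes the P12. It assumes the downloaded `.cer` is DER-encoded and that the P12 password is passed in a `P12_PASS` environment variable; the function names `make_push_p12` and `make_test_identity` and the script name are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original answers. File names are constructed.
# P12_PASS must be exported by the caller; it becomes the P12 import password.

# make_push_p12 <cert.cer> <private.key> <out.p12>
# Exit status: 1 = certificate unreadable, 2 = certificate/key mismatch.
# The body runs in a subshell "( )", so variables and the trap stay local.
make_push_p12() (
  cer=$1; key=$2; out=$3
  pem=$(mktemp) || exit 1
  trap 'rm -f "$pem"' EXIT
  # Assumption: the downloaded .cer is DER-encoded; pkcs12 -export wants PEM.
  openssl x509 -inform DER -in "$cer" -out "$pem" || exit 1
  # Compare the public key in the certificate with the one derived from the
  # private key. A certificate issued for some other CSR fails here.
  cert_pub=$(openssl x509 -in "$pem" -noout -pubkey)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  if [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
    echo "certificate does not match private key" >&2
    exit 2
  fi
  openssl pkcs12 -export -in "$pem" -inkey "$key" -out "$out" \
    -passout env:P12_PASS
)

# Constructed test input: a self-signed certificate stands in for the one
# Apple's CA would issue. Usage: make_test_identity <dir> <name>
make_test_identity() (
  openssl genrsa -out "$1/$2.key" 2048 2>/dev/null &&
  openssl req -new -x509 -key "$1/$2.key" -days 1 \
    -subj "/CN=Constructed Push Test" -outform DER -out "$1/$2.cer"
)

# Stand-alone use (hypothetical script name):
#   P12_PASS=... sh make_p12.sh cert.cer private.key out.p12
if [ "$#" -eq 3 ]; then make_push_p12 "$@"; fi
```

The resulting P12 contains the private key, so whoever receives the file and its password can authenticate as the push sender; send the password over a separate channel from the file.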
XCA makes it easy.
source article: http://durej.com/?p=345