Reputation: 6472
When you need to create a new certificate for APNS, the Provisioning Portal "wizard" always gives the steps to create a new CSR which means you need to create a new public/private key as well. These can start to get out of control, so is there a way to create a CSR (Code Signing Request) in Keychain Access from an existing Private Key instead of having to create a new one every time?
Thanks
Upvotes: 12
Views: 8916
Reputation: 5105
Typically, you can do this by right-clicking an existing private key in Keychain Access and choosing Request a Certificate from a Certificate Authority With "Name Of Your Key".
Unfortunately, this will fail with "The specified item could not be found in Keychain" unless you also have the corresponding public key in your keychain. There's no technical reason for this—a Certificate Signing Request (CSR) can be generated from just a private key—but Keychain Access doesn't understand this.
You have two options.
This is a quick option that will just generate a CSR that you can upload to Apple.
1. Export the private key in .p12 format somewhere, but remember the path. These instructions assume it's in your home directory and called exported.p12. Leave the password blank.
2. Open Terminal and enter:
   openssl req -new -key <(openssl pkcs12 -in ~/exported.p12 -nocerts -nodes -passin pass:"") > new.certSigningRequest
   See [1] at the end of this post for details about what's going on.
3. Press Enter for each prompt (Apple doesn't care about these values). When you're finished, you'll have a .certSigningRequest file suitable for upload to the Apple Developer Portal. When you download the associated certificate, it will pair up with the original private key.
4. Delete the exported.p12 file, as it contains private key material.

This option is a longer-term fix that'll let you generate CSRs from the original key straight from Keychain Access. These instructions assume you can't currently use Keychain Access to do so because you're missing the corresponding public version of your private key. You can check for this by going to the "Keys" category in Keychain Access and looking for a "private key" and "public key" with the same name.

1. Export the private key in .p12 format somewhere, but remember the path. These instructions assume it's in your home directory and called exported.p12. Leave the password blank.
2. Open Terminal and enter:
   openssl pkcs12 -in ~/exported.p12 -nocerts -nodes | openssl rsa -pubout > public.pem
   See [2] at the end of this post for details about what's going on.
3. Import this public key into Keychain Access using the security tool:
   security -v import public.pem -k ~/Library/Keychains/login.keychain
   You should see "1 key imported." Change ~/Library/Keychains/login.keychain if you want to import this to another keychain. (You can see where each keychain lives by going to Edit - Keychain List in Keychain Access.)
4. Delete exported.p12 and public.pem.
5. You can now right-click the original private key and choose Request a Certificate from a Certificate Authority With "Name Of Your Key" to generate a CSR.
Explanations
[1] This command, broken down:
openssl req -new # Generate a new certificate signing request
-key # Instead of generating a key, use an existing one
<( # Put the output of the following command in a temporary file
# (a Bash feature, not specific to OpenSSL)
openssl pkcs12 -in ~/exported.p12 # Read keys from the specified PKCS12 file
-nocerts # Don't output the certificate contained in the file
-nodes # Write the private key out unencrypted (no DES), so the next command can read it
-passin pass:"" # The password for the container is blank
)
> new.certSigningRequest # Write the generated CSR to a file
[2] Second command, broken down:
openssl pkcs12 -in ~/exported.p12 # Read keys from the specified PKCS12 file
-nocerts -nodes # Output only the private key, no certificates
| openssl rsa -pubout # Compute the public key from a private key
> public.pem # Write the public key to a file
Upvotes: 33
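As an added worked example (not part of the answer above, and not Apple's or Keychain Access's own tooling), the shell script below does the two things the answer relies on with the openssl CLI and then adds the check you want before uploading anything: it builds a CSR from an existing private key, derives the key's public half the way command [2] does, and confirms that the public key embedded in the CSR is the one belonging to your private key. If that check fails, the certificate a CA issues for the CSR will never pair with the key in your keychain. Everything here is an assumption of mine: the openssl binary on PATH, the file names, the subject, and the throw-away RSA key generated to stand in for the key you would export as exported.p12. It uses plain POSIX sh with files rather than the bash-only <( ) substitution, and openssl pkey instead of openssl rsa so the same steps also work for EC keys.

```shell
#!/bin/sh
# Added example: CSR from an existing private key, plus a key/CSR pairing check.
# Assumes the openssl CLI is installed; all paths and names are placeholders.
set -eu

# Constructed stand-in for the key you already hold in the keychain.
# (In practice you would export the real one as a .p12 and use it here.)
make_sample_key() {            # $1 = output path for the PEM private key
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null
}

# The public half Keychain Access insists on seeing; same idea as
# "openssl rsa -pubout" in [2], but "pkey" handles RSA and EC alike.
public_key_of() {              # $1 = private key path; prints PEM public key
    openssl pkey -in "$1" -pubout
}

# Build a CSR from the existing key: -key reuses it instead of generating one,
# -subj fills the fields so there is nothing to press Enter through.
csr_from_private_key() {       # $1 = private key path, $2 = CSR output path
    openssl req -new -key "$1" -subj "/CN=added-example-csr" -out "$2" 2>/dev/null
}

# Return 0 if the CSR carries exactly the public key of the given private key,
# 1 otherwise. This is the pairing guarantee the answer describes.
csr_matches_key() {            # $1 = private key path, $2 = CSR path
    key_pub=$(public_key_of "$1")
    csr_pub=$(openssl req -in "$2" -noout -pubkey)
    [ "$key_pub" = "$csr_pub" ]
}

# Walk through the whole flow with one right key and one wrong key.
demo() {
    tmp=$(mktemp -d)
    make_sample_key "$tmp/original.pem"
    make_sample_key "$tmp/unrelated.pem"
    csr_from_private_key "$tmp/original.pem" "$tmp/new.certSigningRequest"
    csr_matches_key "$tmp/original.pem" "$tmp/new.certSigningRequest" \
        && echo "CSR was made from original.pem: safe to upload"
    csr_matches_key "$tmp/unrelated.pem" "$tmp/new.certSigningRequest" \
        || echo "CSR does NOT belong to unrelated.pem: a cert for it would not pair"
    rm -rf "$tmp"   # do not leave private key material lying around
}

# Run as: sh csr_check.sh demo
case "${1:-}" in demo) demo ;; esac
```

Sourcing the file gives you the functions on their own; csr_matches_key is the one worth keeping around, since it works on any PEM key and any CSR, including one produced by Keychain Access after the public key has been imported.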
Reputation: 6472
When you go into Provisioning Profile to Enable/Configure Push Notifications, the first thing it asks for is a CSR (Code Signing Certificate).
You can generate this with an existing private key from Keychain Access instead of creating a new one.
Just open Keychain Access and then scroll through and find a previous PRIVATE KEY (probably called YOUR NAME) and then right-click (two-finger click) on it and choose Request A Certificate From A Certificate Authority With "bla bla bla".
I just enter the same email address in both User Email Address and CA Email Address, and choose Saved To Disk.
Then upload that to create your .cer files.
Upvotes: 3