What a Developer Should Know About (iOS) Keystores

From developer certificate to iOS keystore (PKCS #12)

This section guides you through the process of creating a PKCS #12 (sometimes referred to as p12 keystore) needed to build iOS apps.

First, grab your developer certificate from your iOS developer account.

You can easily extract information from your X.509 certificate with openssl. Verify that it's your certificate with:

$ openssl x509 -inform DER -noout -subject -in iphone_developer.cer
subject= /UID=L<hash>Y/CN=iPhone Developer: Donald Duck (<devId>)/OU=<teamId>/O=Duck Family/C=US

or show the sha1 fingerprint only:

$ openssl x509 -inform DER -noout -fingerprint -sha1 -in iphone_developer.cer
SHA1 Fingerprint=12:...:18

With -issuer and -enddate you can check other interesting data, or simply use -text to dump the whole content in a human-readable way.

For further processing we convert the certificate from DER input format (-inform DER) to PEM output format (-outform PEM):

$ openssl x509 -in iphone_developer.cer -inform DER -out iphone_developer.pem -outform PEM

[optional] If your private key is in p12 format, you'll need to do this additional step and convert it to PEM format as well:

$ openssl pkcs12 -nocerts -in private_key.p12 -out private_key.pem

With both ingredients in PEM format you can create a keystore for iOS builds out of those:

$ openssl pkcs12 -export -inkey private_key.pem -in iphone_developer.pem -out ios_build.p12
Enter pass phrase for private_key.pem:
Enter Export Password:
Verifying - Enter Export Password:

You'll need to know the pass phrase of your private key and specify a new password for the generated p12 keystore.

Inspect details of an existing iOS keystore:

$ openssl pkcs12 -info -in ios_build.p12
Enter Import Password:
MAC Iteration 1
MAC verified OK
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
...
your keystore/certificate details
...

You'll also need the credentials of the private key to access all data contained in the keystore.

Extract the certificate from the keystore:

$ openssl pkcs12 -in signing/ios_build.p12 -clcerts -nokeys -out publicCert.pem

Show the details of this certificate:

$ openssl x509 -in publicCert.pem -text
Certificate:
    Data:
...
your certificate details
...
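
The steps above as a non-interactive script (an added example, not part of the original article). It also checks that the private key belongs to the certificate before exporting, and that the certificate extracted from the finished keystore has the same fingerprint as the original .cer. The self-signed test certificate, file names and passwords are constructed; reading pass phrases through env: and comparing SHA-256 fingerprints are choices made for this example.

```shell
#!/bin/sh
# Added example; all file names, subjects and passwords are constructed test values.
set -eu

# SHA-256 fingerprint of a certificate file; $2 is the input format (DER or PEM).
cert_fp() {
    openssl x509 -in "$1" -inform "$2" -noout -fingerprint -sha256 | cut -d= -f2
}

# SHA-256 fingerprint of the client certificate stored in a p12 keystore.
p12_fp() {
    openssl pkcs12 -in "$1" -passin env:P12_PASS -clcerts -nokeys 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Build the keystore from a DER certificate ($1) and PEM private key ($2) into $3.
# Pass phrases are read from KEY_PASS / P12_PASS via env: so they stay out of argv.
build_p12() {
    pem="${1%.cer}.pem"
    openssl x509 -in "$1" -inform DER -out "$pem" -outform PEM || return 1
    pub=$(openssl x509 -in "$pem" -noout -pubkey) || return 1
    # Refuse to continue if the private key does not belong to the certificate.
    [ "$pub" = "$(openssl pkey -in "$2" -passin env:KEY_PASS -pubout 2>/dev/null)" ] ||
        { echo "private key does not match certificate" >&2; return 1; }
    openssl pkcs12 -export -inkey "$2" -passin env:KEY_PASS \
        -in "$pem" -out "$3" -passout env:P12_PASS || return 1
    # Round trip: the keystore must contain the certificate we started with.
    fp=$(cert_fp "$1" DER) && [ -n "$fp" ] && [ "$fp" = "$(p12_fp "$3")" ]
}

# Throwaway self-signed certificate standing in for iphone_developer.cer.
make_test_material() {
    openssl req -x509 -newkey rsa:2048 -days 1 -subj "/CN=Constructed Test Developer" \
        -keyout "$1/private_key.pem" -passout env:KEY_PASS -out "$1/tmp.pem" 2>/dev/null
    openssl x509 -in "$1/tmp.pem" -outform DER -out "$1/iphone_developer.cer"
    rm -f "$1/tmp.pem"
}

export KEY_PASS="constructed-key-pass" P12_PASS="constructed-export-pass"
work=$(mktemp -d)
make_test_material "$work"
build_p12 "$work/iphone_developer.cer" "$work/private_key.pem" "$work/ios_build.p12" &&
    echo "keystore OK, certificate SHA-256 fingerprint: $(p12_fp "$work/ios_build.p12")"
```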