转自:http://cloudfields.net/blog/ios-push-notifications-encryption/

The serious pains of setting up a Remote Push Notification in an iOS app come not from coding the app itself. They mostly relate in making the intermediate environment to connect with the Apple Push Notification Servers (APNS) and the security behind it…

I will not refer to anything specific to the xCode or Obj-C coding of Push Notifications here.  A very nice and simple implementation for Apple Push Notifications management is the  PHP-Mysql—Apple-Push-Notification-Server developed by Benjamin Ortuzar. What I’m covering in this post refers on how to create the encryption .pem files needed for the management system to communicate with the APNS.

If you decide not to use Benjamin Ortuzar’s system and go on making your own instead, you’ll probably need all the same the encryption files covered here. If on the other hand you choose to use a service providing Push Notifications like Urban Airship, you won’t need anything from below.

Things taken for granted in this post:

  1. You already have a Apple Developer ID,
  2. You have already setup the App ID and enabled it for Push Notifications,
  3. You have created the development and production certificate for Push Notifications for your app,
  4. You have the private key in your keychain (it must be there since its needed for the certificate creation above).

All we need is 2 files:

  1. the private key .p12 file (let’s call it pkey.p12). This can be found in the Keys section of the OSX keychain. Right click on it, select export, enter the filename in .p12 file format and enter its password.
  2. the SSL certificate (let’s call this sslcert.cer). For this post, I’m using the development certificate and this can be either downloaded from the Developer Connection website (same page where you created it) or you can simply drag and drop it to Finder/Desktop from the My Certificates section in the keychain.

Having done the above, open Ternimal in a Mac OSX. A Linux distribution with openssl installed will do the job as well (100% compatible and tested on Fedora Core 18). If your Linux doesn’t have openssl, type

sudo yum install openssl

for RedHat-type distributions or

sudo apt-get install openssl

for Debian.

Step 1: The Certificate

At first we need to convert the sslcert.cer to a .pem format the APNS will understand. Just type in Terminal:

$ openssl x509 -inform der -in sslcert.cer -out certificate.pem

and let’s call the output file certificate.pem.

Step 2: The Private Key

Same must be done for the private key. This is a bit more complex as it involves a security pass phrase. Again on Terminal:

$ openssl pkcs12 -nocerts -in pkey.p12 -out pkey.pem

You will be asked to enter the password protecting the pkey.p12 file and then enter a pass phrase that will protect the output pem file. We call the output pkey.pem and we’ll use it later on. Type the password, type the pass phrase, remember the pass phrase and let’s proceed…

Step 3: Merging the pem

Where we need to merge the two files into a single pem file. Extremely simple:

$ cat certificate.pem pkey.pem > apn_cert.pem

The created apns_cert.pem file will have the same pass phrase entered in step 2 and is the file needed for communication with the APNS servers.

At this point, the only thing left is to test if the file is correct.

Step 4: Testing

So far, the required pem file for the APNS communication is ready but we need to test it. The openssl command provides this as well. Since we used the development certificate on this post, we are going to test the sandbox APNS using this command:

$ openssl s_client -connect gateway.sandbox.push.apple.com:2195 -cert apns_cert.pem -key apns_cert.pem

And type the pass phrase again. After that, if all is done correctly, the connection will open with a wall of text letting you know what is going on. Typing a couple of characters, it will disconnect which is normal. If there is an error in the file, openssl will give an error message and you’ll have to read the whole wall of text to find what went wrong.

An indication of a successful connection will look something like this:

CONNECTED(00000003)

depth=2 O = Entrust.net, OU = www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), OU = (c) 1999 Entrust.net Limited, CN = Entrust.net Certification Authority (2048)

verify return:1

depth=1 C = US, O = "Entrust, Inc.", OU = www.entrust.net/rpa is incorporated by reference, OU = "(c) 2009 Entrust, Inc.", CN = Entrust Certification Authority - L1C

verify return:1

depth=0 C = US, ST = California, L = Cupertino, O = Apple Inc., OU = iTMS Engineering, CN = gateway.sandbox.push.apple.com

verify return:1

---

Certificate chain

0 s:/C=US/ST=California/L=Cupertino/O=Apple Inc./OU=iTMS Engineering/CN=gateway.sandbox.push.apple.com

i:/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C

1 s:/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C

i:/O=Entrust.net/OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Certification Authority (2048)

---

Server certificate

-----BEGIN CERTIFICATE-----

where the certificate data are printed and then:

-----END CERTIFICATE-----

subject=/C=US/ST=California/L=Cupertino/O=Apple Inc./OU=iTMS Engineering/CN=gateway.sandbox.push.apple.com

issuer=/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C

---

No client certificate CA names sent

---

SSL handshake has read 4318 bytes and written 2172 bytes

---

New, TLSv1/SSLv3, Cipher is AES256-SHA

Server public key is 2048 bit

Secure Renegotiation IS supported

Compression: NONE

Expansion: NONE

SSL-Session:

Protocol : TLSv1

Cipher : AES256-SHA

Session-ID: D85E15E39624323B4EBA268214077587711A2EEC4FB083C7F79435EC1A0E58EC

Session-ID-ctx:

Master-Key: D433A396CE2FCF8C97C2E53B1C4F08BFAB738D343D5D4E69D2F6E42268A67EB490AFA554FA59FB4337F7FFA34AFC0A3A

Key-Arg : None

Krb5 Principal: None

PSK identity: None

PSK identity hint: None

TLS session ticket:

followed by the ticket data.

Finally, with the pem file created, you can use it in any application or system you have developed or used to manage Push Notifications. Copy it where it needs to be and start sending…

(转)pem, cer, p12 and the pains of iOS Push Notifications encryption的更多相关文章

  1. Send Push Notifications to iOS Devices using Xcode 8 and Swift 3, APNs Auth Key

    Send Push Notifications to iOS Devices using Xcode 8 and Swift 3 OCT 6, 2016 Push notifications are ...

  2. 实战p12文件转pem文件

    1.首先生成一个ssl的证书 选择app IDS 后实现下面这个(这里不详细说明怎么生成了) 点击Download按钮,我就下载Development的ssl证书,下载成功后,双击运行,会打开钥匙串程 ...

  3. (转)实战p12文件转pem文件

    需要实现这个功能的一般都是app开发证书不支持通配符(即com.xxx.xxx.xxx格式),在业务需求上类似消息推送这样的业务. 1.首先生成一个ssl的证书 选择app IDS 后实现下面这个(这 ...

  4. pem文件转p12

    p12->pem cer.p12: openssl pkcs12 -clcerts -nokeys -out cer.pem -in cer.p12 key.p12: openssl pkcs1 ...

  5. iOS推送证书转pem文件

    iOS推送证书转 .pem文件. 推送证书转pem文件openssl x509 -in apns_miaobozhibo.cer -inform der -out apns_miaobozhibo.p ...

  6. Atitti.数字证书体系cer pfx attilax总结

    Atitti.数字证书体系cer pfx attilax总结 一.数字证书常见标准 1 数字证书文件格式(cer和pfx)的区别: 1 二.数字证书存储内容 2 X.509是一种非常通用的证书格式. ...

  7. c#上iOS apns p12文件制作记录 iOS推送证书制件

    前期一些准备工作可参考:http://jingyan.baidu.com/article/7082dc1c6bb86de40a89bd1a.html 1.在桌面上建一个"apns_p12&q ...

  8. c#上iOS apns p12文件制作记录

    1.在桌面上建一个"apns_p12"文件夹,所有的保存和生成文件都放在这里 2.从钥匙串中生成CertificateSigningRequest.certSigningReque ...

  9. iOS 推送证书生成pem

    cert: openssl x509 -in aps_development\ \(8\).cer -inform der -out pushDeveCerTopem.pem key: openssl ...

随机推荐

  1. 初识web01

    Tomcat   服务器        B/S    浏览器/服务器      C/S    客户端/服务器   URI:统一资源标识符   大  广   /项目名   URL:统一资源定位符     ...

  2. java SSH整合配置

    web.xml <?xml version="1.0" encoding="UTF-8"?> <web-app version="3 ...

  3. sql Server 常用存储过程的优化

    优化存储过程有很多种方法,下面介绍最常用的7种. 1.使用SET NOCOUNT ON选项 我们使用SELECT语句时,除了返回对应的结果集外,还会返回相应的影响行数.使用SET NOCOUNT ON ...

  4. Nginx配置文件nginx.conf详解(转)

    #定义Nginx运行的用户和用户组 user www www; #nginx进程数,建议设置为等于CPU总核心数. worker_processes 8; #全局错误日志定义类型,[ debug | ...

  5. Design Pattern ——Builder

    一.基础知识:先前学习建造者模式的时候,总是以这个UML图作为学习基础资料 然后总是要记住四个角色 产品类:一般是一个较为复杂的对象,也就是说创建对象的过程比较复杂,一般会有比较多的代码量.在本类图中 ...

  6. MyEclipse汉化后问题

    今天为了教学生如何汉化MyEclipse10.7,所以讲IDE汉化了一下. 个人还是喜欢用英文版,所以就将D:\MyEclipse\MyEclipse 10目录下的配置文件myeclipse.ini里 ...

  7. BOM和DOM的联系和区别

    BOM中的对象 Window对象: 是整个BOM的核心,所有对象和集合都以某种方式回接到window对象.Window对象表示整个浏览器窗口,但不必表示其中包含的内容. Document对象: 实际上 ...

  8. MySQL FROM 子查询

    FROM 子句中的子查询 MySQL FROM 子查询是指 FROM 的子句作为子查询语句,主查询再到子查询结果中获取需要的数据.FROM 子查询语法如下: SELECT ... FROM (subq ...

  9. QT5-控件-QLineEdit-文本输入控件,用来输入密码什么的还不错,可以和Linux登录一样不移动光标哦

    #ifndef MAINWINDOW_H #define MAINWINDOW_H #include <QMainWindow> #include <QLineEdit> #i ...

  10. Ajax 技术原理(转)

    Ajax 技术原理 2010-01-04 原文出处:http://www.nowamagic.net/ajax/ajax_AjaxPrinciple.php 在写这篇文章之前,曾经写过一篇关于AJAX ...