Generating an Apple iOS certificate using Windows

When using any services for your iOS device such as Push Notifications, you need to generate a certificate. It’s quite simple when using Mac OS X, as all of Apple’s instructions are geared towards it. What do you do, however, if you’re using a Windows machine? There are a few more steps involved, but the whole process is simple enough.

Before you get started, ensure that you have IIS installed on your machine as we’ll need that to generate the certificate request.

To get started, open the Provisioning Portal on Apple’s developer site and add whatever certificate you need. You’ll be prompted with this dialog.


Open the IIS Manager, select the machine name on the left-hand side, look for the Server Certificates icon in the Features section and double-click it.


Opening the Server Certificates feature will create a menu on the right-hand side of the screen. The second option in that menu is “Create Certificate Request”. This will allow us to generate the file that Apple requires in order to generate our certificate.


Clicking this option opens the Request Certificate wizard.


Fill this form out with some basic details. The Common name I always fill with my email address, but put whatever values you feel are appropriate here.


Next, select the type of request. I always select a key length of 2048. I don’t know what OS X does here, so if anyone knows what size of certificate they request, please let me know in the comments. Click Next to continue.


Next, just select a location to save the request to and hit Finish. Return to the Apple provisioning portal.


Choose the file you’ve just created and hit Generate.


Apple will now generate the certificate file.


We now have the certificate, but this doesn’t contain the private key. We need to complete the process. Hit download and save the cert somewhere. Return to IIS’s Server Certificates feature. In the menu on the right-hand side, as before, you’ll see an option called Complete Certificate Request.


Select the cert you’ve just downloaded and give it a friendly name. Hit OK. This step will effectively join our Certificate Request with Apple’s certificate to produce a full certificate with both public and private keys. You should now see the certificate in IIS. NOTE: Please ignore the typo in the Friendly name field. Thanks to @nickg_uk for pointing it out!


You can also choose to export this certificate. If you do, choose the PFX file type to include the Private Key. Once you’ve exported it to a file, you can import it into your certificate store for later use.
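The same request, complete and export flow can be scripted. The following is an added example, not part of the original post: it uses the built-in certreq.exe tool and the current user's certificate store instead of the IIS Manager wizard, and it refuses to export unless the private key is actually attached to the certificate. The subject, file names and store location are assumptions.

```powershell
# Added example, not the post's own code. Subject and file names are assumptions.
$subject = 'CN=you@example.com'                      # placeholder common name
$inf = Join-Path $env:TEMP 'ios-request.inf'
$csr = Join-Path $env:TEMP 'ios-request.csr'
$cer = Join-Path $env:TEMP 'apple-issued.cer'        # assumed name for the downloaded cert
$pfx = Join-Path $env:TEMP 'ios-cert.pfx'

# 1. Create the key pair and request once. The private key stays in the local store.
#    Exportable = TRUE is what later allows a PFX that includes the key.
if (-not (Test-Path $csr)) {
    $template = @"
[NewRequest]
Subject = "$subject"
KeyLength = 2048
KeySpec = 1
Exportable = TRUE
MachineKeySet = FALSE
RequestType = PKCS10
"@
    $template | Set-Content -Path $inf -Encoding ASCII
    certreq.exe -new $inf $csr
    if ($LASTEXITCODE -ne 0) { throw 'certreq -new failed' }
}

# 2. Manual step: upload the request to the portal and save the issued certificate.
if (-not (Test-Path $cer)) {
    Write-Host "Upload $csr, save the issued certificate as $cer, then run this again."
    return
}

# 3. Join the issued certificate with the pending request (and its private key).
certreq.exe -accept -user $cer
if ($LASTEXITCODE -ne 0) { throw 'certreq -accept failed' }

# 4. Find the installed certificate by thumbprint and confirm the key is attached.
$issued = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $cer
$cert = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq $issued.Thumbprint }
if (-not $cert) { throw 'Issued certificate not found in CurrentUser\My' }
if (-not $cert.HasPrivateKey) { throw 'No private key attached; the request was not made in this store' }

# 5. Export certificate and private key together, protected by a password.
$password = Read-Host -AsSecureString 'PFX password'
Export-PfxCertificate -Cert $cert -FilePath $pfx -Password $password | Out-Null
```

The resulting PFX contains the private key, so store it and its password with the same care as any other signing credential.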


I hope this has been helpful and easy to follow. If you have any comments or suggestions on it, please use the comments section below!

7 thoughts on “Generating an Apple iOS certificate using Windows”

  1. Hi Thomas. All the screenshots about generating the certificate signing request and further. Never mind, found that all this looks a little different on the apple dev portal, so got to generating my certificate in the end. Thanks for the post.
    Used it in your sample application, replacing thumbprints and the pass type ID where I could find. My next concern is an exception that says “Key doesn’t exist” when I reach the ComputeSignature. StackTrace = ” at System.Security.Cryptography.Pkcs.SignedCms.ComputeSignature(CmsSigner signer, Boolean silent)\r\n
    at System.Security.Cryptography.Pkcs.SignedCms.ComputeSignature(CmsSigner signer)\r\n at Passbook.Generator.PassGenerator.SignManifestFile(PassGene…
    Should I raise an issue on github or mail you?

    • Gabriel,

      The screenshots are out of date :) This post is over three years old!

      With regards to the “Key doesn’t exist” error, it usually arises when you don’t have the private key component. When exporting to PFX, you must check the option to include the private key too.

  2. Thanks for the heads up Thomas .) After the Complete Certificate Request step, two things I saw happen:
    1. The certificate shows up among the server certificates. I do not have an export option (“Renew” instead) and therefore I cannot get the pfx. The certificate disappears when I navigate back to the server certificates on the server.
    2. After a few tries, I get an “Access is denied”. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
    What am I doing wrong?
