Generating an Apple iOS certificate using Windows

When using any services for your iOS device such as Push Notifications, you need to generate a certificate. It’s quite simple when using Mac OS X, as all of Apple’s instructions are geared towards it. What do you do, however, if you’re using a Windows machine? There are a few more steps involved, but the whole process is simple enough.

Before you get started, ensure that you have IIS installed on your machine as we’ll need that to generate the certificate request.

To get started, open the Provisioning Portal on Apple’s developer site and add whatever certificate you need. You’ll be prompted with this dialog.


Open the IIS Manager, select the machine name on the left hand side, then look for the Server Certificates icon in the Features section and double-click it.


Opening the Server Certificates feature will create a menu on the right hand side of the screen. The second option in that menu list is “Create Certificate Request”. This will allow us to generate the file that Apple requires in order to generate our certificate.


Clicking this option opens the Request Certificate wizard.


Fill this form out with some basic details. The Common name I always fill with my email address, but put whatever values you feel are appropriate here.


Next, select the type of request. I always select a key length of 2048. I don’t know what OS X does here, so if anyone knows what size of certificate they request, please let me know in the comments. Click Next to continue.


Next, just select a location to save the request to and hit Finish. Return to the Apple provisioning portal.


Choose the file you’ve just created and hit Generate.


Apple will now generate the certificate file.


We now have the certificate, but it doesn’t contain the private key, which is still held on this machine with the pending request. We need to complete the process. Hit download and save the cert somewhere. Return to IIS’s Server Certificates feature. In the menu on the right hand side, as before, you’ll see an option called Complete Certificate Request.


Select the certificate you’ve just downloaded and give it a friendly name. Hit OK. This step will effectively join our Certificate Request with Apple’s certificate to produce a full certificate with both public and private keys. You should now see the certificate in IIS. NOTE: Please ignore the typo in the Friendly name field. Thanks to @nickg_uk for pointing it out!


You can also choose to export this certificate. If you do, choose the PFX file type to include the Private Key. Once you’ve exported it to a file, you can import it into your certificate store for later use.
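
The same request, complete and export flow can be scripted with certreq.exe and the PKI cmdlets that ship with Windows. This is an added example, not part of the original post; the subject value, the C:\certs paths and the downloaded file name pass.cer are assumptions.

```powershell
# Added example: scripted form of the IIS wizard steps. Run from an elevated prompt.
# Assumed names: the subject value, the C:\certs paths, and the file name pass.cer.
$dir = 'C:\certs'
New-Item -ItemType Directory -Path $dir -Force | Out-Null

# 1. Describe the request. The key pair is generated in the local machine store;
#    only the public key and the subject go into the request file.
@'
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=you@example.com, O=Example Ltd, C=GB"
KeyLength = 2048
KeySpec = 1
Exportable = TRUE
MachineKeySet = TRUE
RequestType = PKCS10
'@ | Set-Content -Path "$dir\request.inf" -Encoding ASCII

# 2. Create the PKCS#10 request (the file you upload to Apple).
certreq.exe -new "$dir\request.inf" "$dir\request.csr"
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed" }

# 3. After downloading Apple's certificate, pair it with the pending private key.
certreq.exe -accept -machine "$dir\pass.cer"
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed" }

# 4. Confirm the installed certificate has its private key before relying on it.
$downloaded = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 "$dir\pass.cer"
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $downloaded.Thumbprint }
if (-not $cert -or -not $cert.HasPrivateKey) {
    throw "Certificate is missing or has no private key; a PFX exported now cannot sign."
}

# 5. Export to PFX. The file contains the private key, so protect it with a strong password.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
Export-PfxCertificate -Cert $cert -FilePath "$dir\pass.pfx" -Password $pfxPassword | Out-Null
```

The `Exportable = TRUE` line is what makes the later PFX export possible; the `HasPrivateKey` check catches the case where the certificate was installed on a machine other than the one that created the request.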


I hope this has been helpful and easy to follow. If you have any comments or suggestions on it, please use the comments section below!

29 thoughts on “Generating an Apple iOS certificate using Windows”

  1. Cannot find this Pass Certificate Assistant tool anywhere on Apple’s developer portal. Full developer membership here.

      1. Hi sir, I need to generate a CSR to generate a GSX Apple account. I’m using this service for the first time; please help me as soon as possible.

  2. Hi Thomas. All the screenshots about generating the certificate signing request and further. Never mind, found that all this looks a little different on the apple dev portal, so got to generating my certificate in the end. Thanks for the post.
    Used it in your sample application, replacing thumbprints and the pass type ID where I could find. My next concern is an exception that says “Key doesn’t exist” when I reach the ComputeSignature. StackTrace = ” at System.Security.Cryptography.Pkcs.SignedCms.ComputeSignature(CmsSigner signer, Boolean silent)\r\n
    at System.Security.Cryptography.Pkcs.SignedCms.ComputeSignature(CmsSigner signer)\r\n at Passbook.Generator.PassGenerator.SignManifestFile(PassGene…
    Should I raise an issue on github or mail you?

    1. Gabriel,

      The screenshots are out of date 🙂 This post is over three years old!

      With regards to the “Key doesn’t exist” error, it usually arises when you don’t have the private key component. When exporting to PFX, you must check the option to include the private key too.

  3. Thanks for the heads up Thomas .) After the Complete Certificate Request step, two things I saw happen:
    1. The certificate shows up among the server certificates. I do not have an export option (“Renew” instead) and therefore I cannot get the pfx. The certificate disappears when I navigate back to the server certificates on the server.
    2. After a few tries, I get an “Access is denied”. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))
    What am I doing wrong?

  4. Hi Thomas,
    maybe I am too dumb.
    You write “To get started, open the Provisioning Portal on Apple’s developer site and add whatever certificate you need.” Well what certificate do I need for creating passes? I am totally new to this and there is nothing like a “pass certificate”.

    I tried to create a certificate for “iOS App Development”. When I am supposed to select a file with the request I select the “request.txt” file created with IIS but the “generate” button on the site stays disabled. Are txt files not valid? I tried to rename it to “request.certSigningRequest” because on the site it says “Select .certSigningRequest file saved on your Mac.” This does not help.
    Any ideas?

    I am in the proof of concept phase for a new project on the search for a library we will use in future. Your library seems to be very nice to use.

    Thx in advance,
    Michael

    1. Sorry for the delay in answering your question. What you want to create is a “Pass Type ID”. This will allow you to generate a certificate that you use to sign your Passes with.

  5. Hi Tomas,
    So! In the Apple developer store, I have created a Pass Type ID. I have also created a CSR from IIS Server certificates. The resulting certificate request file ends with a “.txt” extension as opposed to “.certSigningRequest”. For some reason when I try to upload the CSR to the Pass Type ID, it keeps throwing back an error stating “Please upload a valid certificate”.

    All searches on google show that the above-mentioned steps are conceptually right, barring the UI changes in the portal. Have you come across this before? Any help/advice would be highly appreciated.

    Thanks
    Noel

    1. The cert request that you create should be valid whether it’s generated by IIS or the KeyChain assistant. I’ve never seen them get rejected. Are you using a 2048 key size?

      1. I tried as well with 2048 and 4096 and Apple is rejecting, I might have missed something.

  6. Hello Thomas.
    Thanks for your post. It was really helpful.
    Please, could you help me with this: I need to convert the Apple certificate to a .p12 file, for compiling a Mac app in Adobe. I just created the certificate and also exported to a .pfx file. I have openssl and all archives are in the same folder, but I do not know which is the correct way to execute pkcs12 -export -inkey mykey.key -in developer_identity.pem -out iphone_dev.p12
    Regards,

  7. Hi Tom,
    I was able to successfully follow your instructions and generated the boarding and coupon pk passes. I sent the pk passes to my iPhone 7, but the pk passes don’t open. I click on the pass and nothing happens. I downloaded another pk pass from another site, and sent it to my iPhone 7, it opens the pkpass fine. Do you have any idea how to debug this?

    1. Monica, the easiest way to debug this is to connect the iPhone in question to a Mac and use the Device Log in XCode. If this isn’t an option, you could always send the pass to me and I can do that for you.

      1. Tom,
        Thank you so much for your prompt response. I sent the coupon pass to you.

  8. Hi Tom,

    We’ve successfully applied the Apple Wallet certificate to IIS running on a Windows Server 2012 machine for the past few years – but this year we’re having real problems and we’re not even sure if it’s still possible as Apple’s own documentation appears to have been updated.

    Have you applied an Apple certificate recently to IIS – and if so, have you been successful? What are we missing?

    Many Thanks.

      1. Hi Tomas,

        Weirdly it looks to be working now – there was precious little info on installing an Apple Certificate on a Windows IIS Server online so we were wondering if it had been unsupported. Apple were next to no use, simply directing us to their help page showing how to install an Apple Certificate on a Mac (!!).

        We’ve not done anything different to what we did last year, but it suddenly worked, so I have no idea how it’s resolved itself.

        Thanks for your help.

  9. Hello,

    Ya I cannot figure out where the pass certificate assistant is, to submit the certificate signing request… So I went and created an Apple developer account (no problem), however I just cannot find the certificate assistant mentioned in the article here (it’s probably been moved, or removed, since the article was authored)..

    I believe it may be found here: https://developer.apple.com/account/resources/

    However when I go there I get a message “This resource is only for developers enrolled in a developer program or members of an organization’s team in a developer program.”

    So I guess I am a bit stuck…

    Perhaps this is no longer possible??

  10. Hello Tomas,

    So just a heads up:

    For the Apple WWDR certificates, found here: https://www.apple.com/certificateauthority/

    it seems that Apple has a new WWDR certificate that expires in 2030. That certificate has a different thumbprint: “06ec06599f4ed0027cc58956b4d3ac1255114f35”

    The “older” certificate (the one that expires in 2023) has the thumbprint “ff6797793a3cd798dc5b2abef56f73edc9f83a64”, which is hard-coded into the source under the constant “APPLE_CERTIFICATE_THUMBPRINT”.

    I imagine if you try to use the new Apple WWDR certificate without updating the source code, it probably won’t work??

    Should I make an attempt to update the source for the project? I would probably just add in a new request field (called AppleWWDRCAThumbprint), and have that be a field that is passed in and it would use that (or it would default to the old thumbprint I suppose, for backwards compatibility)… Given my inexperience with this (and since I have not even gotten this to work yet), I am a bit apprehensive to just go ahead and update your source code…

    Anyhow, I temporarily fixed that by hardcoding the new value in the source, however I am still getting signing errors (“CryptographicException: Keyset does not exist”)… I know it’s a Windows certificate permissions thing, but I am having a difficult time resolving it… Can you offer any pointers to resolve that?? I do have the private certificate in my IIS personal store, and I am using the proper thumbprint, and it does say I have the private key, etc… I can export it to a .pfx file, with (I believe) the private key, but I cannot use that file either. Not quite sure how to get that to work…

    Anyhow, thank you so much for this.. I know I am just a few keystrokes away from getting this to work, and it will make my work tons easier once I get it all figured out…

    … Howard

    1. Hi, Howard,

      I’m not sure if you still need help with this.

      I believe it’s not possible to generate certificates from IIS any more, due to additional properties being required in the certificates.

      Tom
