-----Original Message-----
>From: "Dr. Stephen Henson" <st...@openssl.org>
>Sent: Jul 28, 2010 8:34 PM
>To: openssl-users@openssl.org
>Subject: Re: Simulating Mac keychain CSR with OpenSSL
>
>On Wed, Jul 28, 2010, Wim Lewis wrote:
>
>> On Jul 28, 2010, at 2:38 PM, Todd Oberly wrote:
>> > It's obviously asking for just a subset of what would typically go into a
>> > CSR. I tried generating several different CSR's with OpenSSL, containing
>> > various information (and then converting the files to Mac line endings),
>> > but the instructions seem to be right. Only the CSR I made on a friend's
>> > Mac was accepted. [...] It's also possible that I just missed the right
>> > combination, and trying again will make a CSR that works.
>>
>> Well, I haven't tried submitting an OpenSSL-generated CSR to Apple, but the
>> CertificateAssistant-generated CSR looks pretty normal. I have a vague
>> memory that Apple's fussy about the key type; are you using a 2048-bit RSA
>> key?
>>
>> I ran asn1parse on a successfully-submitted-to-Apple CSR and I see this
>> structure:
>>
>> [
>>   version = v1
>>   subject = { emailAddress = IA5STRING, commonName = UTF8STRING,
>>               countryName = PRINTABLESTRING }
>>   subjectPKInfo = [ [ rsaEncryption, NULL ], the usual key parameters,
>>                     e=65537, m ~ 2^2048 ]
>>   attributes = empty sequence
>> ]
>>
>> signed using sha1WithRSAEncryption.
>>
>>
>> > I don't like mysteries, and don't like being locked into one platform.
>>
>> Understandable, though I think that once you're using Apple's notification
>> service for your iPhones, the way you generate your X.509 key is the least
>> of your lockin worries. :)
>
>Try the utf8only option for the mask if it doesn't include UTF8Strings
>already.

I wanted to follow up on my quest to use OpenSSL for creating certificates that interoperate with Apple's Push Notification Servers. In the end, the process also involved creating a pkcs12 file from the Apple cert and public key, but two simple steps like

    openssl.exe genrsa -out iphone.key 2048
    openssl.exe req -new -key iphone.key -out iphone.csr

created a CSR that Apple would accept. I haven't tested many variations so far, so am not sure if the 2048-bit key or knowing the contents of the Mac-generated CSR clinched it. But the server is working now, and thanks for all the suggestions. :)

Todd
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
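
An added example, not part of the original posts: the two commands from the follow-up run non-interactively with the utf8only string mask suggested in the quoted reply, then inspected with asn1parse so the key size and the subject string types can be compared with the structure listed in the thread. The subject values, the req.cnf file name and the helper function names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Subject values are constructed placeholders.

# Write a minimal req config: no prompting, UTF8String for directory strings.
write_req_config() {  # $1 = path of the config file to create
    cat > "$1" <<'EOF'
[req]
prompt = no
string_mask = utf8only
distinguished_name = dn

[dn]
emailAddress = dev@example.com
CN = Example Developer
C = US
EOF
}

# Generate a 2048-bit RSA key and a CSR for it in directory $1.
make_csr() (
    umask 077   # keep the private key unreadable to other users
    write_req_config "$1/req.cnf" &&
    openssl genrsa -out "$1/iphone.key" 2048 2>/dev/null &&
    openssl req -new -config "$1/req.cnf" -key "$1/iphone.key" -out "$1/iphone.csr"
)

# Print the RSA modulus size in bits recorded in CSR file $1.
csr_key_bits() {
    openssl req -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Print the ASN.1 string type used for subject attribute $2 in CSR file $1.
csr_string_type() {
    openssl asn1parse -in "$1" | awk -v name="$2" '
        found { sub(/.*prim: */, ""); print $1; exit }
        $0 ~ ("OBJECT +:" name "$") { found = 1 }'
}

# Print the signature algorithm of CSR file $1 (OpenSSL's default digest is used).
csr_sig_alg() {
    openssl req -in "$1" -noout -text |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Demo: build a CSR in a scratch directory and report what the CA will see.
tmp=$(mktemp -d) && make_csr "$tmp" &&
    echo "bits=$(csr_key_bits "$tmp/iphone.csr") CN=$(csr_string_type "$tmp/iphone.csr" commonName) sig=$(csr_sig_alg "$tmp/iphone.csr")"
rm -rf "$tmp"
```

The signature algorithm is reported rather than forced, so it reflects the default digest of the installed OpenSSL and may differ from the sha1WithRSAEncryption seen in the Mac-generated request.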