Can not understand how to generate acceptable pem cert #33

Closed
roma86 opened this issue Jul 22, 2016 · 10 comments
@roma86

roma86 commented Jul 22, 2016

Hello. Thank you for the lib.

I use this command to convert p12 cer to pem

openssl pkcs12 -in aps.p12 -out aps.pem -nodes -clcerts

Which works fine when I test it with the ruby houston gem.

To test this lib I just use the example code from the readme; only the path to the pem file is changed.

The result is error message

Cert Error:failed to parse PKCS1 private key

Which is referenced to apns2/certificate/certificate.go from this lib.

When it failed I tried to send the passphrase as the last param into certificate.FromPemFile, without success.

My questions are:

  • What is the correct way to generate p12 for this library?
  • Why does the same cert work with the ruby lib and not with the current one?

Thanks in advance.


go version go1.6.2 darwin/amd64

When I say works fine I mean push notifications are delivered to the destination device.

@cenkbilgen

As you guessed, it has to do with the format of the pem file generated by the way you're calling openssl. See this related discussion: https://groups.google.com/forum/#!msg/golang-nuts/ZZ1Wt9d268Q/gQGh6e-wGAAJ.

To use the certificate you have, you need to modify certificates.go and rebuild. It worked for me by importing crypto/rsa and crypto/ecdsa then modifying ParsePrivateKey (func parsePrivateKey(bytes []byte) (crypto.PrivateKey, error)) to try using x509.ParsePKCS8PrivateKey like in the link above, not just PKCS1. I can make a pull request out of it, but try that for now.

Alternatively and easier you may be able to get the certificate file in the right form for ParsePKCS1PrivateKey through openssl, nothing I tried seemed to work so can't help you there.
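
The fallback described in the comment above, as an added Go example that is not part of the thread or the apns2 source. The names findPrivateKey, sampleBundle and sampleKey are hypothetical, and the input is constructed at run time: a placeholder CERTIFICATE block followed by a throwaway RSA key in either encoding.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"strings"
)

// findPrivateKey is a hypothetical helper (not apns2 code): PKCS#1 first, then PKCS#8.
func findPrivateKey(pemBytes []byte) (crypto.PrivateKey, error) {
	for b, rest := pem.Decode(pemBytes); b != nil; b, rest = pem.Decode(rest) {
		if !strings.HasSuffix(b.Type, "PRIVATE KEY") {
			continue // skip CERTIFICATE blocks in a combined cert+key file
		}
		if b.Headers["DEK-Info"] != "" || b.Type == "ENCRYPTED PRIVATE KEY" {
			return nil, fmt.Errorf("private key is encrypted; decrypt it first")
		}
		if k, err := x509.ParsePKCS1PrivateKey(b.Bytes); err == nil {
			return k, nil // "RSA PRIVATE KEY" block
		}
		if k, err := x509.ParsePKCS8PrivateKey(b.Bytes); err == nil {
			return k, nil // "PRIVATE KEY" block
		}
		return nil, fmt.Errorf("%q block is neither PKCS#1 nor PKCS#8", b.Type)
	}
	return nil, fmt.Errorf("no private key block found")
}

var sampleKey, _ = rsa.GenerateKey(rand.Reader, 2048) // constructed throwaway key

func sampleBundle(pkcs8 bool) []byte { // constructed input, not a real certificate
	blk := &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(sampleKey)}
	if pkcs8 {
		blk.Type = "PRIVATE KEY"
		blk.Bytes, _ = x509.MarshalPKCS8PrivateKey(sampleKey)
	}
	cert := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: []byte("placeholder")})
	return append(cert, pem.EncodeToMemory(blk)...)
}

func main() {
	for _, p8 := range []bool{false, true} {
		k, err := findPrivateKey(sampleBundle(p8))
		fmt.Printf("pkcs8=%v key=%T err=%v\n", p8, k, err)
	}
}
```

An encrypted key block is reported as such instead of surfacing as a parse failure, so the caller can tell a passphrase problem from a format problem.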

@sideshow sideshow added the bug label Jul 23, 2016
@sideshow
Owner

sideshow commented Jul 23, 2016

Hey @cenkbilgen , good find. A pull request would be awesome!
@roma86 Since you have the p12 certificate, you can also use this directly instead, without needing to convert it to a pem.
Use the certificate.FromP12File() instead of the certificate.FromPemFile() method.

@roma86
Author

roma86 commented Jul 24, 2016

@sideshow @cenkbilgen thanks

sideshow added a commit that referenced this issue Aug 2, 2016
@sideshow
Owner

sideshow commented Aug 2, 2016

@cenkbilgen thanks again for the info.
@roma86 I've pushed a fix on a branch called fix-parse-private-key. Any chance you could check this with your .pem to confirm it fixes the issue? Thanks

@roma86
Author

roma86 commented Aug 2, 2016

@sideshow thank you. I will check it today and report back to you.

@seenickcode

Awesome thanks.

@credli

credli commented Sep 7, 2016

@sideshow @seenickcode @roma86 @cenkbilgen this is to confirm that fix-parse-private-key is working for us in production mode.

@sideshow
Owner

@credli Thanks for the info. Looks like I fixed your issue, but I was unable to decrypt @roma86's private key, because of an issue with encrypted keys. I'm looking at ways to resolve this, hopefully without introducing another dependency.

@c3mb0
Contributor

c3mb0 commented Oct 10, 2016

I am not sure if this is related or fixed already, but I had problems with certificates that include full chain info (4 nodes instead of 2) for both pem and p12. For pem, a workable solution is to trim the certificate with file io since it's plain text (take the first and last node). For p12, convert the certificate to pem via this command:

openssl pkcs12 -in certName.p12 -clcerts -nokeys -passin pass:yourpassword -out certName.pem && openssl pkcs12 -in certName.p12 -nocerts -nodes -passin pass:yourpassword | openssl rsa >> certName.pem

This ensures a 2 node pem is outputted, whether the p12 is 4 or 2 node.

@sideshow
Owner

Closing this as better docs will be added as part of this issue #54
