iOS Code Signing: 2. Certificate Signing Requests
iOS Code Signing Tutorials
This is Part 2 of the iOS Code Signing tutorial series. This series covers the fundamentals of the iOS code signing process. You can find all the posts in the series linked below:
- iOS Code Signing: 1. Getting Started
- iOS Code Signing: 2. Certificate Signing Requests
- iOS Code Signing: 3. Certificates
- iOS Code Signing: 4. Provisioning Profiles
- iOS Code Signing: 5. Signing iOS App
iOS Code Signing: Certificate Signing Requests
In the previous post, we covered the basics of code signing, its benefits and limitations. Now we will get started with code signing concepts. Let’s start with the Certificate Signing Request, from where all the code signing darkness starts. As you might know, we need development and distribution certificates to build and deploy an app to the App Store. Creating an iOS development certificate is the first step that every iOS developer needs to perform in order to start with iOS development. The process of creating the certificate starts with a Certificate Signing Request. In this post, we will cover the concept of the certificate signing request (CSR) and the process of requesting a certificate using a CSR.
What is CSR
The Certificate Signing Request, a.k.a. CSR, is a message sent from an applicant to a certificate authority in order to apply for a digital identity certificate. This uses Public Key Infrastructure (PKI), which is the set of policies to create, manage and distribute digital certificates. The process of creating a CSR is very standard in PKI: the applicant generates a public and private key pair on the local machine, then attaches the public key to the CSR along with their own details like email, country etc. The applicant keeps the private key secret. The typical information required in the CSR includes CN (Common Name), Organisation, Organisation Unit, Country and email address. The CSR contains the certificate request information, the signature algorithm and a digital signature of the requester to prevent bogus certificate requests.
Sending CSR to Apple
The Certificate Signing Request (CSR) is how we request a certificate from the Certificate Authority (CA), which in this case is Apple. Apple verifies the details of whoever is requesting and issues the developer certificate if the details are correct. The request has to be created from a local macOS machine.
CSR from GUI
The CSR can be generated using Keychain Access, and Apple has some documentation for it, but in summary here is what you have to do:
- From Spotlight, search for Keychain Access
- Choose Keychain Access > Certificate Assistant > Request a Certificate From a Certificate Authority.
- Fill in your details like email, name and country. Basically, follow all the instructions on the screen.
- Select the option “Saved to disk”
- Specify a filename and click Save.
- Click Continue and the Certificate Assistant creates a CSR and saves the file to your computer.
CSR From Command Line
There is a way to create a CSR from the command line if you want to avoid the hassle of going through the GUI. You can get your CSR by running a couple of quick commands. Just fill in your name, email address and country.
$ openssl genrsa -out mykey.key 2048
$ openssl req -new -key mykey.key -out CertificateSigningRequest.certSigningRequest -subj "/emailAddress=yourAddress@example.com/CN=Your Name Dev Key/C=GB"
At the end of this process, you should see a file with the odd name CertificateSigningRequest.certSigningRequest on your local Mac. This is the file which we need to upload to the Apple Developer portal while generating certificates for development and distribution. We will cover certificates later in this article.
Now that we have our CSR on our local machine, let’s see what happened under the hood when we created the CSR. There are a few things:
- While creating CSR, the public/private key pair is generated under the hood.
- The public key is attached to your CSR
- The private key is kept inside your local machine.
If you are interested in knowing more about public/private keys and how they work in general, the term to read up on is Asymmetric Cryptography, but in general the public key is for sharing in public and the private key is private to you. You shouldn’t share it with anyone.
Let’s find out what’s inside the CSR. Run this command from your terminal to display some of the basic information about what you put inside the CSR.
$ openssl asn1parse -i -in CertificateSigningRequest.certSigningRequest
If you want to see a textual representation of the CSR, you can use the command below. Its output includes Public Key Algorithm: rsaEncryption as well as Signature Algorithm: sha256WithRSAEncryption.
$ openssl req -text -noout -in CertificateSigningRequest.certSigningRequest
The generated key pair is RSA 2048-bit, and the public key is attached to the CSR. The private key is used for the actual signing, so we have to keep it secret. It’s not a good idea to generate CSRs from multiple Macs, as the key pair generated on one Mac is not present on another Mac. It is better to use one Mac to generate the CSR until we have the certificate in P12 format.
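The points above, as an added example that is not part of the original post: it generates the key and CSR the same way, then verifies the CSR's self-signature and confirms that the public key inside the CSR belongs to the private key on disk. The function names, the `umask` step and the subject values are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example. File names and subject values are placeholders (assumptions).

# Create a 2048-bit RSA key and a CSR in directory $1.
make_csr() {
  local dir="$1"
  # umask 077: the private key file is readable by its owner only.
  ( umask 077 && openssl genrsa -out "$dir/mykey.key" 2048 2>/dev/null ) || return 1
  openssl req -new -key "$dir/mykey.key" \
    -out "$dir/CertificateSigningRequest.certSigningRequest" \
    -subj "/emailAddress=yourAddress@example.com/CN=Your Name Dev Key/C=GB"
}

# True if the CSR's self-signature verifies, i.e. whoever built the request
# held the private key matching the public key inside it.
csr_signature_ok() {
  openssl req -in "$1" -noout -verify 2>&1 | grep -q "verify OK"
}

# SHA-256 fingerprint of the public key embedded in CSR file $1.
csr_pubkey_digest() {
  openssl req -in "$1" -noout -pubkey |
    openssl pkey -pubin -pubout -outform DER |
    openssl dgst -sha256 -r | cut -d' ' -f1
}

# SHA-256 fingerprint of the public half of private key file $1.
key_pubkey_digest() {
  openssl pkey -in "$1" -pubout -outform DER |
    openssl dgst -sha256 -r | cut -d' ' -f1
}

# True if CSR $1 was made from private key $2 (empty digests never match).
csr_matches_key() {
  local a b
  a="$(csr_pubkey_digest "$1")"; b="$(key_pubkey_digest "$2")"
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# Demo: run as `bash csr_check.sh demo`.
if [ "${1:-}" = "demo" ]; then
  work="$(mktemp -d)"
  make_csr "$work" || exit 1
  csr="$work/CertificateSigningRequest.certSigningRequest"
  csr_signature_ok "$csr" && echo "CSR signature: OK"
  csr_matches_key "$csr" "$work/mykey.key" && echo "CSR belongs to mykey.key"
  rm -rf "$work"
fi
```

The same `csr_matches_key` check tells you which Mac's private key a given CSR came from, which matters when the certificate later has to be paired with that key for the P12 export.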
Now we have seen how to create Certificate Signing Requests both from Keychain Access and using the command line. In the next post, we will cover details of the certificates required for iOS development and distribution.