SEPTEMBER

04

The Methods On How To Generate CSR File

If you don’t know how to generate a CSR file, we will help you do it correctly. It is very important to get this right, as it can influence the whole Apple GSX certification process. It is also important to know how to use the GSX certificate and fix issues that you may face. But before that you need to generate a CSR file. There are several methods to do it.

Important: The key pair must be unique for each CSR file submitted to Apple.

How Do I Generate A CSR File? (All Possible Ways)

1. Utilizing OpenSSL:

The openssl command-line application can be used to create a CSR (certificate signing request) and to generate the public/private key pair.

1.1 Key Pair Generation

Command:

openssl genrsa -aes256 -out privatekey.pem 2048

While this command runs you will be asked, as a security option, to enter a pass phrase. Remember that this is your secret pass phrase (like a password); do not share it with anyone.

1.2 CSR Generation

Command:

openssl req -new -sha256 -key privatekey.pem -out certreq.csr

Once you run this command, follow the prompts and enter the details requested.

1.3 PKCS#12 File Creation (optional step)

Command:

openssl pkcs12 -inkey privatekey.pem -in cert.pem -aes256 -export -out cert.p12

Note that cert.pem is the certificate which you will receive from Apple.

1.4 Extract Private Key from a PKCS#12 File (optional step). With the -nocerts option, this command does not erase anything: it reads the PKCS#12 file from step 1.3, leaves it unchanged, and writes only the private key, AES-256 encrypted, to privatekey.pem.

Command:

openssl pkcs12 -aes256 -nocerts -in cert.p12 -out privatekey.pem

2. Utilizing OpenSSL (on Windows):

2.1 First, download and install OpenSSL. During installation, note the installation path (C:\OpenSSL-Win32).

2.2 Create a folder in a location such as C:\OpenSSL

2.3 Next, launch the command prompt [cmd] and run the command given below.

set OPENSSL_CONF=c:\OpenSSL-Win32\bin\openssl.cfg

2.4 Now generate your certificate request (CSR), specifying a SHA256 signature hash. Run the command below.

[change to the OpenSSL installation's bin folder first (C:\OpenSSL-Win32\bin)]
openssl req -nodes -sha256 -newkey rsa:2048 -keyout C:\OpenSSL\PrivateKey.key -out C:\OpenSSL\CertificateRequest.csr

2.5 You will then be asked to fill in the required information for a few certificate fields; enter it as each field comes up.

2.6 As a result you will get two generated files:

a) PrivateKey.key (this is the unencrypted version of your private key; please protect this file, as anyone who obtains it together with your signed public key can easily impersonate you)

b) CertificateRequest.csr (this is your certificate signing request, which is not sensitive at all). This is the file you will attach to an email and send to Apple.

3. Using Java Keytool:

This section targets the Java Key Store certificate store.

3.1 Key Pair Generation

Command:

keytool -genkeypair -alias mycert -keyalg RSA -keysize 2048 -keystore keystore.jks

Once you enter this command, follow the instructions that are given to you. A detailed description can be found below.

3.2 CSR Generation

Run the next command:

keytool -certreq -alias mycert -file certreq.csr -sigalg SHA256withRSA -keystore keystore.jks

3.3 Importing Issued Certificate

Command:

keytool -import -trustcacerts -alias mycert -file mycert.pem -keystore keystore.jks

Those were all the possible ways to generate a CSR file.

The next question to look at in detail is: what instructions should you follow when generating the CSR?

Please read the following important tips for CSR generation.

  • For all questions related to the organization name, enter your own organization’s details, not Apple’s.
  • You can generate the CSR file either on the host or on any other computer. It does not matter which.
  • You can generate the CSR with either DES or AES. DES is less secure.
  • Note that if a partner is using multiple servers, you will need only one certificate, generated from one CSR.
  • The IP address you use while generating the CSR does not have to be identical to the whitelisted IP address.

Right after you enter the command for generating the CSR, follow the steps at the prompt. One of the fields you will be asked to enter is “Common Name (e.g. server FQDN or YOUR name)”. As the FQDN is a very important field, please make sure that you enter the following:

  • For test environment CSR :
Applecare-APP157-[SoldTo ID].Test.apple.com
  • For production environment CSR :
Applecare-APP157-[SoldTo ID].Prod.apple.com

Here is an example, described in detail:

If your soldTo is 0000012345, the value should be Applecare-APP157-0000012345.Test.apple.com for test and Applecare-APP157-0000012345.prod.apple.com for production.

The leading zeros are really important for the process to proceed; note that the soldTo should always be 10 digits.

During CSR generation you will be asked to enter the pass phrase for the private key. This is the pass phrase that you set in the first step.

Remember that the certreq.csr file will be created in the folder where you ran these commands. You need to send an email with this CSR file to Apple in order to get a client certificate.
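
Steps 1.1 and 1.2 combined with the Common Name rules above, as an added example that is not part of the original article: it builds the CN from the environment and SoldTo ID, refuses to reuse an existing key, and checks the finished CSR before it is mailed. The function names, the KEY_PASS variable and "Example Org" are assumptions made for illustration, and the production suffix uses the capitalized "Prod" form from the list.

```shell
#!/bin/sh
# Added example (not from the original page): GSX CSR generation with checks.

# Build the Common Name; $1 is Test or Prod, $2 the 10-digit SoldTo ID.
gsx_cn() {
    gsx_env=$1 soldto=$2
    case $gsx_env in
        Test|Prod) ;;
        *) echo "environment must be Test or Prod" >&2; return 1 ;;
    esac
    case $soldto in
        ''|*[!0-9]*) echo "SoldTo must contain digits only" >&2; return 1 ;;
    esac
    if [ "${#soldto}" -ne 10 ]; then
        echo "SoldTo must be 10 digits; keep the leading zeros" >&2; return 1
    fi
    printf 'Applecare-APP157-%s.%s.apple.com\n' "$soldto" "$gsx_env"
}

# Create a fresh key pair and CSR in directory $3 for organization $4.
# The pass phrase is read from the exported variable KEY_PASS (assumed name).
gsx_make_csr() {
    cn=$(gsx_cn "$1" "$2") || return 1
    dir=$3 org=$4
    if [ -e "$dir/privatekey.pem" ]; then
        echo "key exists; each CSR needs its own key pair" >&2; return 1
    fi
    ( umask 077   # key file readable by the owner only
      openssl genrsa -aes256 -passout env:KEY_PASS \
          -out "$dir/privatekey.pem" 2048 2>/dev/null &&
      openssl req -new -sha256 -key "$dir/privatekey.pem" \
          -passin env:KEY_PASS -subj "/O=$org/CN=$cn" -out "$dir/certreq.csr" )
}

# Check the CSR before mailing it: self-signature, SHA-256, 2048-bit RSA, CN.
gsx_check_csr() {
    text=$(openssl req -in "$1" -noout -text -verify 2>&1) || return 1
    for want in 'verify OK' 'sha256WithRSAEncryption' \
                'Public-Key: \(2048 bit\)' "CN ?= ?$2\$"; do
        printf '%s\n' "$text" | grep -qE "$want" || return 1
    done
}

# Usage (constructed values):
#   export KEY_PASS='...'; gsx_make_csr Test 0000012345 . "Example Org"
#   gsx_check_csr ./certreq.csr "$(gsx_cn Test 0000012345)"
```

Only certreq.csr leaves the machine; privatekey.pem stays where it was generated, protected by the pass phrase.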