Building iOS store certificates on Windows

UPDATE Oct 2019: 2FA causes significant problems

How many times have you been working on a cross platform app and been ready to submit to the app stores, but then the Apple store needs a .csr that you should “use a Mac” to generate?

When I googled this, I found lots of complicated methods using IIS to request certificates through a quite frankly terrible UI/UX, and most of the guides glossed over how to actually get the .p12 you need at the end.

This is slightly unrelated to certificates, but the codeSignIdentity MUST be iPhone Developer regardless of whether you are building for production or development.

I’m sure some of those guides work, but I was sure it had to be easier than that. I found this post, which does it all in four commands. A colleague pointed out that it’s from 2012, but it is still relevant and it works.

I’ll pull it out here in case the links break, but this is all Ian Devlin’s work. I’m just replicating it.

  1. Install OpenSSL (installing it directly didn’t work for me, but it comes bundled with Cmder)

Now I’d recommend using WSL.

  1. Generate a key

        # the key size must be 2048
        openssl genrsa -des3 -out ios.key 2048
  2. Use the key to generate a Certificate Signing Request (CSR)

        # subject components are separated by '/', not commas (commas would fold
        # the whole string into a single emailAddress attribute)
        openssl req -new -key ios.key -out <csrName>.csr -subj '/emailAddress=MY-EMAIL-ADDRESS/CN=COMPANY-NAME/C=COUNTRY-CODE'
    
        # Or if you have a config file (which replaces the -subj passed in above)
        openssl req -new -key ios.key -out <csrName>.csr -config config.txt
  3. Upload the .CSR to the portal, which then gives you a .CER in return

  4. Convert the .CER to a .P12 (required to sign apps, or at least Cordova apps)

        openssl x509 -in ios_<development/distribution>.cer -inform DER -out <pemName>.pem -outform PEM
        # May need `-legacy` now that the default PKCS#12 encryption has changed, e.g. `... -export -legacy -inkey ...`
        openssl pkcs12 -export -inkey ios.key -in <pemName>.pem -out <p12Name>.p12
    
        # Or if you get a .crt that needs to be a .pfx
        openssl pkcs12 -export -inkey ios.key -in <crtName>.crt -out <pfxName>.pfx
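As an added example (not from Ian Devlin’s post or this one), here are the same four commands as a POSIX sh script using constructed placeholder values. The portal upload can’t happen offline, so a self-signed DER .cer built from our own CSR stands in for the one Apple returns, the .p12 export tries `-legacy` first and falls back on builds without it, and a final check confirms the private key actually matches the certificate before anything goes near a keychain. The function names, passphrase and subject values are all assumptions.

```shell
# Added example (not from the original post): the steps above run end to end with
# constructed values. The portal upload cannot happen offline, so a self-signed
# DER .cer built from our own CSR stands in for the .cer Apple returns.
set -eu
# Constructed placeholder values, not real identities or secrets.
EMAIL="dev@example.invalid"; CN="Example Company"; CC="GB"; PASS="changeit"
# Step 1: 2048-bit RSA key, passphrase supplied non-interactively.
make_key() { openssl genrsa -des3 -passout "pass:$PASS" -out "$1" 2048 2>/dev/null; }
# Step 2: CSR. Subject parts are '/'-separated; commas would fold everything
# into one emailAddress attribute.
make_csr() {
  openssl req -new -key "$1" -passin "pass:$PASS" -out "$2" \
    -subj "/emailAddress=$EMAIL/CN=$CN/C=$CC"
}
# Stand-in for the portal (step 3): self-sign the CSR into a DER .cer.
fake_portal_cer() {
  openssl x509 -req -in "$1" -signkey "$2" -passin "pass:$PASS" -days 365 \
    -outform DER -out "$3" 2>/dev/null
}
# Step 4a: DER .cer -> PEM.
cer_to_pem() { openssl x509 -in "$1" -inform DER -out "$2" -outform PEM; }
# Step 4b: PEM + key -> .p12. OpenSSL 3 defaults to AES/PBKDF2, which older macOS
# keychains reject, so try -legacy first and fall back when this build has no
# legacy provider (or is OpenSSL 1.1, which has no -legacy flag at all).
pem_to_p12() {
  if openssl pkcs12 -export -legacy -inkey "$1" -in "$2" -out "$3" \
       -passin "pass:$PASS" -passout "pass:$PASS" 2>/dev/null; then echo legacy
  else
    rm -f "$3"
    openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" \
      -passin "pass:$PASS" -passout "pass:$PASS"
    echo default
  fi
}
# Check before importing anywhere: the private key must match the certificate.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -passin "pass:$PASS" -pubout 2>/dev/null)
  c=$(openssl x509 -in "$2" -pubkey -noout)
  [ -n "$k" ] && [ "$k" = "$c" ]
}
# Read the .p12 back (verifies its MAC), with or without the legacy provider.
p12_readable() {
  openssl pkcs12 -in "$1" -passin "pass:$PASS" -nokeys -noout -legacy 2>/dev/null ||
    openssl pkcs12 -in "$1" -passin "pass:$PASS" -nokeys -noout
}
```

`pem_to_p12` prints which mode it used, so a CI log shows whether the resulting .p12 is in the legacy format that older keychains require.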

That’s it! No more hunting for someone around the office with a Mac.

Update Aug 2020: If you do want to run things up on a Mac at some point, you’ll need those .CER and .P12 files to install into the keychain. The CER is the certificate, and the P12 is the private key.
You should just be able to double-click them (CER first) and follow any prompts to get them into the keychain.

UPDATE Oct 2019
I had an issue where the only Apple ID in use by the client (and our CI pipeline) was upgraded with 2FA.
This caused the old ‘deploy to AppStores’ stuff to break, and apparently there are only two fixes at this time (without Xcode):

According to the official documentation on the Microsoft Azure DevOps ‘Deploy to Appstore’ task, 2FA shouldn’t be enabled on the CI Apple ID, and there should be one specifically for CI. This wasn’t an option for me at the time.