This is Part 2 of the iOS Code Signing tutorial series. This series covers the fundamentals of the iOS code signing process. You can find Part 1 here.
In the previous post, we covered the basics of code signing, its benefits, and its limitations. Now we will get started with code signing concepts. Let’s start with the Certificate Signing Request, where all the code signing darkness starts. As you might know, we need development and distribution certificates to build an app and deploy it to the App Store. Creating an iOS development certificate is the first step every iOS developer needs to perform in order to start with iOS development, and the process of creating that certificate starts with a Certificate Signing Request. In this post, we will cover the concept of the certificate signing request (CSR) and the process of requesting a certificate using a CSR.
What Is CSR?
A certificate signing request, a.k.a. CSR, is a message sent from an applicant to a certificate authority in order to apply for a digital identity certificate. This uses Public Key Infrastructure (PKI): the policies and mechanisms used to create, manage, and distribute digital certificates. The process of creating a CSR is standard in PKI: the applicant generates a public/private key pair on the local machine, attaches the public key to the CSR along with details like email and country, and keeps the private key secret. The typical information required in a CSR includes the CN (Common Name), Organization, Organizational Unit, Country, and email address. The CSR contains the certificate request information, the signature algorithm, and a digital signature made by the requester with the private key; this proves the requester actually holds the private key that matches the public key, so nobody can request a certificate for a key they do not own.
Sending CSR to Apple
The Certificate Signing Request (CSR) is how we request a certificate from the Certificate Authority (CA), which in this case is Apple, so that Apple can verify the details of who is requesting a developer certificate and issue it if the details are correct. The request has to be created on a local macOS machine.
CSR From the GUI
The CSR can be generated using Keychain Access, and Apple has some documentation here, but in summary, here is what you have to do:
- From Spotlight, search Keychain Access.
- Choose Keychain Access > Certificate Assistant > Request a Certificate From a Certificate Authority.
- Fill in your details like email, name, and country. Basically, follow all the instructions on the screen.
- Select the option “Saved to disk.”
- Specify a filename and click Save.
- Click Continue and the Certificate Assistant creates a CSR and saves the file to your computer.
CSR From the Command Line
There is a way to create a CSR from the command line if you want to avoid going through the GUI. You can get your CSR by running a couple of quick commands; just fill in your name, email address, and country.
$ openssl genrsa -out mykey.key 2048
$ openssl req -new -key mykey.key -out CertificateSigningRequest.certSigningRequest -subj "/emailAddress=you@example.com/CN=Your Name Dev Key/C=GB"
Replace you@example.com, the name, and the country code with your own details. Note that the subject fields passed to -subj are separated by / characters, not commas.
At the end of this process, you should see a file with the unwieldy name CertificateSigningRequest.certSigningRequest on your local Mac. This is the file we need to upload to the Apple Developer portal when generating certificates for development and distribution. We will cover certificates later in this series.
Now that we have our CSR on our local machine, let’s see what happened under the hood when we created it. There are a few things:
- While creating the CSR, a public/private key pair is generated under the hood.
- The public key is embedded in your CSR.
- The private key is kept inside your local machine.
If you are interested in learning more about public/private keys and how they work in general, look up the term Asymmetric Cryptography, but in short: the public key is for sharing publicly and the private key is private to you. You shouldn’t share it with anyone.
Let’s find out what’s inside the CSR. Run this command from your terminal; it will display the basic information you put inside the CSR as an ASN.1 structure:
$ openssl asn1parse -i -in CertificateSigningRequest.certSigningRequest
If you want to see a textual representation of the CSR, including Public Key Algorithm: rsaEncryption and Signature Algorithm: sha256WithRSAEncryption, use this command:
$ openssl req -text -noout -in CertificateSigningRequest.certSigningRequest
The generated key pair is RSA 2048-bit, and the public key is attached to the CSR. The private key is what is used for the actual signing, so we have to keep it secret. It’s not a good idea to generate CSRs on multiple Macs, because the private key generated on one Mac does not exist on another. It’s best to use a single Mac to generate the CSR until we have created the certificate and exported it, together with its private key, in P12 format.
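The following script is an added example, not code from the original post, that ties together the command-line steps above: it generates the key pair and CSR with a correctly formatted subject, verifies the requester's self-signature inside the CSR (the proof-of-possession described in the "What Is CSR?" section), checks that the public key embedded in the CSR really belongs to the private key on disk, and prints the subject and algorithms you would otherwise read out of openssl req -text. It assumes openssl is on PATH; the email address, name, country and the WORKDIR location are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): generate an RSA key and CSR
# the way the post does, then check the CSR before uploading it anywhere.
# Assumptions: openssl is on PATH; subject values below are placeholders.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
KEY="$WORKDIR/mykey.key"
CSR="$WORKDIR/CertificateSigningRequest.certSigningRequest"

# Placeholder identity; replace with your own details before use.
EMAIL="you@example.com"
CN="Your Name Dev Key"
COUNTRY="GB"

make_csr() {
    # 2048-bit RSA private key; this file never leaves the machine.
    openssl genrsa -out "$KEY" 2048 2>/dev/null
    # Subject components are separated by '/', not ', '.
    openssl req -new -key "$KEY" -out "$CSR" \
        -subj "/emailAddress=$EMAIL/CN=$CN/C=$COUNTRY"
}

# Verify the requester's self-signature inside the CSR (proof that whoever
# built the CSR holds the private key). openssl prints "verify OK" on success
# (OpenSSL 3 prefixes it with "Certificate request self-signature").
verify_csr_signature() {
    openssl req -verify -noout -in "$CSR" 2>&1 | grep -q "verify OK"
}

# Confirm the public key embedded in the CSR matches our private key by
# comparing SHA-256 digests of the two SubjectPublicKeyInfo PEM blobs.
csr_matches_key() {
    key_pub=$(openssl rsa -in "$KEY" -pubout 2>/dev/null | openssl sha256)
    csr_pub=$(openssl req -in "$CSR" -pubkey -noout | openssl sha256)
    [ "$key_pub" = "$csr_pub" ]
}

# Show the subject and the algorithms so you can eyeball what you are sending.
show_csr() {
    openssl req -noout -subject -in "$CSR"
    openssl req -text -noout -in "$CSR" \
        | grep -E 'Public Key Algorithm|Signature Algorithm'
}

make_csr
verify_csr_signature
csr_matches_key
show_csr
printf 'CSR ready for upload at %s (keep %s private)\n' "$CSR" "$KEY"
```

Because set -e is on, the script stops before printing "CSR ready" if either check fails, which is the behaviour you want before pasting a CSR into the Apple Developer portal. The key-match check is also the quickest way to diagnose the "wrong Mac" problem from the paragraph above: a CSR whose public key does not match any private key in your keychain will produce a certificate you cannot sign with.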
Now we have seen how to create a Certificate Signing Request both from Keychain Access and from the command line. In the next post, we will cover the details of the certificates required for iOS development and distribution.
Stay tuned for Part 3!