I am generating the pkpass files via an AWS Lambda function. So far I have been using the certificate.pem, private.key and wwdr.pem certificates with the wallet-py3k (https://github.com/pretix/wallet-py3k) library. Now, after a year, the certificate needs to be renewed. So I went through the process of generating the .p12 file in order to extract the certificate.pem and private.key out of it. The wwdr.pem I did not touch. The generation of the pkpass now fails with DecryptFail messages from openssl. I have provided openssl11 to the lambda function via a dedicated lambda layer. And for the new pkpass I used a different openssl version. Could that be the reason?
I found the solution and commented it below. – YuKa Jun 05 '23 at 19:35
2 Answers
1
It is possible that the key in your .p12 file doesn't match the certificate.
To check:
Extract the certificate and key (replace file.p12 with your .p12 filename):
openssl pkcs12 -in file.p12 -clcerts -nokeys -out certificate.pem
openssl pkcs12 -in file.p12 -nocerts -out privatekey.pem
Get the modulus for each:
openssl rsa -noout -modulus -in privatekey.pem | openssl md5
openssl x509 -modulus -noout -in certificate.pem | openssl md5
If they don't match, then you have the wrong key for your certificate.

PassKit
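The modulus comparison in the answer above only applies to RSA keys. As an added example (not part of either answer, and not code from wallet-py3k), the script below compares the public key in the certificate with the one derived from the private key, which also covers EC keys, and checks that the certificate has not expired. The function names, the `KEY_PASS` variable and the self-signed sample material are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: check a certificate/key pair by comparing public keys.
# Function names and the KEY_PASS variable are hypothetical.

# PEM public key embedded in a certificate.
pubkey_of_cert() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# PEM public key derived from a private key (RSA or EC). For an encrypted
# key, export KEY_PASS so openssl reads the passphrase from the environment.
pubkey_of_key() {
    # Unquoted on purpose: expands to two arguments, or to nothing if unset.
    openssl pkey -in "$1" -pubout ${KEY_PASS+-passin env:KEY_PASS} 2>/dev/null
}

# 0 = key matches certificate, 1 = mismatch, 2 = a file could not be parsed.
key_matches_cert() {
    cert_pub=$(pubkey_of_cert "$1") || return 2
    key_pub=$(pubkey_of_key "$2") || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# 0 = certificate has not expired yet, 1 = expired or unreadable.
cert_not_expired() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# Constructed sample input: a throwaway self-signed certificate with its key,
# plus an unrelated key, written into the directory given as $1.
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=constructed" \
        -keyout "$1/private.key" -out "$1/certificate.pem" 2>/dev/null &&
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/other.key" 2>/dev/null
}

# Usage: sh check_pair.sh certificate.pem private.key
if [ "$#" -eq 2 ]; then
    if ! cert_not_expired "$1"; then echo "certificate expired or unreadable"; fi
    if key_matches_cert "$1" "$2"; then
        echo "key matches certificate"
    else
        echo "key does not match certificate, or a file could not be parsed"
    fi
fi
```

Running this against the extracted files before deploying them to the Lambda function separates a wrong or unreadable key from a signing problem in the library itself.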
0
I generated the private.key in the wrong way.
The correct 2 steps are:
- Create the certificate.pem with the .p12 file via:
openssl pkcs12 -in your_p12_file.p12 -out certificate.pem -nodes
- Create the private.key out of the certificate.pem via:
openssl rsa -in certificate.pem -out private.key
Together with the wwdr.pem (the Apple certificate needs to be in .pem too), pkpass files can be signed via the wallet-py3k library.

YuKa