Question

[marcingorzan]

Hi,

Im implementing prity much same functionality. I straggling a bit with generating correct certificate for merchant validation. Can you help a little on how to generating pfx having .cer and .certSingingRequest ?

[martincostello]

You can use OpenSSL to do this.

I found some instructions here, where your CER file is the public key and your CSR is your private key.

If you have a fairly recent version of Windows 10, it can be easier to use Windows Subsystem for Linux (WSL) to generate it from bash rather than trying to get OpenSSL installed and working with Windows.

[marcingorzan]

Thank you for your quick answer and for your time. I think i miss some thing on the way.

So i got merchant_id.cer file i got xxx.CertSigningRequest I also generated the .p12 private key and .pem public key on mac where i was creating the request file. (as in documented here https://docs.ptf.radial.com/Content/Topics/payments/apple-pay-web.htm)

Now i get all of those file into my widows and trying to run openssl commands to generate pfx

I think i missign this step: Find the private key file (xxx.key) (previously generated along with the CSR).

Itried to run the commend using CSR as key

C:\>c:\OpenSSL-Win64\bin\openssl.exe pkcs12 -inkey C:\cert\umbrella-request.cert
SigningRequest -in C:\cert\merchant_id.cer -export -out C:\cert\umbrella-merchan
t-identify_pfx.pfx
unable to load private key
7512:error:0906D06C:PEM routines:PEM_read_bio:no start line:.\crypto\pem\pem_lib
.c:707:Expecting: ANY PRIVATE KEY

C:\>c:\OpenSSL-Win64\bin\openssl.exe pkcs12 -inkey C:\cert\umbrella-merchant-req
uest-private.p12 -in C:\cert\merchant_id.cer -export -out C:\cert\umbrella-merch
ant-identify_pfx.pfx

unable to load private key
12144:error:0906D06C:PEM routines:PEM_read_bio:no start line:.\crypto\pem\pem_li
b.c:707:Expecting: ANY PRIVATE KEY

Is it ok to use .certSigningRequest directly in the command? Is this should be a regenerated as .key (the extension should not have much to do since its a text ... )? Do i need to do it on the same machine as the request was created (MAC in this case?). Should i add the certificate on the machine im trying to make a conversion? Im bit confused here.

[martincostello]

Despite the file extension, I think a .certSigningRequest file is effectively a .key file for this purpose.

It was over a year ago since I did this myself, but if I recall correctly I think I put the merchant validation certificate and the original CSR into keychain and exported everything from there on the Mac, then used those files to generate the .pfx with OpenSSL on Windows.

[marcingorzan]

Hi, I finnally mange to do this. I needed to import cer to Personal certificate on my window machine then export it as out.p7b

Then create a pem file from it openssl pkcs7 -in out.p7b -inform DER -out result.pem -print_certs

then from .p12 file i get from MAC cert export i extracted a key

openssl pkcs12 -in umbrella-merchant-identify.p12 -nocerts -out privateKey.pem
openssl rsa -in privateKey.pem -out newPrivateKey.pem

And finally generated the the pfx.

openssl pkcs12 -export -inkey newPrivateKey.pem -in result.pem -name umbrella-merchant-identify -out final_result.pfx

[martincostello]

Glad to hear you've gotten it working. I might update the README at some point soon to give some pointers for how to do this for other people.

[honey6611]

marcingorzan : I am trying to get apple pay on our website but struggling with the sending client certificate to apple in the request. I was wondering if you have managed to achieve this. I need some help if possible.

Thanks

[cacothi]

hey @honey6611 I'm having this issue at the moment.

I've generated the PEM file using the EXPORT method in Keychain (Mac)

I'm getting the following errror: error:0906D06C:PEM routines:PEM_read_bio:no start line

Any idea?