iOS Question invalid CSR

Daniel Katunar

New Member
Licensed User
Hi
Today I had issues generating a certificate in the Apple Enterprise Developer Program.

I followed all the steps in the right way but I am getting the error message: "Invalid CSR, Select a valid Certificate Signing Request".

I did generate many certificates with this and other accounts in the past without any problem. I also got the same error message using a CSR file created in the past. This old CSR file worked in the past and now does not.

I called Apple to figure out if they made any change and the answer was NO changes at all.
They suggested referring to you, as a third party, to try to figure out whether you had made some change, because you sent me an update of the software a week ago.

So please, I will be looking forward to getting your answer at your earliest convenience.

Thank you very much
 

llama

Member
Licensed User
Hi, as a new user I am also getting invalid CSR.

I created the private sign key, followed the instructions to create the iOS Developer Certificate, went to upload and it came back with "Invalid CSR, Select a valid Certificate Signing Request".

Thanks for assistance on this

Regards
Chris
 

sorex

Expert
Licensed User
Be happy that you could open the certificate page. I'm only getting a "page cannot be found" error for the last 2 or 3 hours while all the other pages work fine.
 

netkomm

Active Member
Licensed User
Same problem here.

I suspect the issue is with the new certificates Apple issued (their new WWDR certificates expired on 14th Feb this year) so, my guess is that this is the issue.

I tried to generate the certs using the Mac (I have already updated the WWDR certificate on my Mac) but for whatever reason they are unusable on the remote compiler (my Mac mini got fried, so no chance to use local compilation).

https://developer.apple.com/support/certificates/expiration/
 

llama

Member
Licensed User
OK guys, I have found the solution, only if you have a Mac. I had to request a new signing certificate in the members centre on the PC. You are right about the WWDR certificates, so what I did was use a Mac to generate the Developer Certificate and copy the files from the Mac into B4i.

In B4i you create a .csr file, but that .csr file was not being recognised by Apple. B4i also creates B4i.p12 files when you create a private sign key.

Solution for me

On a Mac, you create the .csr file using "Keychain Access": Keychain Access -> Certificate Assistant -> Request a Certificate from a Certificate Authority.
This creates a .csr file.

You use that .csr file in the members centre to create a new development certificate. You must copy the .cer that is created into the keys folder in B4i, but on your Mac you must also export the .p12 file, put that in the B4i keys folder and rename it B4i.p12. That seemed to work for me.

Hope this helps. I think the key when you do this from your Mac (and I appreciate not everyone has a Mac) is the .p12 file; that is essential to sign the app.
 

sorex

Expert
Licensed User
Great that you solved your issue, @llama.

Unfortunately I need to rely on that site to continue and it's still down. Nice service.
 

sorex

Expert
Licensed User
I'm having the same issue with B4i's csr file not being accepted.

When uploading the file it gives an

Invalid CSR
Select a valid Certificate Signing Request.

error.

It appears that they changed some stuff in the last few days.
 

netkomm

Active Member
Licensed User
Thanks Llama,

This solves the problem partially. However, if you are using notifications it seems that you will face problems later on when you create the PEM file for the server. Not sure if this is related to the original issue, but while the app can be installed and works, some features depending on certificates cannot be fully functional yet.
 

llama

Member
Licensed User
Yes, @sorex mentioned you need to install https://developer.apple.com/certificationauthority/AppleWWDRCA.cer on your PC, from this link: https://developer.apple.com/support/certificates/expiration/
 

Erel

Administrator
Staff member
Licensed User
1. Download and install OpenSSL: https://slproweb.com/products/Win32OpenSSL.html
Make sure to follow the two links that appear during the installation dialog.
Install it to C:\OpenSSL-Win32 (or a similar folder).

2. Open a command window in the keys folder. You can do it by pressing on Shift + right click:



3. Run these three commands (change 123456 with the correct password):
B4X:
set OPENSSL_CONF=c:\OpenSSL-Win32\bin\openssl.cfg
B4X:
c:\OpenSSL-Win32\bin\openssl.exe pkcs12 -in B4i.p12 -out B4i.pem -nodes -passin pass:123456
B4X:
c:\OpenSSL-Win32\bin\openssl req -new -key B4i.pem -out certSigningRequest.csr -subj "/CN=UNKNOWN, C=UNKNOWN"
It should now work.
 
Last edited:
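A variant of the three commands above with verification steps, as an added example that is not part of Erel's post. It assumes the install path and file names used in the thread and OpenSSL 1.0.0 or later (for `openssl pkey`); `csr.pub` and `key.pub` are scratch file names chosen here. It lets `openssl` prompt for the .p12 password instead of passing it with `-passin`, and removes the unencrypted key file once the CSR is written.

```bat
@echo off
rem Added example, not from the thread. Run it in the B4i keys folder.
rem csr.pub and key.pub are scratch file names chosen for this example.
setlocal
set OPENSSL_CONF=c:\OpenSSL-Win32\bin\openssl.cfg
set OPENSSL=c:\OpenSSL-Win32\bin\openssl.exe
set RC=0

rem 1. Extract only the private key (-nocerts). With no -passin option,
rem    openssl prompts for the .p12 password, so the password is not
rem    typed on the command line.
"%OPENSSL%" pkcs12 -in B4i.p12 -nocerts -nodes -out B4i.pem
if errorlevel 1 goto :fail

rem 2. Build the CSR from that key (same subject string as in the thread).
"%OPENSSL%" req -new -key B4i.pem -out certSigningRequest.csr -subj "/CN=UNKNOWN, C=UNKNOWN"
if errorlevel 1 goto :fail

rem 3. Print the CSR: subject, public key size, signature algorithm.
rem    Read the output for "verify OK"; do not rely on the exit code alone.
"%OPENSSL%" req -in certSigningRequest.csr -noout -verify -text
if errorlevel 1 goto :fail

rem 4. Confirm the CSR carries the public half of the key held in B4i.p12.
"%OPENSSL%" req -in certSigningRequest.csr -noout -pubkey -out csr.pub
if errorlevel 1 goto :fail
"%OPENSSL%" pkey -in B4i.pem -pubout -out key.pub
if errorlevel 1 goto :fail
fc csr.pub key.pub >nul
if errorlevel 1 (echo CSR public key does not match the key in B4i.p12 & goto :fail)
echo CSR public key matches the key in B4i.p12.
goto :cleanup

:fail
set RC=1
echo CSR generation or verification failed.

:cleanup
rem B4i.pem holds the private key unencrypted (-nodes). It can be
rem re-created from B4i.p12 at any time, so do not leave it on disk.
del /q B4i.pem csr.pub key.pub 2>nul
exit /b %RC%
```

The text printed by step 3 shows the key size and signature algorithm the CSR actually uses, which is the first thing to compare when a portal rejects a request without saying why.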

netkomm

Active Member
Licensed User
As a temporary solution please follow these instructions:

1. Download and install OpenSSL: https://slproweb.com/products/Win32OpenSSL.html
Make sure to follow the two links that appear during the installation dialog.
Install it to C:\OpenSSL-Win32 (or a similar folder).

2. Open a command window in the keys folder. You can do it by pressing on Shift + right click:



3. Run these two commands (change 123456 with the correct password):
B4X:
c:\OpenSSL-Win32\bin\openssl.exe pkcs12 -in B4i.p12 -out B4i.pem -nodes -passin pass:123456
B4X:
c:\OpenSSL-Win32\bin\openssl req -new -key B4i.pem -out certSigningRequest.csr -subj "/CN=UNKNOWN, C=UNKNOWN"
It should now work.
Hi Erel, your snippet relates to the .pem file, am I right?

We still need the Mac to create a CSR file to submit to Apple, since the one that B4i generates is still invalid (even after installing the new Apple certificate on my PC).
 

netkomm

Active Member
Licensed User
In order to recap - the whole process I follow (and where I stumble...) I am editing it as we go along. Please feel free to interject so that we can solve this issue once and for all.

Step 1) Updated the Apple Certificate on PC and MAC with the new one and rebooted (just in case!);

Step 2) Create a new project on B4i;

Step 3) Create a new "Sign Key" : insert First Name and Last Name, copy the same data into Organization, enter the country code and set the password. The files B4i.p12, B4i.keystore and certSigningRequest.csr are created in the KEYS folder;

Step 4) I log into Apple Developer Area and create the Developer Certificate. I upload the certSigningRequest.csr generated by B4i and I get this error

p1.PNG

At this point, if I had only a PC, I would be stuck.
I try to solve the impasse by turning on my Mac in order to create a CSR compliant with Apple.

ON MAC:

Step 5) Open "Keychain Access" and select the option Certificate Assistant >> Request a Certificate From a Certificate Authority

Step 6)
Enter the (same) email in the User Email field and the (same) name in Common Name. Select the option "Saved To Disk": the CSR file named CertificateSigningRequest.certSigningRequest is generated and I saved it in the B4i folder.

(...continue later...)
 

sorex

Expert
Licensed User
I confirm that this workaround is working :)

if you get the warning in step 1 > WARNING: can't open config file: /usr/local/ssl/openssl.cnf

enter this command first

set OPENSSL_CONF=c:\OpenSSL-Win32\bin\openssl.cfg
 

sorex

Expert
Licensed User
I don't know if it is related to this issue, but I recreated the certificates and fixed the provisioning files.

The bridge compiled and installed just fine on both the iPhone and a borrowed iPad.

But when I run my program it works fine on the iPhone, while it fails with a class not found error on the iPad.
The "wrong version of debug found" at the bottom of the error is not always there, though.

I had this before and the cleaning solved it then, but now it doesn't.

The iPad also doesn't give this install app notification. I don't know if that's normal or not, but it seems to run it.

B4X:
Error occurred on line: 8 (Main)
Class not found: b4i_binarypuzzle_game
Stack Trace: (
  CoreFoundation       <redacted> + 150
  libobjc.A.dylib      objc_exception_throw + 38
  CoreFoundation       <redacted> + 0
  Bridge               -[B4IShell createObject:] + 206
  Bridge               -[B4IShell raiseEventImpl:method:args::] + 2062
  Bridge               -[B4IShellBI raiseEvent:event:params:] + 1442
  Bridge               -[B4IStaticModule initializeModule] + 530
  Bridge               -[b4i_main initializeStaticModules] + 88
  Bridge               -[B4IShellBI raiseEvent:event:params:] + 230
  Bridge               __33-[B4I raiseUIEvent:event:params:]_block_invoke + 74
libdispatch.dylib    <redacted> + 10
libdispatch.dylib    <redacted> + 22
libdispatch.dylib    _dispatch_main_queue_callback_4CF + 1532
CoreFoundation       <redacted> + 8
CoreFoundation       <redacted> + 1590
CoreFoundation       CFRunLoopRunSpecific + 516
CoreFoundation       CFRunLoopRunInMode + 108
GraphicsServices     GSEventRunModal + 160
UIKit                UIApplicationMain + 144
Bridge               main + 108
libdyld.dylib        <redacted> + 2
)
An error occurred:
(Line: 0) 0
java.lang.RuntimeException: Wrong version of debug app started.

Press on Tools - Clean project to reinstall the app.
 

sorex

Expert
Licensed User
bizarre, I don't see an icon for the installed app so I don't think it installed anything at all.

the bridge screen goes away when I compile in debug mode but gets focus again when that error occurs.
 

sorex

Expert
Licensed User
I had this black bogus B4i Bridge icon and a working Bridge icon.

I could not remove the black one but when I clicked on it it installed the bridge again and the other bridge icon is gone and the app one suddenly appears.

The app is also working now.

Edit: yelled too soon, it worked once. Now I get that error again.

Edit2:
solved! removed the bridge (was just a blue icon) and reinstalled ca.pem & the bridge.

now it has the right icon and the app compiles'n runs.
 
Last edited: