3 months ago

Apple Wallet Pass Series (Part 1): Navigating Certificate Generation

Learn how to generate and set up the required certificates for Apple Wallet pass creation


Before you start issuing Apple Wallet cards, you need to pay the customary Apple Tax, or as they call it, "sign up for an Apple Developer account".

The Apple Developer Account costs $99 USD. You can learn more about the account details here and you can sign up for an account here.

To generate your Apple pass you will need three things:

  1. Signer Certificate

  2. Signer Certificate Key

  3. WWDR (Apple WorldWide Developer Relations) G4 Certificate (visit Apple PKI Portal to download it)

The following is how you get the Signer Certificate and the Signer Certificate Key.

  1. After signing up and agreeing to their terms of service, go to the "Certificates, Identifiers & Profiles" page at this link. On this page, enter a description (this is only for your own use, so put in something useful) and an identifier. The identifier should usually follow a reverse domain name style, such as pass.com.YOURDOMAIN.SOMESUBDOMAIN. Save this identifier, as you will need it later for the pass.json.

  2. Click the "Register" button on the following page.

  3. Now you should see a page with a list of identifiers. Look for the pass you just registered, use the search button, or filter by Pass Type IDs; once you find it, click on it.

  4. You should see a page with a "Create Certificate" button. Click it, then keep that page open while you complete the generation of your signing certificates.

  5. Open your terminal and generate your private key. This will be your signerKey in the next steps (make a copy of it and put it in your finalized files list).

# To protect the key with a passphrase, add "-passout pass:<your-passphrase>" before "2048".
# If you go the passphrase way, you'll have to pass "-passin pass:<your-passphrase>" (or enter it manually)
# in the next commands and, once done, set it in passkit-generator as `signerKeyPassphrase`.
 
$ openssl genrsa -out <your-key-name>.key 2048
  6. Generate a CSR using your private key (the key file from step 5). The final file should have a .csr extension. You'll be prompted to insert a few pieces of information, one per prompt. Continue reading.
$ openssl req -new -key <your-key-name>.key -out request.certSigningRequest
  7. Fill out the requested information; you can also just press Enter to skip the fields. After the email address, you won't need any further information, so press Enter until you reach the end.
Country Name (2-letter code) [AU]: SA
State or Province Name [Some-State]: Saudi Arabia
Locality Name []:
Organization Name [Internet Widgits Pty Ltd]:
Organizational Unit Name []: 
Common Name []: 
Email Address []: your-email
  8. Take the generated file request.certSigningRequest and upload it to the provisioning portal page from step 4 (you can fill out the pass certificate name however you want). Once processed, you'll be able to download a certificate like pass.cer. At this point, also note down your passTypeIdentifier and teamIdentifier. The passTypeIdentifier is what you initially entered; the teamIdentifier can be found at the top right-hand corner of the page where you download the certificate.

  9. At this stage I would recommend you create a folder to store the finalized files you will be using; then you can get rid of the intermediary files.

  10. Once you have downloaded the certificate, you'll have to convert it to .pem (from DER-encoded to PEM Base64-encoded). Save the result somewhere safe. You'll be using it in your application as signerCertificate.pem; this file should be saved in the finalized folder. This will be the signer certificate we will be using.

$ openssl x509 -inform DER -outform PEM -in pass.cer -out signerCertificate.pem
  11. Take the WWDR Certificate you downloaded earlier and convert it to a Base64 .pem by repeating the conversion from the previous step. You'll be using it in your application for the key wwdr. Save the result somewhere safe.
$ openssl x509 -inform DER -outform PEM -in <cert name>.cer -out wwdr.pem
  12. Save the output wwdr.pem into the finalized files folder.
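
Before deleting the intermediary files, it is worth checking that the three finalized files actually belong together. The script below is an added example, not part of the original guide or of passkit-generator; the function name check_pass_files and its argument order are assumptions, and it uses only standard openssl subcommands.

```shell
#!/bin/sh
# Added example. The function name and argument order are assumptions;
# pass the paths of your signer certificate, signer key and wwdr.pem.
check_pass_files() {
    cert=$1; key=$2; wwdr=$3; rc=0

    for f in "$cert" "$key" "$wwdr"; do
        [ -r "$f" ] || { echo "FAIL: cannot read $f" >&2; return 2; }
    done

    # 1. The key must be the one whose CSR produced the certificate:
    #    compare the certificate's public key with the one derived from the key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$key" -pubout) || return 2
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: private key does not match the certificate" >&2; rc=1
    fi

    # 2. The signer certificate must not be expired.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
        echo "FAIL: signer certificate has expired" >&2; rc=1
    fi

    # 3. The certificate's issuer should be the WWDR certificate you converted.
    #    This compares names only; it is not a signature verification.
    issuer=$(openssl x509 -in "$cert" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
    subject=$(openssl x509 -in "$wwdr" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
    if [ "$issuer" != "$subject" ]; then
        echo "FAIL: issuer '$issuer' is not '$subject'" >&2; rc=1
    fi

    # 4. The private key should be readable by its owner only (e.g. chmod 600).
    if [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
        echo "FAIL: $key is accessible to group or others" >&2; rc=1
    fi

    return $rc
}
```

Run it as check_pass_files signerCertificate.pem <your-key-name>.key wwdr.pem; a return status of 0 means all four checks passed. A passphrase-protected key will prompt for its passphrase.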

Part of series: Creating Custom Apple Wallet Cards: A Developer's Guide
