Pkpass generation fails after yearly signature renewal

I am generating the pkpass files via an AWS Lambda function. So far I have been using the certificate.pem, private.key and wwdr.pem certificates with wallet-3kpy(https://github.com/pretix/wallet-py3k) library. Now, after a year, the certificate needs to be renewed. So I went through the process of generating the .p12 file in order to extract the certificate.pem and private.key out of it. The wwdr.pem I did not touch. The generation of the pkpass now fails with DecryptFail messages from openssl. I have provided openssl11 to the lambda function via a dedicated lambda layer. And for the new pkpass I used a different openssl version. Could that be the reason?

It is possible that the key in your .p12 file doesn't match the certificate.

To check:

Extract the certificate and key (replace file.p12 with your .p12 filename).
:

openssl pkcs12 -in file.p12 -clcerts -nokeys -out certificate.pem
openssl pkcs12 -in file.p12 -nocerts -out privatekey.pem

Get the modulus for each:

openssl rsa -noout -modulus -in privately.pem | openssl md5
openssl x509 -modulus -noout -in certificate.pem | openssl md5

If they don't match, then you have the wrong key for your certificate.

I generated the private.key in the wrong way.

The correct 2 steps are:

1. Create the certificate.pem with the .p12 file via:

     openssl pkcs12 -in your_p12_file.p12 -out certificate.pem -nodes

2. Create the private.key out of the certificate.pem via:

    openssl rsa -in certificate.pem -out private.key

Together with the wwdr.pem (the apple certificate needs to be in .pem too), pkpass files can be signed via the wallet-py3k library.