I think I’ve solved it.
When creating certs per the instructions above, we got p12 cert files with the outdated RC2-40-CBC algorithm. We can determine this like so:
openssl pkcs12 -info -in files/Staging/Production.p12
The output included “Algorithm (RC2-40-CBC : 0)”.
I tried generating new certs in a way that got us the newer AES-256-CBC algorithm and this seems to work fine both in Node 16 and Node 18. This is how I did it.
aps.cer is the file I created via the wizard on the Apple Developer site. This converts it to from aps.cer to staging.pem.
openssl x509 -in aps.cer -inform DER -out staging.pem -outform PEM
Then I need the private key associated with the CSR. I found that in Keychain Access (under “Keys”, has the same name as I picked for the CSR, kind is “private key”) and exported it to a p12 without a password.
Then I converted it from p12 to pem like this:
openssl pkcs12 -in staging_priv.p12 -nocerts -out staging_priv.pem
I provided an empty “Import Password” (since I exported it without one) but provided a simple “PEM pass phrase” like “1234” since one was required. Now I have a staging_priv.pem.
And now (phew) I can create a staging.p12 file:
openssl pkcs12 -export -inkey staging_priv.pem -in staging.pem -out staging.p12
When asked for “pass phrase for staging_priv.pem”, I provided “1234” from above.
When asked for an “Export Password”, I provided the secret passphrase that we pass into the ParseServer push settings.