
@carsonmcdonald
Created April 4, 2014 02:22
A script that will validate a P12 certificate/key pair with an iOS mobile provisioning profile.
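#!/bin/sh
# mpverify.sh - check that the certificate inside a PKCS#12 bundle is the
# developer certificate embedded in an iOS provisioning profile.
#
# Usage: mpverify.sh <cert p12> <profile>
#
# Requires: openssl, plus the macOS tools `security` and `plutil`.
#
# Exit status:
#   0  the certificates match
#   1  the certificates differ
#   2  usage error, or a certificate could not be extracted or parsed
#
# NOTE(review): only the first certificate in the bundle and the first <data>
# entry of DeveloperCertificates are compared; a profile that lists several
# developer certificates is reported as a mismatch unless the signing
# certificate happens to be the first one.

set -u
# Everything written below is created readable by the invoking user only.
umask 077

CERT=${1:-}
PROFILE=${2:-}

# Print a diagnostic on stderr and stop with the "could not verify" status.
die() {
  printf 'mpverify.sh: %s\n' "$*" >&2
  exit 2
}

if [ ! -f "$CERT" ] || [ ! -f "$PROFILE" ]; then
  echo "Usage: mpverify.sh <cert p12> <profile>" >&2
  exit 2
fi

# Work in a private directory from mktemp. Fixed names under /tmp built from
# the PID are guessable, so another local user could pre-create or symlink
# them; the directory is removed on every exit path, including signals.
workdir=$(mktemp -d "${TMPDIR:-/tmp}/mpverify.XXXXXX") \
  || die "cannot create a temporary directory"
cleanup() { rm -rf -- "${workdir:?}"; }
trap cleanup EXIT
trap 'exit 2' HUP INT TERM

# first_block FILE START_RE STOP_RE
# Print the lines strictly between the first START_RE line and the next
# STOP_RE line, with spaces and tabs removed (plutil indents its base64).
first_block() {
  awk -v start="$2" -v stop="$3" '
    inside && $0 ~ stop { exit }
    inside { gsub(/[ \t]/, ""); print }
    $0 ~ start { inside = 1 }
  ' "$1"
}

# pem_to_text B64_FILE TEXT_FILE
# Wrap a bare base64 body in PEM armour and write openssl's text rendering.
pem_to_text() {
  {
    echo "-----BEGIN CERTIFICATE-----"
    cat "$1"
    echo "-----END CERTIFICATE-----"
  } > "$1.pem"
  openssl x509 -in "$1.pem" -noout -text > "$2"
}

# describe_cert TEXT_FILE
# Print the subject and serial number lines, tab-indented. The certificate
# text is passed to printf as an argument, never as the format string, so a
# '%' in a subject name cannot be interpreted as a conversion.
describe_cert() {
  grep "Subject: " "$1" | awk '{printf "\t%s\n", $0}'
  grep -A 1 "Serial Number" "$1" \
    | awk '{printf "\t%s ", $0; getline; gsub(/^ */, "", $0); print}'
}

# -nokeys: only the certificates are needed for the comparison, so the
# private key is never written to disk in the clear.
openssl pkcs12 -in "$CERT" -nokeys -out "$workdir/p12-certs.pem" \
  > /dev/null 2> /dev/null \
  || die "cannot read certificates from $CERT (wrong password or not a PKCS#12 file?)"
first_block "$workdir/p12-certs.pem" \
  '-----BEGIN CERTIFICATE-----' '-----END CERTIFICATE-----' > "$workdir/p12.b64"
[ -s "$workdir/p12.b64" ] || die "no certificate found in $CERT"

# Without pipefail the pipeline status is plutil's; a failed `security`
# leaves plutil with empty input, which also fails.
security cms -D -i "$PROFILE" \
  | plutil -extract DeveloperCertificates xml1 -o "$workdir/profile-certs.plist" - \
    > /dev/null 2> /dev/null \
  || die "cannot extract DeveloperCertificates from $PROFILE"
first_block "$workdir/profile-certs.plist" '<data>' '</data>' > "$workdir/profile.b64"
[ -s "$workdir/profile.b64" ] || die "no developer certificate found in $PROFILE"

pem_to_text "$workdir/profile.b64" "$workdir/profile.txt" \
  || die "cannot parse the certificate from $PROFILE"
pem_to_text "$workdir/p12.b64" "$workdir/p12.txt" \
  || die "cannot parse the certificate from $CERT"

diff "$workdir/profile.txt" "$workdir/p12.txt" > /dev/null 2> /dev/null
case $? in
  0)
    echo "Certificate matchs provisioning profile."
    ;;
  1)
    printf '\n%s\n\n' "!!!! Certificate doesn't match provisioning profile."
    echo "Here is the mobile profile cert information:"
    describe_cert "$workdir/profile.txt"
    echo ""
    echo "Here is the signing cert information:"
    describe_cert "$workdir/p12.txt"
    exit 1
    ;;
  *)
    # diff status > 1 means the comparison itself failed; that must not be
    # reported as a match.
    die "cannot compare the extracted certificates"
    ;;
esac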