usr\bin directory to your system PATH environment variable (via SystemPropertiesAdvanced.exe), so in my case I needed to add C:\Program Files\Git\usr\bin, then close all shells (cmd, PowerShell), reopen and openssl should be accessible anywhere.
Create a private key, and store it somewhere secure and safe:
openssl genrsa -out ios_distribution0524.key 2048
Generate a CSR using that private key, using the below command (replace email as necessary, make sure it’s a valid user on your Developer account):
openssl req -new -key ios_distribution0524.key -out ios_distribution0524.csr -subj "/emailAddress=<EMAILHERE>/CN=<COMPANYNAMEHERE>/C=GB"
Revoke the old certificate in https://developer.apple.com/account/resources/certificates
Click the + symbol, click iOS Distribution, no services, and download the resulting certificate.
Copy it to wherever you were using OpenSSL, and run the below to convert it to PEM:
openssl x509 -in ios_distribution.cer -inform DER -out ios_distribution0524.pem -outform PEM
Run the below to combine them into a pkcs12 file (more or less a .pfx file - very minor differences in some cases):
openssl pkcs12 -export -inkey ios_distribution0524.key -in ios_distribution0524.pem -out ios_distribution0524.p12 -passout pass:<ENTERPASSWORDHERE>
HOWEVER, as of May 2024, macOS images in DevOps pipelines are using an old version of OpenSSL, so you need to make sure you use -legacy (an OpenSSL 3.x option that writes the file with the older PKCS#12 encryption algorithms) to export the p12:
openssl pkcs12 -export -legacy -inkey ios_distribution0524.key -in ios_distribution0524.pem -out ios_distribution0524.p12 -passout pass:<ENTERPASSWORDHERE>
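To confirm which form a given .p12 ended up in before handing it to the pipeline, the sketch below (an added example, not part of the original post) looks for the encryption-scheme OIDs, which are stored unencrypted in the file, so no password is needed. The function name p12_scheme is hypothetical; the OIDs are the standard PBES2 and PKCS#12 PBE identifiers.

```sh
#!/bin/sh
# Added example: report which password-based encryption scheme a .p12 uses.
# The AlgorithmIdentifier OIDs are readable without decrypting anything.

# DER encodings (tag 06, length, value) as space-separated lowercase hex bytes.
# 1.2.840.113549.1.5.13   = PBES2 (e.g. PBKDF2 + AES-256-CBC, the OpenSSL 3.x default)
PBES2_OID='06 09 2a 86 48 86 f7 0d 01 05 0d'
# 1.2.840.113549.1.12.1.x = PKCS#12 PBE family (SHA1 with 3DES or RC2, what -legacy writes)
PKCS12_PBE_OID='06 0a 2a 86 48 86 f7 0d 01 0c 01'

# p12_scheme FILE -> prints "modern", "legacy" or "unknown"; returns 2 if unreadable.
p12_scheme() {
    [ -r "$1" ] || return 2
    # Dump every byte as hex and normalise all whitespace to single spaces,
    # so the patterns above match only on byte boundaries.
    hex=$(od -An -v -tx1 "$1" | tr -s ' \n' ' ')
    case "$hex" in
        *"$PBES2_OID"*)      echo modern ;;   # any PBES2 bag needs a newer reader
        *"$PKCS12_PBE_OID"*) echo legacy ;;
        *)                   echo unknown ;;
    esac
}

# Example gate before uploading the file as a pipeline secret:
# [ "$(p12_scheme ios_distribution0524.p12)" = legacy ] || echo "re-export with -legacy" >&2
```

A file that mixes schemes (for example a 3DES key bag with a PBES2 certificate bag) is reported as modern, since a single PBES2 bag is enough to stop an older reader.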