Chapter 2. App IDs, Keys, and Certificates

The ultimate goal of the iOS build and release process is distribution of your app. Distribution includes installing an app onto an iOS device after compiling in Xcode, or packaging your app into a binary so that someone else can install it onto their device using iPhone Configuration Utility, iTunes, or an internal website (all forms of Ad Hoc Distribution). Distribution also includes the process of signing and packaging your app so that it can be submitted to the App Store (this process is appropriately titled “App Store Distribution”).

To load an app onto an iOS device, it must first be signed with either a Development or a Distribution Certificate. The Provisioning Profile names the certificate(s) allowed to sign; Xcode matches a certificate listed in the profile against a signing identity (the certificate plus its private key) in your keychain and signs with that private key. Prior to creating a Provisioning Profile, you must first have your certificate(s) in place, your application identifier (App ID) set up, and at least one iOS device added to your “Devices List” on the iOS Provisioning Portal website. In this chapter, we are going to focus on the creation of the App ID and the setup of the Development and Distribution Certificates; adding devices to your Devices List and creating Provisioning Profiles will be covered in Chapter 3.

If you already have an active iOS Xcode project (or have inherited one), the information in this chapter can be used to help you understand an existing App ID, or guide you through the initial creation of an App ID. We’ll also go over scenarios that may lead you to decide to migrate to a new App ID, so that your app can be configured for a feature such as Apple Push Notification Service, or iCloud.

My goal is to save you time, particularly with the tasks covered in this chapter and the next. The steps detailed in this chapter will walk you through the proper setup of your Development and Distribution Certificates in order to avoid code signing errors during the build and distribution process.

App IDs

What is an App ID? Pragmatically speaking, an App ID is a globally unique identifier for an iOS application that is created by a Team Admin or Team Agent within the iOS Provisioning Portal. It is used to identify your app(s) within Apple’s system. You will need to create an App ID in order to deploy your app to an iOS device. App IDs cannot be removed once they are created.

The App ID is unique throughout the Apple system and has the format 'Bundle_Seed_ID.Bundle_ID', where the Bundle Seed ID is the 10-character (Team or Individual) account ID for your iOS Developer Program and the Bundle ID is what you define when creating the App ID. You may have an existing, older App ID whose Bundle Seed ID was randomly generated rather than being your account ID; all new Bundle Seed IDs, however, are your account ID, which you can find in the Member Center section of the iOS Provisioning Portal (navigate to Your Account → Account Summary).

Everything following the period after the Bundle Seed ID is the Bundle ID, which you enter at creation time. A Bundle ID can be any string of alphanumeric characters, but best practice is to use a reverse-domain-name convention such as 'com.acme.FinancialPlanner' or 'com.utilities.*'. As these examples show, an App ID can either be fully specified (“explicit”) or end in an asterisk (*) as a wildcard character. A wildcard Bundle ID is commonly used when several apps will share the same Provisioning Profile (and, with it, the same App ID prefix for keychain access). Another benefit of a wildcard App ID is that a single App ID can be used to develop multiple apps. For example, you could create a wildcard App ID such as 3H569L2349.casino.*, and use it to develop 3H569L2349.casino.roulette and 3H569L2349.casino.blackjack. These would be two different Xcode projects, and you would input casino.roulette and casino.blackjack as the respective Bundle identifiers within the target settings for each Xcode project (see App ID Setup). If you use the wildcard character, it must be the last character in the App ID.

App IDs without the wildcard character (explicit App IDs) can be used to develop only a single app. For an explicit App ID such as 3H569L9349.com.acme.FinancialPlanner, you would input com.acme.FinancialPlanner as the Bundle identifier in Xcode (see Table 2-1 for examples).

Table 2-1. Different types of App IDs and how they are used
Type      App ID                                 Bundle Seed ID or Team ID   Bundle ID (Bundle identifier entered in Xcode)
Explicit  3H569L9349.com.acme.FinancialPlanner   3H569L9349                  com.acme.FinancialPlanner
Explicit  7L2O9A2384.pokertournament             7L2O9A2384                  pokertournament
Wildcard  4B587C2146.*                           4B587C2146                  flyswatter
Wildcard  AW4MH6TPFX.com.acme.*                  AW4MH6TPFX                  com.acme.mortgageCalc
Wildcard  PSQV8VS4PW.com.tomdeveloper.*          PSQV8VS4PW                  com.tomdeveloper.fastcars
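The parsing and matching rules just described, as an added worked example (this is not code from the chapter or from Apple): it splits an App ID into Bundle Seed ID and Bundle ID, enforces the "wildcard only as the last character" rule, and decides which Bundle identifiers (the value typed into the Xcode target settings) a given App ID covers. The sample App IDs are those from Table 2-1. Two points are this example's own assumptions rather than statements on this page: the allowed Bundle ID character set also admits "-", and most_specific() prefers an explicit App ID over a wildcard, then the longest wildcard prefix.

```python
"""Added example (not code from the chapter): parse iOS App IDs and decide
which Bundle identifiers a given App ID can cover.

An App ID is "<Bundle Seed ID>.<Bundle ID>".  An explicit App ID covers exactly
one Bundle identifier; a wildcard App ID ("*" must be the last character)
covers every Bundle identifier that begins with the text before the "*".
"""
import re
from dataclasses import dataclass
from typing import Iterable, Optional

SEED_RE = re.compile(r"[A-Z0-9]{10}")        # 10-character Team / Individual account ID
BUNDLE_RE = re.compile(r"[A-Za-z0-9.\-]*")   # letters, digits, "." and "-" (assumed character set)


@dataclass(frozen=True)
class AppID:
    seed: str     # Bundle Seed ID / Team ID, e.g. "3H569L9349"
    bundle: str   # Bundle ID as registered, e.g. "com.acme.*" or "casino.roulette"

    @property
    def is_wildcard(self) -> bool:
        return self.bundle.endswith("*")

    @property
    def prefix(self) -> str:
        """Fixed part a Bundle identifier must start with (wildcard) or equal (explicit)."""
        return self.bundle[:-1] if self.is_wildcard else self.bundle


def parse_app_id(text: str) -> AppID:
    """Split 'SEED.bundle' and reject the shapes the Provisioning Portal rejects."""
    seed, sep, bundle = text.partition(".")
    if not sep or not SEED_RE.fullmatch(seed):
        raise ValueError(f"App ID must start with a 10-character Bundle Seed ID: {text!r}")
    if "*" in bundle[:-1]:
        raise ValueError(f"the wildcard '*' must be the last character: {text!r}")
    body = bundle[:-1] if bundle.endswith("*") else bundle
    if not bundle.endswith("*") and not body:
        raise ValueError(f"explicit App ID has an empty Bundle ID: {text!r}")
    if not BUNDLE_RE.fullmatch(body):
        raise ValueError(f"Bundle ID contains characters outside the allowed set: {text!r}")
    return AppID(seed, bundle)


def is_valid_app_id(text: str) -> bool:
    try:
        parse_app_id(text)
        return True
    except ValueError:
        return False


def matches(app_id: AppID, seed_id: str, bundle_identifier: str) -> bool:
    """True if a profile built on app_id can sign the app whose prefix is seed_id
    and whose Bundle identifier is what you typed into the Xcode target settings."""
    if app_id.seed != seed_id:
        return False  # different team, or a legacy randomly generated seed
    if not bundle_identifier or not BUNDLE_RE.fullmatch(bundle_identifier):
        return False
    if app_id.is_wildcard:
        return bundle_identifier.startswith(app_id.prefix)
    return bundle_identifier == app_id.bundle


def most_specific(app_ids: Iterable[AppID], seed_id: str, bundle_identifier: str) -> Optional[AppID]:
    """Of the App IDs that cover the app, prefer an explicit one, then the longest
    wildcard prefix.  (This preference order is this example's own rule.)"""
    hits = [a for a in app_ids if matches(a, seed_id, bundle_identifier)]
    if not hits:
        return None
    return max(hits, key=lambda a: (not a.is_wildcard, len(a.prefix)))


if __name__ == "__main__":
    ids = [parse_app_id(t) for t in ("3H569L9349.*", "3H569L9349.casino.*", "3H569L9349.casino.roulette")]
    for bid in ("casino.roulette", "casino.blackjack", "com.acme.FinancialPlanner"):
        chosen = most_specific(ids, "3H569L9349", bid)
        print(f"{bid:28} -> {chosen.bundle if chosen else 'no App ID covers this app'}")
```

Running the block shows that casino.roulette is covered by its explicit App ID, casino.blackjack falls back to casino.*, and an unrelated Bundle identifier is covered only by the bare wildcard. Note that the seed check comes first: a wildcard such as com.acme.* registered under one team never covers an app built with another team's prefix, which is why the table lists the seed as a separate column.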

Creating an App ID

You have a choice when creating an App ID; to use a Bundle ID with a wildcard character or an explicit Bundle ID. Be aware, for planning purposes, that using a wildcard App ID means that the following services cannot be configured for your app: Apple Push Notification Service, In App Purchase, Game Center, Data Protection, Passes, and iCloud. These services have to be enabled (and possibly configured) for each explicit App ID, which is done within the App IDs section of the iOS Provisioning Portal. For more information, see Chapter 4.

To create a new App ID, log in to the iOS Dev Center and go to the iOS Provisioning Portal. Follow these steps (see Figure 2-1):

  1. Go to the App IDs section and select the Manage tab. Press the New App ID button.

  2. For the Create App ID interface, fill in the following fields and press Submit when done:

    Description

    Enter a brief description of the App ID you are creating. Only alphabet characters or numbers are allowed.

    Bundle Seed ID

    Select “Use Team ID”.

    Bundle Identifier

    Enter a Bundle ID.

Creating a new App ID
Figure 2-1. Creating a new App ID

Now that your App ID is created, you can associate it with both Development and Distribution Provisioning Profiles (see Development and Distribution Provisioning Profiles). However, in order to create a Provisioning Profile, you will first need a valid certificate, which is what we are going to cover for the remainder of this chapter.

Development and Distribution Certificates

Development and Distribution Certificates are used to digitally sign an app to facilitate the installation of an app onto iOS devices for testing, or the packaging of an app for distribution to the App Store. This section covers the process to create both the Development and Distribution Certificates manually, which is necessary if you did not use Xcode Organizer to set up your device (as covered in Chapter 1), or if you have created an App ID (explicit or wildcard) manually.

Tip

You need a Development Certificate to sign the app so that it can be deployed to a device locally from Xcode. You need a Distribution Certificate to sign the app so that it can be distributed to other users for installation onto their devices for testing, or to the App Store.

Things to note regarding certificates:

  • An Individual account in the iOS Developer Program has only one Development Certificate, because there is only one Team (Agent) account for this type of membership.

  • A Company/Organization account in the iOS Developer Program allows each individual member of a Development Team to have his or her own Development Certificate. Team Member accounts must submit a request to have a Development Certificate approved. Once the request has been approved by a Team Admin or Agent, the certificate is created and the Team Member can download her individual Development Certificate for installation into Keychain Access.

  • Both types of iOS Developer Program accounts have only one Distribution Certificate.

  • Upon creation, Development and Distribution Certificates are valid for one year, unless the certificate is revoked (deleted) prior to expiration from the iOS Provisioning Portal (done by a Team Admin or Agent).

  • If you revoke a certificate, any Provisioning Profiles associated with it become invalid and must be renewed. An associated Provisioning Profile cannot be modified or deleted until a new certificate has been generated; once it has, the Provisioning Profile can be renewed. Revoking a certificate has no effect on apps you currently have available on the App Store.

  • Team Member accounts have no access to the Distribution tab, and therefore cannot view or download Distribution Certificates within the iOS Provisioning Portal.

Tip

What if you are developing many different apps with your iOS Developer Program account? Won’t you need more than one Development or Distribution Certificate? No, you can create multiple Provisioning Profiles (one for each app if you wish) to associate with your Development or Distribution Certificate. Provisioning Profiles are covered in Chapter 3.

At a high level, here are the steps to create a certificate (Development or Distribution):

  1. Using Keychain Access, create a Certificate Signing Request (CSR) file. During this process, a public/private key pair will be created in your default (login) keychain.

  2. To create the certificate, submit the CSR file to Apple using the Certificates section of the iOS Provisioning Portal.

  3. Download and install the generated certificate into Keychain Access.

  4. Download and install the Apple WWDR intermediate certificate into Keychain Access.

For our purposes here, we’re going to assume that your “login” keychain is your default keychain. You can verify which keychain is set to “default” within Keychain Access; whichever keychain is bold is your default keychain (see Figure 2-2).

The “login” keychain is set to the default keychain, as it is in bold
Figure 2-2. The “login” keychain is set to the default keychain, as it is in bold

Development Certificate Setup

When Xcode attempts to build and deploy your app to an iOS device (connected locally to your computer with a USB cable), the Development Certificate is accessed by Xcode through a Development Provisioning Profile. You must have a valid Development Certificate installed in your default keychain within Keychain Access in order for your app to be properly signed without error when deploying to a locally connected device. This section details how to set up and install the Development Certificate.

Creating a Development Certificate Signing Request File

Before you can use the iOS Provisioning Portal to generate a Development Certificate, you must first create a Development Certificate Signing Request (CSR) file on your computer. Follow these steps to create the file:

  1. Open Keychain Access (located in Applications → Utilities).

  2. Within the Keychains category, highlight the login keychain, and select Keychain Access → Certificate Assistant → “Request a Certificate From a Certificate Authority” (see Figure 2-3).

    Requesting a Certificate
    Figure 2-3. Requesting a Certificate

    Note

    If you are generating your Development CSR file for the first time, make sure no private key is highlighted in the Keychain Access main panel before you open the Keychain Access menu, because its options change with the current selection. If instead you are generating a CSR for a private key you have imported into your keychain (for example, when renewing a certificate), do highlight that private key first, because in that scenario the intent is to generate a CSR from the existing key rather than to create a new key pair.

  3. In the Certificate Information window, enter the following information and press Continue when you are done (see Figure 2-4 for an example).

    User Email Address

    Enter your email address. Use the same email address that is associated with your account in the Member Center.

    Common Name

    Enter your full name.

    CA Email Address

    Leave this field blank.

    Request is

    Select the “Saved to disk” radio button.

    Let me specify the key pair information

    There is no need to check this box; doing so only prompts you for the Key Size and Algorithm, whose defaults (2048 bits and RSA respectively) are what you want. However, make sure the “Let me specify the key pair information” checkbox is present. If it is not, you most likely had a private key highlighted in the main panel of Keychain Access when you chose to “Request a Certificate from a Certificate Authority” (see step 2), and the Certificate Assistant would reuse that key instead of generating a new pair. If this is the case, close the Certificate Assistant and start this process over, ensuring that no private key is highlighted.

  4. When prompted, save the CertificateSigningRequest.certSigningRequest file to your Desktop.

  5. Your Development CSR file will be generated and saved to your Desktop. Press Done at the Conclusion dialog box.

As stated previously, during creation of the Development CSR, a public/private key pair has been created within your login keychain within the Keys category of Keychain Access. The key pair is identified by the Common Name field as specified during creation of the CSR file. In the next section we’ll create and associate a Development Certificate with your newly created private key.

An example Development Certificate Information dialog box
Figure 2-4. An example Development Certificate Information dialog box

Generating a Development Certificate

Now that you have created your Development CSR file, we will use it to generate a Development Certificate. Log in to the iOS Dev Center and go to the iOS Provisioning Portal. Follow these steps to request and generate a Development Certificate:

  1. Go to the Certificates section and select the Development tab. Press the Request Certificate button.

  2. Scroll to the bottom of the “Create iOS Development Certificate” page. Press the “Browse…” button and select the Development CSR file that you created in the previous section. Once you have the CSR file in the interface, press the Submit button.

  3. Based on your Team account credentials, one of the following will happen (Note: For those enrolled in the iOS Developer Program as Individual, everything is done as the Team Agent):

    • Team Members will need to have their “Team Signing Request” approved by a Team Admin or Agent, who are notified via email that a “Certificate Request Requires Your Approval.” After the signing request has been approved, you will receive an email notification and your Development Certificate will go from a state of “Pending” to “Issued.”

    • Certificate requests from the Team Agent or Admin are instantly approved. Refresh your browser (more than once if needed); the certificate will be in an “Issued” state.

  4. Press the Download button and save the Development Certificate to your computer.

  5. Double-click the ios_development.cer file to install the Development Certificate into your login keychain.

  6. Press the “click here to download now” link to download the “WWDR intermediate certificate” to your computer from the same page.

  7. Double-click the AppleWWDRCA.cer file to install the WWDR (Apple Worldwide Developer Relations Certification Authority) certificate into your login keychain.

Verifying the Development Certificate

To confirm that the Development Certificate has been generated and installed correctly, open up Keychain Access and select the login keychain.

  • Within the “My Certificates” category you should see your Development Certificate. Expand the Development Certificate by clicking on the triangle to the left of the certificate. The Development Certificate must be associated to the private key that was created along with the Development CSR file. The Development Certificate will have a green checkbox with a “This certificate is valid” message (see Figure 2-5).

    The Development Certificate associated to a private key
    Figure 2-5. The Development Certificate associated to a private key
  • Within the Keys category you should see the public and private keys that were generated during the creation of the Development CSR file. Expand the private key by clicking on the triangle to the left of the key. The private key must be associated to the Development Certificate (see Figure 2-6).

    A public/private key pair, with a Development Certificate associated to the private key
    Figure 2-6. A public/private key pair, with a Development Certificate associated to the private key
  • Within the Certificates category you should see the “Apple Worldwide Developer Relations Certification Authority” certificate. You will also see the Development Certificate associated to the private key. Both certificates will have a green checkbox with a “This certificate is valid” message (see Figure 2-7). Verify that you do not have duplicate certificates, as this will cause you to receive the following error message when Xcode attempts to sign your app: [BEROR]CodeSign error: Certificate identity "iPhone Developer: <your_name>" appears more than once in the keychain. The codesign tool requires there only be one.

    The Apple WWDR, and Development Certificate with private key
    Figure 2-7. The Apple WWDR, and Development Certificate with private key

If you do not see the setup described here, check to see if either the Development Certificate and/or keys were installed into another keychain. If that is the case, move each item to your default keychain.

Caution

By default, Keychain Access hides expired certificates. Check for one by choosing View → Show Expired Certificates. Expired certificates should be deleted and re-created if needed.

Identifying Your Development Keys

As a best practice (especially if you are going to create your Distribution Certificate on the same computer as your Development Certificate), rename the Development public/private key pair that you have just created. Why do this? Currently the Development public/private keys are identified in your login keychain with the Common Name you specified at creation time. During the creation of the Distribution Certificate, an additional public/private key pair will be created, which may also be identified by the Common Name. If you are going to use something else for the Common Name when creating your Distribution Certificate, such as a company name, this won’t be an issue; it will be very apparent at a glance which key pair is associated with which certificate. However, if you are going to use the same Common Name during the creation of your Distribution CSR file that you used for your Development CSR file, it is very likely you could end up with two public/private key pairs with the same name, and no easily discernible difference between the two. If you ever wanted to transfer or back up a particular key pair, it will be very difficult to know for certain whether you are backing up the desired key pair, especially if you delete the certificate associated to the private key.

This raises the question: why not just specify a distinctive Common Name at creation time, rather than renaming afterward? The answer is in the question: make sure everything is set up and verified correctly before you rename the keys.

To rename your Development public/private keys, follow these steps:

  1. Open Keychain Access.

  2. Within Keychains, select the keychain in which you have installed your Development public/private key pair.

  3. Within Category, select Keys.

  4. Right-click the development public key, and select Get Info.

  5. Within Attributes, change the name to something easily identifiable such as: “Tom Hacker - iOS Development public key”. Press Save Changes when done.

  6. Right-click the development private key, and select Get Info.

  7. Within Attributes, change the name to something easily identifiable such as: “Tom Hacker - iOS Development private key”. Press Save Changes when done.

  8. Your Development keys are now identifiable at a glance (see Figure 2-8 for an example).

Development keys with identifiable names
Figure 2-8. Development keys with identifiable names

At this point, your Development Certificate is set up. If you have already provisioned your device using Xcode Organizer or have provisioned your device manually (see Chapters 1 and 3 respectively), you are ready to start compiling your app in Xcode for deployment to a locally connected device (see Building and Deploying to an iOS Device Using Xcode).

Distribution Certificate Setup

The Distribution Certificate is used when Xcode attempts to sign your app so that it can be packaged for other users to load onto their devices, or distributed to the App Store. You must have a valid Distribution Certificate with a corresponding private key installed in your default keychain within Keychain Access in order for your app to be properly signed without error. Creating the Distribution Certificate is a very similar process to creating the Development Certificate, and at the end of this process there will be a new distribution-specific public/private key pair and Distribution Certificate within Keychain Access. For Company/Organization accounts in the iOS Developer Program, this process must be done using the Team Agent or Admin account.

Note

It is usually easiest to create the Distribution Certificate on the computer on which you will be creating the (Ad Hoc and App Store) distribution builds. For an organization, this could be a dedicated build machine; for an individual developer, this could be the same computer on which you configured your Development Certificate. The Distribution Certificate can be generated on any computer in your organization, but generating it on the computer that signs the distribution builds avoids having to export and import the Distribution Certificate (and its private key) to the build server later. For more information on transferring your Distribution Certificate to another computer, see Exporting Your Distribution Certificate.

Creating a Distribution Certificate Signing Request File

Before you can use the iOS Provisioning Portal to generate a Distribution Certificate, you must first create a Distribution Certificate Signing Request (CSR) file on your computer. Follow these steps to create a Distribution CSR file:

  1. Open Keychain Access.

  2. Within the Keychains category, highlight the login keychain, and select Keychain Access → Certificate Assistant → “Request a Certificate From a Certificate Authority” (see Figure 2-3).

  3. In the Certificate Information window, enter the following information and press Continue when you are done (see Figure 2-9):

    User Email Address

    If you are enrolled in the iOS Developer Program as an “Individual”, enter the email address associated with your account. If you are enrolled in the iOS Developer Program as a Company/Organization, enter the email address that corresponds to the Team Agent account. You may want to verify the correct email address within the Member Center before proceeding.

    Common Name

    Enter the legal name of your Company/Organization (e.g., “Acme Corporation”). If you are going to publish your app to the App Store as yourself, enter your full name as you wish to be identified on the App Store.

    CA Email Address

    Leave this field blank.

    Request is

    Select the “Saved to disk” radio button.

    Let me specify the key pair information

    There is no need to check this box; doing so only prompts you for the Key Size and Algorithm, whose defaults (2048 bits and RSA respectively) are what you want. However, make sure the “Let me specify the key pair information” checkbox is present. If it is not, you most likely had a private key highlighted in the main panel of Keychain Access when you chose to “Request a Certificate from a Certificate Authority” (see step 2), and the Certificate Assistant would reuse that key instead of generating a new pair. If this is the case, close the Certificate Assistant and start this process over, ensuring that no private key is highlighted.

    An example Distribution Certificate Information dialog box
    Figure 2-9. An example Distribution Certificate Information dialog box
  4. When prompted, save the CertificateSigningRequest.certSigningRequest file to your Desktop.

  5. Your Distribution CSR file will be generated and saved to your Desktop. Press Done at the Conclusion dialog box.

As stated previously, during the creation of the Distribution CSR, a public/private key pair has been generated in your login keychain within the Keys category. The key pair is identified by the Common Name field specified during creation of the CSR file. In the next section, we’ll create and associate a Distribution Certificate to your newly created private key.

Generating a Distribution Certificate

Now that you have created your Distribution CSR file, log in to the iOS Dev Center as the Team Agent or Admin and go to the iOS Provisioning Portal. Follow these steps to request and generate the Distribution Certificate:

  1. Go to the Certificates section and select the Distribution tab. Press the Request Certificate button.

  2. Scroll to the bottom of the “Create iOS Distribution Certificate” page. Press the “Browse…” button and select the Distribution CSR file you created in the previous section. Once you have the CSR file in the interface, press the Submit button.

  3. The Distribution Certificate will be in a state of “Pending Issuance.” Refresh your browser (more than once if needed); the certificate will be in a state of “Issued.”

  4. Press the Download button and save the Distribution Certificate to your computer.

  5. Double-click the ios_distribution.cer file to install the Distribution Certificate into your login keychain.

  6. If you do not already have the “Apple Worldwide Developer Relations Certification Authority” certificate installed within the Certificates category of your login keychain, use the “click here to download now” link to download the “WWDR intermediate certificate” to your computer from either the Distribution or Development tab (the file is the same, regardless of the tab you download it from).

  7. Double-click the AppleWWDRCA.cer file to install the WWDR (Apple Worldwide Developer Relations Certification Authority) certificate into your login keychain.

Verifying the Distribution Certificate

To confirm that the Distribution Certificate has been generated and installed correctly, open up Keychain Access and select the login keychain.

  • Within the “My Certificates” category, you should see your Distribution Certificate. Expand the Distribution Certificate by clicking on the triangle to the left of the certificate. The Distribution Certificate must be associated to the private key that was created along with the Distribution CSR file. The Distribution Certificate will have a green checkbox with a “This certificate is valid” message (see Figure 2-10).

  • Within the Keys category, you should see the public and private keys that were generated during the creation of the Distribution CSR file. Expand the private key by clicking on the triangle to the left of the key. The private key must be associated to the Distribution Certificate (see Figure 2-11).

    The Distribution Certificate associated to a private key
    Figure 2-10. The Distribution Certificate associated to a private key
    A public/private key pair, with a Distribution Certificate associated to the private key
    Figure 2-11. A public/private key pair, with a Distribution Certificate associated to the private key
  • Within the Certificates category you should see the “Apple Worldwide Developer Relations Certification Authority” Certificate. You will also see the Distribution Certificate associated to the private key. Both certificates will have a green checkbox with a “This certificate is valid” message (see Figure 2-12). Verify that you do not have duplicate certificates, because this will cause you to receive the following error message when Xcode attempts to sign your app: [BEROR]CodeSign error: Certificate identity "iPhone Distribution: <your_name>" appears more than once in the keychain. The codesign tool requires there only be one.

    The Apple WWDR, and Distribution Certificate with private key
    Figure 2-12. The Apple WWDR, and Distribution Certificate with private key
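The checks in Verifying the Development Certificate and Verifying the Distribution Certificate (certificate associated to its private key, WWDR intermediate present, no expired certificates, no duplicate identities) expressed as an added worked example. This is not code from the chapter and Keychain Access exposes none of it as an API: the keychain contents are constructed sample data and the public-key fields are stand-in byte strings rather than real SubjectPublicKeyInfo structures. The point is the logic: which items in the keychain add up to a signing identity that codesign can actually use, and which of the failure modes the two sections describe each stray item produces.

```python
"""Added example (not code from the chapter): audit keychain contents the way
codesign and Xcode will see them.

A signing identity is a certificate whose public key matches a private key in
the same keychain.  codesign can use it only if the certificate is unexpired,
the WWDR intermediate is installed so the chain validates, and the identity
name occurs exactly once.  Everything below is constructed sample data.
"""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Tuple

WWDR_LABEL = "Apple Worldwide Developer Relations Certification Authority"


@dataclass(frozen=True)
class Cert:
    label: str          # Keychain Access "Name" column, e.g. "iPhone Developer: Tom Hacker"
    public_key: bytes   # stand-in for the certificate's SubjectPublicKeyInfo
    not_after: datetime


@dataclass(frozen=True)
class PrivateKey:
    label: str          # e.g. "Tom Hacker - iOS Development private key"
    public_key: bytes   # public half of the pair; this is what links a key to its certificate


@dataclass
class Audit:
    usable: List[str] = field(default_factory=list)                 # identities codesign can use
    problems: List[Tuple[str, str]] = field(default_factory=list)   # (item label, reason)


def fingerprint(public_key: bytes) -> str:
    return hashlib.sha256(public_key).hexdigest()


def audit(certs: List[Cert], keys: List[PrivateKey], now: datetime) -> Audit:
    result = Audit()
    keys_by_fp = {fingerprint(k.public_key): k for k in keys}
    has_wwdr = any(c.label == WWDR_LABEL for c in certs)
    if not has_wwdr:
        result.problems.append((WWDR_LABEL, "intermediate certificate missing; the chain will not validate"))

    # Group signing certificates by name: the name is what codesign is asked to sign with.
    by_label = {}
    for c in certs:
        if c.label != WWDR_LABEL:
            by_label.setdefault(c.label, []).append(c)

    for label, group in by_label.items():
        identities = []
        for c in group:
            if c.not_after <= now:
                result.problems.append((label, f"expired {c.not_after:%Y-%m-%d}; delete it and re-create"))
            if fingerprint(c.public_key) not in keys_by_fp:
                result.problems.append((label, "no matching private key here; import the .p12, not just the .cer"))
                continue  # a certificate without its private key is not a signing identity
            identities.append(c)
        if len(identities) > 1:
            result.problems.append((label, f"appears {len(identities)} times; codesign will refuse with "
                                           "'Certificate identity ... appears more than once in the keychain'"))
        elif len(identities) == 1 and identities[0].not_after > now and has_wwdr:
            result.usable.append(label)

    cert_fps = {fingerprint(c.public_key) for c in certs}
    for fp, key in keys_by_fp.items():
        if fp not in cert_fps:
            result.problems.append((key.label, "private key with no certificate (stale CSR, or certificate installed elsewhere)"))
    return result


def sample_keychain():
    """Constructed login keychain: one good Distribution identity, a Development
    certificate installed twice, an expired identity, and an orphaned private key."""
    now = datetime(2013, 3, 1)
    dev, dist, old = b"stand-in dev key", b"stand-in dist key", b"stand-in old key"
    certs = [
        Cert(WWDR_LABEL, b"stand-in wwdr key", now + timedelta(days=3000)),
        Cert("iPhone Developer: Tom Hacker", dev, now + timedelta(days=200)),
        Cert("iPhone Developer: Tom Hacker", dev, now + timedelta(days=200)),   # .cer double-clicked twice
        Cert("iPhone Distribution: Acme Corporation", dist, now + timedelta(days=300)),
        Cert("iPhone Developer: Old Laptop", old, now - timedelta(days=10)),    # hidden unless View > Show Expired
    ]
    keys = [
        PrivateKey("Tom Hacker - iOS Development private key", dev),
        PrivateKey("Acme Corporation - iOS Distribution private key", dist),
        PrivateKey("Old Laptop private key", old),
        PrivateKey("Imported Private Key", b"stand-in orphan key"),
    ]
    return certs, keys, now


if __name__ == "__main__":
    report = audit(*sample_keychain())
    print("usable:", report.usable)
    for label, reason in report.problems:
        print(f"problem: {label}: {reason}")
```

On the sample keychain only the Distribution identity is usable; the doubled Development certificate reproduces the "appears more than once" condition, the expired certificate is reported even though Keychain Access would hide it, and the orphaned private key is the leftover you would see after a CSR whose certificate was never installed on this machine. On a real Mac the equivalent check is `security find-identity -v -p codesigning`, which lists only certificates that have a matching private key and a valid chain.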

Identifying Your Distribution Keys

As a best practice, consider renaming the public/private Distribution key pair that you have just created so that they are easily identifiable within Keychain Access. Currently the Distribution keys are identified in your login keychain within the Keys category as the Common Name you specified at creation time. Assigning these keys a descriptive name will save you a lot of time identifying your keys later on, especially if you are going to transfer this key pair to another computer. Assuming you have also renamed your Development public/private key pair (see Identifying Your Development Keys), follow these steps to rename the Distribution public/private key pair:

  1. Open Keychain Access.

  2. Within Keychains, select the login keychain.

  3. Within Category, select Keys.

  4. Right-click your distribution public key, and select Get Info.

  5. Within Attributes, change the name to something identifiable. For example, “Acme Corporation - iOS Distribution public key” for a Company/Organization, or “Tom Hacker - iOS Distribution public key” for an individual developer.

  6. Press Save Changes.

  7. Right-click your distribution private key, and select Get Info.

  8. Within Attributes, change the name to something identifiable. For example, “Acme Corporation - iOS Distribution private key” for a Company/Organization, or “Tom Hacker - iOS Distribution private key” for an individual developer.

  9. Press Save Changes. Your Distribution keys are now identifiable at a glance (see Figure 2-13).

Distribution keys with identifiable names
Figure 2-13. Distribution keys with identifiable names

Exporting Your Distribution Certificate

If you are going to build your app for Ad Hoc or App Store Distribution on multiple computers, you will need to export your Distribution Certificate and import it into the relevant keychain on each of these computers. It is also a good idea to export your Distribution Certificate and store it in a safe place so that it can be recovered after a system crash or an operating-system reinstall. Treat the exported file as a secret rather than as source: the Certificates.p12 contains the private key, and anyone who obtains it together with its password can sign apps as you until the certificate is revoked. If you keep it in version control, use a separate, access-restricted repository or secrets store rather than the application source tree, and protect the file with a strong export password.

Follow the steps below to export your Distribution Certificate:

Tip

This same process can also be used to export your Development Certificate to transfer to another computer, if you are going to be developing on multiple computers.

  1. Open Keychain Access.

  2. Select the login keychain (or whichever keychain your Distribution Certificate is in), and select the ‘My Certificates’ category.

  3. Select the Distribution Certificate (which has an associated private key) that you wish to export.

  4. Select File → “Export Items…”

  5. A Certificates.p12 file will be created that contains both the Distribution Certificate and the associated private key. Save the Certificates.p12 file to your Desktop.

  6. You will be prompted to enter a password to secure the Certificates.p12 file. Choose a strong one: this password is the only protection on the exported private key, and you will need it to import the certificate onto other computers.

  7. You will also be prompted for your account login password in order to export the certificate & private key from the keychain. Press Allow or Always Allow when you are done entering your password.

Importing Your Distribution Certificate

After you have exported your Distribution Certificate, copy the Certificates.p12 file to the target computer and follow these steps to import the certificate into the login keychain:

  1. Open Keychain Access.

  2. Select the login keychain (or whichever keychain you wish to import your Distribution Certificate into), and select the ‘My Certificates’ category.

  3. From the File menu, select “Import Items…”.

  4. Browse to your Certificates.p12 file and choose Open.

  5. You will be prompted to enter the password used to secure the Certificates.p12 file at creation time.

Importing an exported certificate file can also be done using the command line in a Terminal session (you will be prompted for the password used to lock the Certificates.p12 file when it was created):

$ security import Certificates.p12 -k ~/Library/Keychains/login.keychain

Your Distribution Certificate and its associated private key are now in the keychain on the target computer. Confirm that the certificate landed in the keychain you intended.

Tip

If you use this process to import an exported public key file, after it is imported, it is (unhelpfully) named “Imported Public Key.” Follow the steps in Identifying Your Development Keys to give your public key a more descriptive name.
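What an exported Certificates.p12 actually holds, and why exporting only the certificate (a .cer file) is not enough to sign on another computer, can be checked with openssl. The script below is an added example written for this page, not code from the book; it stands in a constructed self-signed key pair and certificate for the Apple-issued identity, uses a constructed export password, and runs on any machine with openssl rather than only inside Keychain Access.

```shell
#!/bin/sh
# Added example (not from the book): inspect a Keychain Access style .p12
# export with openssl, so the check runs on any machine, not only a Mac.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
EXPORT_PASS='s3cret-export-pass'   # constructed; the password from step 6

# Constructed stand-in for the Apple-issued identity: an RSA key pair and a
# self-signed certificate using the CN form Apple gives distribution identities.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
  -out "$WORK/dist.key" 2>/dev/null
openssl req -x509 -new -key "$WORK/dist.key" -days 365 -sha256 \
  -subj '/CN=iPhone Distribution: Acme Corporation/O=Acme Corporation' \
  -out "$WORK/dist.pem" 2>/dev/null

# What "Export Items..." produces for an entry in My Certificates: the
# certificate AND its private key, protected only by the export password.
openssl pkcs12 -export -inkey "$WORK/dist.key" -in "$WORK/dist.pem" \
  -name 'iPhone Distribution: Acme Corporation' \
  -passout "pass:$EXPORT_PASS" -out "$WORK/Certificates.p12"

# What exporting the certificate alone (.cer) produces: no private key, so it
# cannot sign anything after import.
openssl x509 -in "$WORK/dist.pem" -outform DER -out "$WORK/dist.cer"

# 0 if the file opens with the given password, 1 otherwise (wrong password,
# or the file is not a PKCS#12 bundle at all).
p12_password_ok() {            # $1 = file, $2 = password
  openssl pkcs12 -in "$1" -passin "pass:$2" -noout >/dev/null 2>&1
}

# 0 if the bundle carries a private key, i.e. it is a complete signing identity.
p12_has_private_key() {        # $1 = file, $2 = password
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
    | grep -q 'PRIVATE KEY'
}

# Number of certificates in the bundle (an export may also carry the chain).
p12_cert_count() {             # $1 = file, $2 = password
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE' || true
}

# Subject of the identity, to confirm you are moving the certificate you meant to.
p12_subject() {                # $1 = file, $2 = password
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -subject
}

echo "Export written to $WORK/Certificates.p12"
p12_subject "$WORK/Certificates.p12" "$EXPORT_PASS"
if p12_has_private_key "$WORK/Certificates.p12" "$EXPORT_PASS"; then
  echo "Certificates.p12 contains the private key: usable for signing after import"
fi
if ! p12_has_private_key "$WORK/dist.cer" "$EXPORT_PASS"; then
  echo "dist.cer has no private key: importing it alone will not let you sign"
fi
if ! p12_password_ok "$WORK/Certificates.p12" 'wrong-password'; then
  echo "wrong export password rejected"
fi
```

On the target Mac the equivalent check after `security import` is `security find-identity -v -p codesigning`, which lists only identities whose certificate and private key are both present. `security import` also accepts `-P` for the .p12 password and `-T /usr/bin/codesign` to let codesign use the key without a prompt on an unattended build machine; note that `-P` puts the password into your shell history.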

Certificate Renewal

Upon creation, Development and Distribution Certificates are valid for one year, unless a Team Admin or Agent revokes (deletes) them from the iOS Provisioning Portal before then. In practice, the first warning you see is usually from an Ad Hoc Provisioning Profile installed on an iOS device, telling you that it is about to expire. The renewal workflow presented here (for a Development or a Distribution Certificate) is: back up the existing certificate, delete it from the keychain, generate a new CSR file from the existing private key, and use that CSR file to obtain a new certificate. Public/private key pairs do not expire, so only the certificate is deleted; the key pair is kept and reused. Before you start, follow the steps in Exporting Your Distribution Certificate to back up the certificate and private key; if anything goes wrong, importing that Certificates.p12 file into Keychain Access returns you to your current state.

Follow these steps to renew a certificate:

  1. Open Keychain Access.

  2. Select the login keychain (or whichever keychain the certificate you wish to renew is in), and select the ‘My Certificates’ category.

  3. Expand the certificate you plan to renew by clicking the triangle to its left. The certificate is associated with the private key that was created along with the original CSR file. Make sure that this private key has a name that distinguishes it from every other private key in the login keychain: go to the Keys category and check, and if the name is not unique, rename it (see Identifying Your Distribution Keys).

    Note

    The point is that we are going to delete the certificate and then generate a new CSR file from the private key it was associated with. If that private key has a unique name, you will not have to work out afterwards which key to use for the new CSR file, and you avoid submitting a CSR made from some other key, which would get you a certificate that does not match the key in your backups.

  4. Right-click the certificate, and select Delete "Certificate_Name" (see Figure 2-14).

    Deleting a certificate prior to renewal
    Figure 2-14. Deleting a certificate prior to renewal

    Note

    This section is based on the assumption that the certificate you are deleting is only in the login keychain. If you are going through this process on a computer you use for automated builds, there is a good chance there is a copy of the certificate in the System keychain. If this is the case, delete the certificate out of the System keychain as well.

  5. Select the Keys category and highlight the private key. Generate a CSR file from the private key by right-clicking on the key and choosing ‘Request a Certificate From a Certificate Authority With "Private_Key_Name...”' (see Figure 2-15).

    Creating a CSR file from an existing private key
    Figure 2-15. Creating a CSR file from an existing private key
  6. In the Certificate Information window, enter the following information and press Continue when you are done (see Figure 2-16):

    User Email Address

    If you are renewing a Development Certificate, enter the email address associated with your account in the Member Center. If you are renewing a Distribution Certificate, enter the email address of the Team Agent account in the Member Center (for an Individual developer, this is your own email address as it appears in the Member Center). It is worth verifying the address in the Member Center before entering it.

    Common Name

    If you are renewing a Development Certificate, enter your full name. If you are renewing a Distribution Certificate, enter the legal name of your company or organization (e.g., “Acme Corporation”). If you are going to publish your app to the App Store as yourself, enter your full name as you wish to be identified on the App Store.

    CA Email Address

    Leave this field blank.

    Request is

    Select the “Saved to disk” radio button.

    Note

    Notice how you do not see the “Let me specify the key pair information” checkbox as we did when generating the original Development and Distribution Certificates. This is because we are creating a CSR file from an existing private key; there is no need to supply key pair information.

    An example Certificate Information dialog box
    Figure 2-16. An example Certificate Information dialog box
  7. When prompted, save the CertificateSigningRequest.certSigningRequest file to your Desktop. Press Done at the Conclusion dialog box.

  8. Log in to the iOS Dev Center and go to the iOS Provisioning Portal. In the Certificates section, select either the Development or Distribution tab (depending on which certificate you are renewing) and revoke the existing certificate (see Figure 2-17). Revoking a certificate has no effect on apps you currently have available on the App Store.

    Note

    All Provisioning Profiles associated with the certificate are now marked Invalid, and remain so until a new certificate has been generated.

    Revoking a Certificate
    Figure 2-17. Revoking a Certificate
  9. To generate and install a new Development Certificate, follow the steps in Generating a Development Certificate. To generate and install a new Distribution Certificate, follow the steps in Generating a Distribution Certificate.

  10. Now that you have generated a new certificate, your Provisioning Profile(s) are still marked Invalid, but they can be modified (see Figure 2-18).

    Modifying Provisioning Profiles
    Figure 2-18. Modifying Provisioning Profiles
  11. Select Modify for the Provisioning Profile you wish to re-enable. Modify the profile in the smallest, least intrusive way possible; de-selecting and re-selecting a device association is enough. The point is to “tweak” the profile so that the Submit button becomes enabled. Once you press Submit, the Provisioning Profile status changes to Pending. Refresh your browser (more than once if needed) until the profile shows as Active.

  12. Before downloading the updated Provisioning Profile(s), remove the current Provisioning Profile(s) from your Mac by deleting the profile(s) from Xcode Organizer (see Figure 2-19).

    Deleting Provisioning Profiles
    Figure 2-19. Deleting Provisioning Profiles

    Note

    You could delete the Provisioning Profile(s) by removing the files directly from the ~/Library/MobileDevice/Provisioning Profiles directory, but you should delete them from Xcode Organizer instead. Why? Even though you have deleted the certificate from your keychain, Xcode will restore the deleted certificate to your keychain, and the next time you attempt to build your app the build will fail with '[BEROR]CodeSign error: Certificate identity 'iPhone Distribution: Common_Name' appears more than once in the keychain. The codesign tool requires there only be one'.

  13. Download and install the updated Provisioning Profile(s).

  14. Rebuild your app with the updated Provisioning Profile(s).
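The two facts this procedure rests on, that the key pair outlives the certificate and that the new CSR must come from the same key the old certificate was issued for, can be demonstrated and checked with openssl. The script below is an added example written for this page, not code from the book; it uses a constructed key pair and a constructed self-signed certificate with one day of validity in place of the Apple-issued certificate, and constructed Team Agent details in the CSR subject. It also shows the failure mode the note under step 3 warns about: a CSR made from some other private key.

```shell
#!/bin/sh
# Added example (not from the book): the renewal flow in openssl terms, to show
# that the key pair survives and to check the new CSR against the old certificate.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SUBJECT='/emailAddress=agent@example.com/CN=Acme Corporation'   # constructed

# Constructed stand-in for the expiring identity: the private key made with the
# original CSR, and the certificate issued for it (self-signed here, with one
# day of validity left so that it is "about to expire").
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
  -out "$WORK/dist.key" 2>/dev/null
openssl req -x509 -new -key "$WORK/dist.key" -days 1 -sha256 \
  -subj '/CN=iPhone Distribution: Acme Corporation/O=Acme Corporation' \
  -out "$WORK/old-cert.pem" 2>/dev/null

# 0 if the certificate is still valid $2 seconds from now, 1 if it will have expired.
cert_valid_for_seconds() {     # $1 = cert, $2 = seconds
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Step 5: a CSR from the EXISTING private key. No new key pair is created;
# only the certificate gets replaced.
csr_from_existing_key() {      # $1 = key, $2 = subject, $3 = output CSR
  openssl req -new -key "$1" -subj "$2" -out "$3" 2>/dev/null
}

# SHA-256 of the DER-encoded public key held in a key file, a CSR, or a cert,
# so that all three can be compared directly.
pubkey_fingerprint() {         # $1 = key|csr|cert, $2 = file
  case "$1" in
    key)  openssl pkey -in "$2" -pubout ;;
    csr)  openssl req -in "$2" -noout -pubkey ;;
    cert) openssl x509 -in "$2" -noout -pubkey ;;
  esac 2>/dev/null | openssl pkey -pubin -outform DER 2>/dev/null \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# The check the note under step 3 is guarding: was the CSR made with the same
# key the old certificate certifies? 0 if yes, 1 if the wrong key was used.
csr_matches_cert_key() {       # $1 = CSR, $2 = old cert
  [ "$(pubkey_fingerprint csr "$1")" = "$(pubkey_fingerprint cert "$2")" ]
}

csr_subject() {                # $1 = CSR
  openssl req -in "$1" -noout -subject
}

if ! cert_valid_for_seconds "$WORK/old-cert.pem" $((7 * 86400)); then
  echo "old certificate expires within 7 days: renew it"
fi

csr_from_existing_key "$WORK/dist.key" "$SUBJECT" "$WORK/renew.csr"
csr_subject "$WORK/renew.csr"
if csr_matches_cert_key "$WORK/renew.csr" "$WORK/old-cert.pem"; then
  echo "renew.csr carries the same public key as the old certificate"
fi

# Failure mode: a CSR made from a different private key in the keychain. The
# certificate issued for it would belong to that other key, not to the one in
# your backups and on your other build machines.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
  -out "$WORK/other.key" 2>/dev/null
csr_from_existing_key "$WORK/other.key" "$SUBJECT" "$WORK/wrong.csr"
if ! csr_matches_cert_key "$WORK/wrong.csr" "$WORK/old-cert.pem"; then
  echo "wrong.csr was made from a different key: do not submit it"
fi
```

The same comparison works on the CSR that Keychain Access saves to your Desktop in step 7 (`openssl req -in CertificateSigningRequest.certSigningRequest -noout -pubkey`) against the certificate you backed up before deleting it, so you can confirm which key the CSR carries before revoking anything in the portal.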
