Best way to renew the certificates for signing Apple products - ios

My development and distribution certificates are expiring today. I followed the link below and got information about creating a new one.
Proper way to renew distribution certificate for iOS
My questions are listed below:
1) What is the best way: revoke the certificate and create a new one before the certificate expires, or wait for it to expire and then create a new one?
2) What will happen to the old one in Keychain Access? Do I have to manually delete them?
3) We use the same certificate on two different machines. Do we have to delete the old one from the machine's keychain, then create the new one, and then export the new keys to the other machine?
4) One of my provisioning profiles has an expiry date of 26/07/2017. However, since I am changing the development certificate and distribution certificate, I need to edit and regenerate the provisioning profile as well. Is this correct?

1) I would advise that you wait until they expire, then request new certificates in the Certificates & Identifiers section of the developer portal. Your certificates expiring will not affect any current apps you may have on the App Store; it will only remove your ability to sign code. Once they expire, follow the steps to create new development and distribution certificates.
2) There is no need to manually delete your certificates from Keychain Access. Just make sure to choose the current ones in your project's build settings.
3) Since you have two machines, you will have to download these 2 certificates to your other machine as well and add them to Keychain Access.
4) Yes, you will need to regenerate your provisioning profiles using your new certificates, download them, then install them to Xcode. You may also want to delete your old provisioning profiles. To do this, go to Xcode->Preferences->Accounts->(Choose Apple ID here)->View Details. Now, right click on expiring profiles, hit Show in Finder, then delete them from Finder. Also, remember to update which profiles your project uses in your build settings.

Related

Expiring In-house Distribution provisioning profile and certificate

I have an in-house enterprise app that is managed (deployed) from MaaS360
'https://portal.fiberlink.com'
And this app is built (and still maintained) in Xcode 4.6.3 (I know, I know), so I don't have any of the fancy new features in Xcode 7 that might help alleviate this problem. In fact, even the refresh button in Organizer no longer works... you tap it and a dialog says "service unavailable", and I've tried it on different days, so it's not just a temporary glitch or service interruption. I believe Apple disabled whatever portion of their service was servicing that request from Xcode 4's Organizer.
The provisioning profile on it is going to expire in March, and I'm trying to figure out how to renew it without inconveniencing the users by making them download a new rebuilt app. It would be particularly painful for them because it would require they sync a few gigabytes of data from their device through iTunes for each person, and it's a few hundred people.
My problem is, my certificate I used to sign the app is also expiring around the same time (in March).
I happened to have another certificate and an associated provisioning profile, I had generated on a different mac which expires in 2019, and I tried to use it to update the expiring provisioning profile on MaaS360 for this app in question, and I get this error
So what has me a little terrified is, I'm back on the mac where I originally created and deployed the app... if I need to renew my existing certificate (which I assume means revoking it and replacing it with a new one), in order to create a new provisioning profile, aren't I going to run into this dialog again, claiming that my certificates don't match, because I'll now have a new one, hence I can't update the profile.
If the only way to update my expiring provisioning profile is with my soon-to-be-expired-but-also-identical certificate which originally created the profile, that still means my profile is going to expire as scheduled because my original certificate will have expired too.
Is there a way out of this dilemma?
You can have two certificates active at the same time. So I would generate a new certificate using the same key you used to generate the original one. To do this on the Apple developer portal, you will need the cert signing request. Most developers don't save this when they generate their certificate the first time. The good news is, if you have the private key that was used for your distribution certificate, you can use that to generate the CSR. To find out if you have the private key, you can use this post for how to locate it in the Keychain app. https://stackoverflow.com/a/33651921/3708242
Once you have verified that you have the private key used for the certificate for the app store distribution, you can generate a CSR using the following procedure: https://stackoverflow.com/a/7111454/3708242
Once you have the CSR, go to Apple's developer portal and generate a new distribution certificate for "In-House and Ad Hoc" distribution. As long as you only have one out there, you should be able to create a second without having to revoke the existing one. Once you've done that, you will likely need to provide that certificate to the MaaS360 service (I'm not familiar with how that works, but somehow the MaaS360 server must have the private key and certificate that the apps were built with, as it is clearly checking that when you push the build of your app and the certs don't match). So download the new cert and provide that to MaaS360.
Then, generate a new distribution profile using the new certificate. Or you can update the existing one to use the new cert by clicking the edit button on the provisioning profile, then changing the radio button to the new cert which should expire several years out. Note that this won't prevent any existing apps built using the profile from running in the meantime (revoking the certificate, however, would immediately cause the apps to stop working, which you don't want). Save and download the new profile, and use it to rebuild the app.
The app will then be built with the new certificate, which won't expire any time soon. I do think you are missing the part of the process where you will have to provide the new cert to MaaS360. I can't really help you with that part, but hopefully there is some documentation from IBM that can help you out there. But you will need to fix it, because once the cert expires, none of the apps built with it will work. Good luck and let me know if any of this is not clear enough.
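
The renewal step in this answer, building a new CSR from the original private key and confirming it carries the same key as the expiring certificate, sketched with OpenSSL as an added example (not code from the answer or the posts it links). It assumes the key has been exported from the keychain as an unencrypted PEM file; the file names and subjects are constructed, and a self-signed certificate stands in for the Apple-issued one.

```shell
#!/bin/sh
# Added example. All keys, subjects and certificates below are constructed
# stand-ins; nothing here talks to Apple's portal or the macOS keychain.

# Print a SHA-256 digest of the PEM public key inside a key, CSR or certificate.
pubkey_digest() {  # usage: pubkey_digest key|csr|cert FILE
    case "$1" in
        key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        csr)  pem=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) ;;
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        *)    return 2 ;;
    esac || return 1
    # Refuse to hash empty output, so two unreadable files never "match".
    [ -n "$pem" ] || return 1
    printf '%s\n' "$pem" | openssl dgst -sha256 | awk '{print $NF}'
}

# Build a CSR from an existing private key; no new key pair is created.
csr_from_existing_key() {  # usage: csr_from_existing_key KEY SUBJECT OUT
    openssl req -new -key "$1" -subj "$2" -out "$3"
}

# Succeed only if both objects carry the same public key.
same_key() {  # usage: same_key KIND_A FILE_A KIND_B FILE_B
    a=$(pubkey_digest "$1" "$2") || return 1
    b=$(pubkey_digest "$3" "$4") || return 1
    [ "$a" = "$b" ]
}

demo() {
    d=$(mktemp -d) || return 1
    openssl genrsa -out "$d/dist.key" 2048 2>/dev/null
    # Constructed stand-in for the expiring certificate issued for dist.key.
    openssl req -x509 -new -key "$d/dist.key" -subj "/CN=Old Distribution" \
        -days 30 -out "$d/old.pem" 2>/dev/null
    csr_from_existing_key "$d/dist.key" "/CN=Renewed Distribution" "$d/renew.csr"
    same_key cert "$d/old.pem" csr "$d/renew.csr" &&
        echo "renew.csr reuses the key of old.pem"
    # A key generated on another machine is a different key pair.
    openssl genrsa -out "$d/other.key" 2048 2>/dev/null
    same_key cert "$d/old.pem" key "$d/other.key" ||
        echo "other.key does not match old.pem"
    rm -rf "$d"
}
demo
```

Remove the exported PEM key once the CSR has been submitted, since it is an unprotected copy of the signing key.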

Query regarding iOS certificate renewal

I have an app in the App Store whose certificate is about to expire in 20 days. So I created a new distribution certificate & new provisioning profile (used the same previous app ID) > then recreated the build & submitted it to the App Store. My queries here are:
Is the above process the proper way of doing it?
1) I haven't revoked the old certificate; it's still in the account. Do I need to do anything to it or just leave it alone?
2) What if users don't update to my latest build (with the new certificate) from the App Store & instead try to stay with the old build that has the certificate about to expire shortly? In such cases, what will happen to the app once the cert has expired?
Thanks in advance.
There was no reason at all to submit a new build to the App Store - at least due to the certificate. An expired certificate only affects your ability to use provisioning profiles. Existing apps are not affected at all.
Users that don't update will not be affected.
Feel free to delete any old certificates. Use the new one to create new provisioning profiles.

iOS Certificates and Provisioning Profile

My client has a few apps in the App Store that were submitted using a certain App Store profile, and I have access to the account. We also have those apps installed Ad Hoc, signed with the same Distribution Profile. Now I am taking care of one of these apps and I need to code sign to make a few changes and then submit it Ad Hoc for some testers. No one knows where the .developerprofile backup is. Can I revoke the existing certificate and recreate a new one without affecting the apps on the App Store? If I revoke, any other developer using this key pair will stop working, right? Any other problem I am not remembering? Can I revoke the certificate?
Thanks in advance.
Yes, you can safely revoke the developer and AdHoc distribution certificates without affecting any App Store apps. Be careful not to revoke any Push Notification certificates if your app uses push.
Generate a new certificate signing request on your machine and use that to generate the new certificates. Remember to edit the provisioning profiles after you create the new certificates, especially if you've added any additional devices to the provisioning list. Then download the new provisioning profiles and you should be good to go.
Any other developers (if they still have access) will be able to download the new profiles if they need them. If they also need to sign builds, they should generate their own keys/certificates as well for their developer certificates.

Distribution profile expired of an app in the App Store

A lot of my certificates expired today. I want to update my app that is currently in the App Store and saw that I need to create another distribution profile with the same bundle id. Is this correct?
So, for example my bundle id of the old distribution profile was "com.xxxx.1234" , now I need to create another one with the same "com.xxxx.1234" ?
Cheers and thanks
You should only have two certificates - one for development and one for distribution. Do not confuse certificates with provisioning profiles. They are very different though the provisioning profiles depend on one of the certificates.
If in fact your certificate(s) did expire (which they do once a year), create and install your new certificate(s). Once that is in place all you need to do is edit your existing provisioning profiles to use the new certificate. Do not create any new provisioning profiles, just update what you have.
Once all of the provisioning profiles are updated, download and install the updates into Xcode. Delete the expired ones.
Now update your project to be sure it uses the updated profiles.
Nowhere in this process should you deal with bundle ids.

New iOS team member: no valid signing identity

This is getting frustrating. I have two identities, one old, one new, and the latter should be used to deploy iOS apps to the App Store.
I've created the new user, granted him admin access, then I created the app name and provisioning profiles. However, in the Organizer I see that the Dev provision works flawlessly, while the Deploy profile shows me the dreaded error:
Valid signing identity not found.
How can it be?
Well, I see that in the Certificates section in the iOS Provisioning Portal, there is only one distribution certificate, the one belonging to my company.
Is there a way to enable the new user to create apps without accessing the uberadmin's Xcode?
Thanks & Cheers!
You need the key that was used to create the Distribution Certificate for your company.
Remember when you created your developer certificate? Then you went to keychain -> certificate assistant -> Request a certificate from ...
When you did this, your Mac paired your certificate request to a key in your keychain. Once your developer certificate was processed and you downloaded it to your computer, it could be accessed by your computer through that key.
But if you did not create the Distribution Certificate that your company has, you don't have the key on your computer.
Take a look at your certificates in keychain:
Go to 'Certificates' and expand your developer certificate - it will have a little key with your name.
Now try to expand your distribution certificate - it will not have a key, right?
If this is the case, you have two options:
1) Ask the person who created the Distribution Certificate to export it from his keychain. This will create a file that includes both certificate and key.
2) Delete the current Distribution Certificate, and create a new Certificate Signing Request from your computer, which will connect it to a key that you have.
The first method requires access to the "Uberadmin's" computer. The second requires admin access to your team's Apple account. There is usually no downside in using method 2, because creating a new certificate is necessary from time to time anyway. It will not affect already published apps; just coming releases and updates need to use the latest certificate.
Once all this is done, you need to create a distribution provisioning profile for App Store and connect to the Distribution Certificate that you are going to use. (if you went with option 1, you might already have done this).
Download the profile to your computer, install it, and then in your app, select to build with this profile for distribution builds.
According to Apple's documentation:
A team’s distribution certificate allows a developer to build an app for distribution. If your team wants to use another Mac to create a distribution build, you need to transfer a copy of the distribution certificate as described in, “Safeguarding and Transferring Your Signing and Provisioning Assets” in Tools Workflow Guide for iOS. (from Managing a Distribution Certificate)
So, in order to have multiple users able to create & submit App Store builds, you must share a private key between them.
Create a new private key for the team, and then send that private key to everyone who needs it. Follow the instructions under Generating a Certificate Signing Request with Keychain Access.
See also: Any concern to share private key for distribution certificate among different group under a team account in itune provisioning portal
