Installing iOS certificates locally

On the Apple site, in the Certificates section, I see that I have two certificates (iOS Development and iOS Distribution). They both expire in 2017. Everything looks fine there.
When I download the certificates and try to install them locally, they both appear in the “Certificates” section of my Keychain. In the “My certificates” section of my Keychain, however, I see only the Developer certificate. If I try to copy the Distribution certificate from “Certificates” to “My Certificates”, it does not help.
In Xcode, in the Accounts section, when I choose my Apple ID and click on “View Details,” I see only “iOS Development” in the list of Signing Identities. And its status is “Revoked” for some reason! When I click on “+” under the table and try to add an iOS Distribution certificate, a dialog appears which says: “Your account already has a valid iOS Distribution certificate. You have a valid iOS Distribution certificate in the Member Center, but it is not installed locally. If your signing identity is installed on another Mac, you can export a developer profile on that Mac and import it on this Mac. You can also revoke your current certificate and request a new one.”
Is it safe to go to the Apple site and revoke the certificates there? Would it help somehow? Or maybe there are better solutions?

You may revoke your distribution certificate and create a new one with a CertificateSigningRequest created from Keychain Access. But if you have other projects using this distribution certificate, it is better to export that certificate from the originally installed computer using Keychain Access export with the .p12 extension and install it on your computer.
If you export a certificate, distribution or development, you need to go to developer.apple.com and renew all your previous provisioning files with a new certificate. It is time-consuming, but if you are not able to export the old certificate, that is the only option.

Related

Xcode 7.3: Your account already has a valid iOS Development certificate [duplicate]

I'm having trouble exporting an app for Ad Hoc Distribution on Xcode 6 beta 2:
When exporting my project for ad hoc development on Xcode 6, I receive this alert. I've tried exporting it on Xcode 5 and had no problems at all saving the .ipa. Is anyone experiencing this problem as well?
I've had the same issue two days ago. Turns out the problem was:
I have my own developer distribution certificate with a proper private key
I have enterprise developer distribution certificate of my client without a private key
I try to make an enterprise distribution package for my client
Xcode throws at me vague error: Your account already has a valid iOS distribution certificate
The solution is: get a private key for enterprise account of my client. There are 2 possible options:
Ask your client for credentials to access his enterprise developer account on the Apple website. Revoke the old certificate and recreate it. You'll create the private key in the process. BEWARE: revoking an enterprise distribution certificate invalidates all apps that were signed and deployed with that certificate (official info).
Ask your client to export his private key from his Keychain Access application as a *.p12 file and send it to you with a password. You can't download the existing private key from the Apple website. The only way to get it is to ask your client. I did it and I was able to finally make the package.
How to find out if you have a private key for a certificate: Open the Keychain Access application. Choose certificates. Find your certificate. If you see a small grey triangle on the left side of the certificate, open it and you will see your private key. No triangle = no private key.
This is what worked for me.
On my machine I kept both Xcode 5 and Xcode 6 beta.
From Xcode 6 beta, Archive the project. Close Xcode 6.
Open Xcode 5, go to Organizer and export as Ad Hoc build with proper provisioning profile.
That's it!
I had the same problem, I had to use the command line "xcodebuild" tool as a workaround, with only Xcode 6 installed (didn't have to re-install Xcode 5).
http://www.thecave.com/2014/09/16/using-xcodebuild-to-export-a-ipa-from-an-archive/
Example:
xcodebuild -exportArchive -archivePath $projectname.xcarchive -exportPath $projectname -exportFormat ipa -exportProvisioningProfile "Provisioning Profile Name"
In my case, what solved the problem was deleting all Distribution Certificates from my Apple Developer Account. Then, Xcode managed to create development and distribution certificates again, and that did the trick.
I got a solution without renewing the certificate:
1 - Archive the target with the appropriate Code Signing Identity and Provisioning Profile
2 - Right button in the created file in Organizer --> Show in Finder
3 - Right button in the xcarchive file --> Show package content
4 - There, in Finder, go to Products/Applications/
5 - Upload the file Products/Applications/appName to iTunes
6 - When the app appears in iTunes, right click on it --> Show in Finder. This is the ipa file
7 - Send this ipa through App Loader 3.0
I don't think that it is a lasting solution, but I do not want to delete my certificates
FINALLY SOLVED IT!!
1) Create a NEW production certificate through developer.apple.com which requires you to use Keychain Access to create a new private key on your computer
2) In the same developer portal, open your distribution Provisioning Profile used with this app and select the new production certificate which you just created. Generate the provision then download it and run it
3) Run your app, Archive it, then export the archive.
Voilà
This took me days if not weeks to figure out, I hope it helps you.
Create a new iOS Distribution Certificate and choose the Production > App Store & AdHoc section. Also don't forget to change Target > Build Settings > Code Signing all to iOS Distribution (but after creating the ipa, set it back to iOS Developer).
Only this solved my problem.
I faced the same issue today with Xcode 6.1.1
When I tried to add iOS Distribution certificate via Xcode the error I got was the same. There were already several issued distribution certificates in Member Center and I did not want to invalidate them because if they are used for Ad Hoc distribution in an Enterprise environment this would also invalidate the applications that are installed on the devices (at least this is what I've read).
What I did was:
1. Through Keychain Access generated a request for a certificate from a certification authority. And saved the request to a file;
2. Logged in to Member Center certificates area Production section and requested a new "App Store and Ad Hoc" production certificate, this requested the file from step 1;
3. Downloaded the new certificate and when imported in Keychain Access it now had a private key.
Afterwards I cleaned Xcode, restarted it, checked that in my account the profile is visible and built a new Archive. And now I was able to validate the archive.
Now if I try to request a new "App Store and Ad Hoc" certificate this option is grayed out for me and I suppose this is because my account already has the certificate issued. If this is your case you will most probably need to invalidate your previous certificate before you can issue a new one. This is why Apple recommends backing up your certificate. But it is very likely that you will not need to invalidate all production certificates as I already have a number of those in the profile.
Hope this helps someone :)
Apple has changed the way of Ad Hoc build. Now you can't make Ad Hoc distribution builds using dev cert. You should use a distribution cert with an "Ad Hoc" provisioning profile instead.
I believe the actual reason you ended up in this screen is while trying to get the .ipa file to be distributed to your testers and clients.
In Xcode 6, to get the .ipa file you may use the old method for iPA generation:
Select organiser in Xcode. In the Archives tab select the Archive whose iPA file you need to generate.
Right click and select option “Show in Finder”
You will see the .xcarchive file. Right click and select “Show Package Contents”
You will see folders: dSYMs, Info.plist and Products.
Open Products>Applications and you will see your .app file.
Drag and drop this .app file to iTunes in Mac.
Your .app file will be listed under "My Apps" in iTunes.
Right click on your application and select “Show in Finder”.
Now you have the .ipa file which you can send to your testers for testing.
Hope this helps.
There have been changes in the way Apple manages our private and public keys.
The previous method to share an account on two machines was:
1. download provisioning
2. export/checkout certificate
install them both on the other Mac
But now you don't have to do that; you export your entire account.
1. Xcode -> Preferences -> Accounts (select account); on the bottom left there is an option to export it.
You will be prompted to give a password; give any, it will be required while importing on the other system. A .developerprofile file will be downloaded to the location of your choice.
2. Download it on the other Mac, and when you see the prompt that your device already has a valid signing identity, click on Import Developer Profile and import this .developerprofile file. Enter the password when prompted.
got help from here
I resolved it following the next steps:
1)in your apple developer account: Create a new Production Certificate Choose the App Store and Ad Hoc Option
2)in your apple developer account: Create a new provisioning profile with your current bundle id and the certificate created in the step one
3)in your xcode:
Select your target
In the tab Build Settings in the zone Code Signing
In the sub-zone Code Signing Identity - Release
Set your new distribution certificate (ad hoc)
In the Provisioning Profile - set your new provisioning profile (ad hoc)
Seems that xcode 6 now requires an ad hoc distribution certificate in order to export your IPA.
I got the same issue today, and found a good solution I think.
First of all, there's something abnormal:
the normal is:
and in the keychain:
the normal is:
Then, I realized that I lacked the correct provisioning profile which contains the correct iOS Distribution certificate.
Finally, my solution is: use my CertificateSigningRequest.certSigningRequest file to generate a new iOS distribution certificate, and use the new iOS distribution certificate to generate a new provisioning profile.
Note, I don't delete the old certification and provisioning profile, because my colleague works well with them. Does this affect the apps I already published? The answer is NO. I just change the code signing certificate, and some important certificates like the push notification certificate are tied to the app ID:
So don't worry about that.
Hope the above is helpful.
As pointed out by a commenter this has proven to be a solution for myself and others:
I deleted and re-downloaded all my required certificates along with the keys needed to generate them, and I was able to get past this error.
I revoked my production certificates and requested another one, which solved this problem.
Maybe you need to restart your Xcode.
I just encountered this after upgrading from Xcode 5 to 6.
In my case creating a new production certificate and then recreating the distribution provisioning profile for my app did the trick.
In the official latest Xcode 6.0, this will happen if you accidentally created a record in your entitlements file that has a key like this:
com.apple.security.application-groups
I am not sure if Xcode automatically created it by default. But deleting that key solved my problem. I didn't have to recreate any certificates. It was not my problem.
I solved this by simply regenerating the provisioning profile on the developer portal (in my case an App Store profile) and adding to my computer via iPhone Configuration Utility. I didn't want to mess with the certificates and successfully avoided that.
I noticed this error message logged from Xcode in my console:
None of the valid provisioning profiles allowed the specified entitlements: application-identifier, beta-reports-active, keychain-access-groups.
After downloading the new provisioning profile, the missing beta-reports-active = true was present and Xcode signed the build.
My solution was to delete the only iOS Production Certificate which I'm using and create it again. Doing this, you must create a new provisioning profile assigning the certificate just created.
Then I did the Archive process again and it works!
Additionally I found that Xcode Accounts come into play -
It turned out that I did have a valid distribution certificate on my personal account (mobilology) so I deleted that account temporarily from the Accounts section (you may wish to leave only that account that you are distributing from).
Suddenly the signing / archiving process worked!
Step 1: Log in to your Apple developer account
Step 2: Choose Certificates
Step 3: Delete if there is more than one distribution certificate
Step 4: Then retry archiving (if the error still exists, revoke all certificates, create a new distribution certificate and edit your provisioning profiles).
I think it's a bug in Xcode. To make it work, I need to delete the actual distribution provisional profile and I had to make a new provisional distribution profile from the dev center. This works for me.
I also faced the same problem; I was using a development certificate instead of Ad Hoc. The issue was fixed after using an Ad Hoc certificate.
Delete your iOS Distribution certificate from the Apple developer site and regenerate the iOS Distribution certificate with the certSignReq file. Works for me always. Your other apps wouldn't be affected. At least in my case it never did.
In my case I generated a new distribution profile and added it to XCode, then tried to submit the build. Turns out, all I had to do to get rid of this message is restart XCode and attempt again to submit. Worked.
In my case, I got the error message when trying to export an AdHoc build from Organizer. I did two things, either of which may have fixed the issue:
1) Exported the existing certificate it claimed I did not have from my keychain, deleted it from keychain, re-imported.
2) Created an ad-hoc distribution certificate, refreshed XCode account to obtain the new distribution provisioning profile.
After that I was able to export the exact same archive to an AdHoc build. I really think it was only the fact that I was missing an ad-hoc distribution that targeted that specific bundleID that led to Xcode being confused.
Followup: The archive I had created before did not work, I had to re-generate it. A clue this was an issue was that when selecting the archive and opting to export an Ad-Hoc build, the default account selected was the wrong account for the build (the project had no default account selected when I archived the build).
This is what worked for me (Enterprise Account)
Import the developer profile from the other machine, which loaded the certificate I needed with the secret key.
Rename the app bundle to the enterprise name (it was named under the app store name).
Change the team name in the "General" tab to my company's team - it was defaulting to my personal developer account!
With these changes, I could export an ipa as both ad-hoc and enterprise, upload it to Hockey Rink, and download it on my phone

How can I "revoke and request" my iOS Developer Profile?

I am trying to export an .ipa file from XCode 6, and I get an error like this:
The dialog says "revoke the current certificate and request one again", but I don't see a way to do that. The Apple Troubleshooting page for this issue suggests I should click the "Revoke and Request" button, but I don't see one.
How do I revoke the old developer certificate and request a new one?
I suppose that the certificate is a distribution one, not a development one. It seems that you have installed your iOS Distribution certificate on another Mac. And it seems, again, that you downloaded this certificate from the Apple portal and imported it to your new machine. Of course, the simple import is not valid, because a certificate requires a private key to be associated with it.
Then, you have 2 solutions:
Export your certificate from the old machine (including the private key), then import it to your new machine. I recommend it.
Revoke this certificate if you do not use it anymore on the old machine. Then, from the new machine, create a new signing request and request the distribution certificate again.
Visit your account; in the distribution certificate section, click the certificate to revoke and you will see the "Revoke" button.
Beware that all provisioning profiles created with this certificate will be invalidated.
Just for info, you have only <= 2 distribution certificates to be created.

missing private key in the distribution certificate on keychain

I have the following problem which I could not find a solution for anywhere. Basically, we have a company developer account (not enterprise) and so in order to submit our app, I requested from our team lead to send me the distribution certificate and create and send me a distribution provisioning profile.
With the developer profile, everything works good, but when I installed the cert and the provisioning profile, I did not see the distribution profile on Xcode, and nor do I have a private key under the dist cert in the keychain.
Does anyone know how to solve this? I read in different places that I will need to revoke the certificate and create a new one, but I can't really do that since we have a bunch of apps in the company and I can't revoke it for everyone.
Ahh this is a common issue, The solution is simple:
Whoever created the developer credentials originally needs to go to the keychain on their computer, right click on the key(s) for private and public, and export the key to a file.
Then you just download that file on your computer and open it, and it will be added to your keychain.
You need to have both the private key (.pem file) and the certificate for your provisioning profiles.
As long as you still have access to the mac which was used to generate the original distribution certificate it's very simple.
Just use that mac's Keychain Access application to export both the certificate and the private key. Select both using shift or command and right click to export to a .p12 file.
Attached a screenshot to make it very clear.
On your mac, import that .p12 file and you are good to go (just make sure you have a valid provisioning profile).
To add on to others' answers, if you don't have access to that private key anymore it's fairly simple to get back up and running:
revoke your active certificate in the provisioning portal
create new developer certificate (keychain access/.../request for csr...etc.)
download and install a new certificate
create a new provisioning profile for existing app id (on provisioning portal)
download and install new provisioning profile and in the build, settings set the appropriate code signing identities
Delete the existing one from KeyChain, get and add the .p12 file to your mac from where the certificate was created.
To get .p12 from source Mac, go to KeyChain, expand the certificate, select both and export 2 items. This will save .p12 file in your location:
For people who are afraid of re-creating the App Store distribution certificate, the Apple documentation says:
Important: Re-creating your development or distribution certificates
doesn’t affect apps that you’ve submitted to the App Store nor does it
affect your ability to update them.
But it affects apps for Apple Developer Enterprise ecosystem.
I lost hours and hours trying to resolve this issue, but it was fixed by just restarting the Mac...
In my case, I've lost all private keys in my keychain; new ones were imported correctly, but they didn't show the private key either. The only thing that helped was generating a new CertificateSigningRequest.
After you change to a Mac which is not the original one that created the distribution certificate, you will be missing the private key. Just delete the original certificate and create a new one; that works for me~
When I tried to upload an iOS build to TestFlight, an error appeared:
"Missing privacy key".
Just 2 steps to fix this error:
Remove old certificate from developer.apple.com
Create new certificate from Xcode or developer.apple.com
My problem has been solved (I am using Xcode 9.4.1).
Please check, Xcode created new certificate.
If you are creating your own Distribution cert, not using someone else's then this could help.
Spent quite a bit of time on this today, issues from not being able to create a SigningRequest to generating a distribution cert and not having it attached to my private key in KeyChain Access. These steps helped solve this for me.
If you are still having issues, revoke your current cert and start fresh.
Creating a new signing request
The Keychain Access > Certificate Assistant > Request a Certificate from a Certificate Authority is actually contextually aware of what you currently have selected when you launch it. Just to be sure that you aren't accidentally skewing your Request with some random selection, go to your Login Items and select the Apple Worldwide Developer item. Then launch the above Request and create the CertificateSigningRequest.certSigningRequest file.
Go to Apple Dev portal, add new distribution certificate, upload your CertificateSigningRequest.certSigningRequest file and download the newly created distribution certificate.
To import the distribution cert into your keychain, instead of just double clicking it, I recommend opening your keychain, go to "login/Certificates" area and drag and drop the cert here.
I had an issue where my cert would auto-install into the System area, instead of the login area where my private key existed and this caused my key not to be linked to the new cert.
At the Menu > Visual Studio (mac) > Preferences > Publishing > Apple Developer Accounts > [Select your apple id] > View Details > Create Certificate
To delete unused/invalid certificates, go to website: https://developer.apple.com/account/resources/certificates/list
delete any unwanted certificate there
Next is to create App ID (identifiers), go to website:
https://developer.apple.com/account/resources/identifiers/list
Next, go to website to create provisioning profiles:
https://developer.apple.com/account/resources/profiles/add
use the certificate to bind with your app id.
Next is to download the profiles:
At your mac > At the Menu > Visual Studio (mac) > Preferences > Publishing > Apple Developer Accounts > [Select your apple id] > View Details > Download All Profiles
I got into this situation ("Missing private key.") after Xcode failed to create new distribution certificate - an unknown error occurred.
Then, I struggled to obtain the private key or to generate new certificate. From the certificate manager in Xcode I got strange errors like "The passphrase you entered is wrong". But it did not even ask me for any passphrase.
What helped me was:
Revoke all not-working distribution certificates at developer.apple.com
Restart my Mac
After that, Xcode was able to create new distribution certificate and no private key was missing.
Lesson learned: Restart your Mac as much as your Windows ;)
I accessed that certificate on Apple's developer website, and after downloading it I opened it. Likewise, on opening I got a little window asking if I wanted to add the certificate to the keychain. I just tapped "add" and the "missing private key" error was gone.
My problem was that for whatever reason, the login keychain was missing in the Keychain Access. Xcode created a new certificate and added it to the login keychain but could not use it. Restarting the computer solved my problem.
Just to shed some light on this.
After I deleted my p12 certificate from Keychain, I re-downloaded my own certificate from the Apple developer portal.
I was only able to download the certificate. But to sign you need the private key as well. So you either:
export both private key and certificate from Keychain to get it.
Upload a Certificate Signing Request and generate new certificates
That certificate by itself has no value for signing purposes. My guess is that the private key is created by keychain the moment you 'request a certificate from a certificate authority' but isn't shown to you until you add its matching certificate.
Check whether you are using Login or not to add the certificates; if you are checking in System at the top left-hand side, then we won't be able to see it.
So drag and drop the .cer into login, then check whether you are able to get the private key or not.
I'm the creator of the key, but the key was attached to an expired Certificate.
To solve it I went to -> Xcode/Preferences/Accounts/"Account you use to archive"/Manage Certificates..
Then click on the dropdown menu with the "+" sign on the bottom left corner, and choose the type of certificate you need updated (mine was Apple Distribution).
This updated my new certificate with its key attached.
Contact the creator of the iOS Distribution key and tell them to export the certificate and private key, then just download it and double-click it to access it in your keychain.
I assume you have switched devices and are trying to create a new certificate for your new device.
First revive the development certificate from the developer portal,
Go to xcode > preferences > accounts > select your apple id with the dev portal access > manage certificates > click on the team account > click on the little + button > click on apple distribution
Go to the apple developer portal , you can see a distribution certificate is created ,
Go to profiles create a new profile with the new certificate.
Download > install
done
An old Xcode version will also cause this. I was on Xcode 10 (old for 2022). Updated to the latest version, which resolved the issue.
I could resolve this problem by updating macOS and XCode.

Apple Enterprise Developer Distribution Certificate appears in keychain, not in Xcode Organizer

I'm a contract developer, and have an app to be distributed via the client's Enterprise account.
I've worked with other clients on Enterprise accounts, but for some reason, the "iPhone Distribution" certificate that I've added to my keychain for this client does not appear in Xcode Organizer.
When I import a mobileprovision for the app, Xcode complains there's no valid key pair.
The client has added me to their account; can only the developer who created the Enterprise Distribution certificate import it to a keychain? If I create a new distribution cert (not profile), does that invalidate the existing cert (used by other apps I have not worked on?)
You will need the person who created the certificate to export it from their keychain. The certificate you download from the provisioning portal is a public key and does not contain the private key.
From Apple Tech Note about Code Signing
Note: In the case of missing Private Keys for your certificates, Automatic Device Provisioning can restore your certificate to the keychain, but not the missing private keys.
Transferring Your Identities
Once you have a healthy working code signing configuration set up it is recommended that you follow the steps in section Transfer Your Developer Profile to Another Computer of the Xcode 4 User Guide to create a backup of them. The backup can be used to restore your working code signing configuration from hardware failure, or to enable code signing on additional Macs, partitions, or OS X user accounts of your choice. The backup (.developerprofile file) once created contains all of the following items:
all iPhone Developer certificates in your keychain
all iPhone Distribution certificates in your keychain
all Provisioning Profiles in the Xcode Organizer > Devices tab > Provisioning Profiles section under "Library"
Note: While creating the backup of your identities you will be asked to enter a brand new password. Be sure to remember as you'll be asked to enter that password later to use the backup for its intended purposes.
Tech Note TN2250
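
The point the answers above keep returning to (a certificate downloaded from the portal carries only a public key, and signing needs the private key that was generated together with the CSR) can be checked with OpenSSL. This is an added example, not part of the original posts: every key, CSR and certificate in it is a constructed test fixture, and the file names and the "Mac A" / "Mac B" roles are assumptions made for illustration.

```bash
# Added example: does this private key belong to this certificate?
# Every key, CSR and certificate here is a constructed test fixture.

# Hash a PEM public key read from stdin (SHA-256 over its DER encoding).
pub_fp() {
  openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# Fingerprint of the public half of a private key file.
key_fp() {
  local pub
  pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  printf '%s\n' "$pub" | pub_fp
}

# Fingerprint of the public key a CSR asks the CA to certify.
csr_fp() {
  local pub
  pub=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) || return 1
  printf '%s\n' "$pub" | pub_fp
}

# Fingerprint of the public key inside a certificate (PEM, or a DER .cer).
cert_fp() {
  local pub
  pub=$(openssl x509 -in "$1" -inform PEM -noout -pubkey 2>/dev/null) ||
    pub=$(openssl x509 -in "$1" -inform DER -noout -pubkey 2>/dev/null) ||
    return 1
  printf '%s\n' "$pub" | pub_fp
}

# 0 = key and certificate form one identity, 1 = they do not, 2 = unreadable.
cert_matches_key() {
  local c k
  c=$(cert_fp "$1") || return 2
  k=$(key_fp "$2") || return 2
  [ "$c" = "$k" ]
}

# Build the constructed fixture in directory $1.
make_fixture() {
  local d=$1
  # Stand-in for the issuing CA (hypothetical, self-signed).
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ca.key" \
    -out "$d/ca.crt" -subj "/CN=Constructed Test CA" -days 1 2>/dev/null
  # "Mac A" generates the key pair and the CSR; only the CSR is uploaded.
  openssl genrsa -out "$d/mac_a.key" 2048 2>/dev/null
  openssl req -new -key "$d/mac_a.key" \
    -subj "/CN=Constructed Distribution Identity" -out "$d/request.csr" 2>/dev/null
  # The CA certifies the public key it finds in the CSR.
  openssl x509 -req -in "$d/request.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -set_serial 1 -days 1 -out "$d/dist.pem" 2>/dev/null
  # The same certificate as a DER-encoded .cer file.
  openssl x509 -in "$d/dist.pem" -outform DER -out "$d/dist.cer"
  # "Mac B" downloads dist.cer but only has an unrelated key of its own.
  openssl genrsa -out "$d/mac_b.key" 2048 2>/dev/null
}

demo() {
  local d k
  d=$(mktemp -d) || return 1
  make_fixture "$d"
  for k in mac_a mac_b; do
    if cert_matches_key "$d/dist.cer" "$d/$k.key"; then
      echo "$k: certificate and private key pair up, usable signing identity"
    else
      echo "$k: certificate without its private key, cannot sign"
    fi
  done
  rm -rf "$d"
}

demo
```

On a Mac, `security find-identity -v -p codesigning` lists only the certificates whose private key is present in a keychain, which is the same pairing this script checks by hand.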

iPhone: Can a dev other than team agent build an app for distribution

I have a company iphone dev account.
According to the doc, only the team-agent is allowed to submit a distribution cert and download the distribution provisioning profile.
Can a team only have 1 Team Agent?
Also, if that is the case, is there a way around this to allow multiple devs the option to build a distributed version of the app?
I have another developer who I would like to build and submit the app to itunes. I tried giving him the distribution cert and distribution profile. When he dragged and dropped them into xcode, and checked out windows->organize, it complains
"assigning identity matching this profile cannot be found in your keychain"
So this leads me to believe I need to get my key chain credentials on his machine. I tried exporting a private key and giving it to him, but he was unable to install it.
Is there anything else I can do?
I honestly think it's really silly if Apple expects one developer to be responsible for building all apps for a company. Hopefully I'm wrong and there is a way to get multiple developers access to building a distribution of an app.
Thank you
NOTE: This process is heavily simplified in XCode 4 (although not personally tested by me) with importing and exporting of developer profiles through the Organizer window (Developer Profile section).
This is how I got it working.
1) Login to the iOS Provisioning Portal as the Agent.
2) Run through the process of making the Distribution Certificate Signing Request / Provisioning Profile: http://developer.apple.com/iphone/manage/distribution/index.action. These instructions are super long, but pretty clear and necessary.
3) Pay extra attention to the section "Obtaining your iOS Distribution Certificate" > "Saving your Private Key and Transferring to Other Systems" on that page. It describes how to generate and save the Agent's .p12 file.
4) Now invite other developer(s) to be part of the team in the Member Center: https://developer.apple.com/membercenter/index.action#invitations
5) Back in the iOS Provisioning Portal, download the app's Distribution Certificate (Certificates > Distribution (tab)). Should be named "distribution_identity.cer"
6) Now download the Distribution Provisioning Profile (Provisioning > Distribution (tab)). Should be named "whatever_you_named_it.mobileprovision"
7) Email those two files along with the Agent's .p12 file to your other developer machine.
8) On the developer's machine, double-click the distribution_identity.cer file and it should load up in Keychain Access
9) Drag the .p12 file to Keychain and it should automatically put the identity under the certificate
10) Drag the whatever_you_named_it.mobileprovision file into XCode.
11) In each of the Project and Build's Info windows, set the Code Signing Identity to the "iPhone Distribution - Your Company" identity which should now be available.
Hope that helps. Rob
Just another tutorial step by step, but slightly different, the certificates have been already installed in the team's agent keychain, so it explains how to export the .p12 files from the keychain:
how-to-share-an-ios-distribution-certificate
You definitely should be able to build your app with a distribution certificate and profile on your coworker's machine.
Are you sure that the distribution certificate and provisioning profile are installed correctly? If you can build apps with the development certificate but not the deployment one, check to make sure that everything's properly installed in the keychain and that the correct provisioning profile is selected in the settings for the active target.
You can copy the private key in this way, but it's really UNSAFE:
Give him your login.keychain file (located in ~/Library/Keychains/), and let him open it with Keychain.app, and ask him to drag your private key to his login.keychain.
Apple also said you should keep your private key secured, if you need to reinstall your system, make sure you backup the login.keychain file.
