Does the AppleWWDRCA.cer have any bearing on developing certificates using OpenSSL? If so, what? If not, what is its use?
Edit:
I am using Windows. I do not need an answer concerning Mac development.
So far, using OpenSSL, I have created development apps (signed, and with certificates), ad hoc apps for multiple developers (signed, and with certificates), and they all have worked just fine. This is (probably) only a question about whether it is needed to put an app in Apple's App Store.
No, the WWDR Certificate is only used to authorize your app for selling/integrating on the Apple App Store.
Public OpenSSL certificates are (generally) given to your application from an outside Certificate Authority and used by your users to authenticate (prove that your application is indeed what it claims to be) your application and encrypt the data they send in an SSL connection. These can be generated entirely independently of your WWDR certificate.
It appears that Apple has removed the ability to trust SSL certificates that are self-signed in iOS 10.
I created my own self-signed certificate and have a local web server that is signed with my certificate. I must install my certificate in iOS for testing locally as I have developed an iOS application that needs to trust my certificate.
How can I install my self-signed certificate?
Good news, they haven't. If you just need this for development purposes, which it sounds like you do (and you shouldn't be using self-signed certificates in production anyway), you can install the self-signed certificate on your iOS devices manually. Following the equivalent FAQ for my iOS Web Bluetooth browser app:
1. Create your self-signed certificate and key files using openssl or however. Be sure it has the correct /CN “Common Name” for your local server, e.g. mycomputer.local.
2. Configure your webserver to use it (obviously) and check that it is working using a different client, such as a browser on a Mac.
3. Email your certificate to an email address you can access on your iOS device.
4. Tap on the attachment in Mail on your iOS device, this should now prompt you to install it. Do so.
5. You should now verify that it is installed by going to the Settings app then General -> Profile -> <Common Name>. The Profile menu probably won’t be there at all until you’ve installed the first certificate. The certificate should be marked Verified (it was verified by you when you installed it).
6. You might, like I did, have thought this would be enough. It isn’t. You now, really counter-intuitively, need to go to the setting General -> About -> Certificate Trust Settings and enable full trust for your certificate there as well. It’s such a weird place for that setting to be.
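The certificate-creation step from the answer above, as an added example that is not part of the original answer: it generates a self-signed certificate for mycomputer.local with OpenSSL and checks the properties worth confirming before the .cer is mailed to a device. The subjectAltName entry is an addition here (the answer only mentions the CN), and the file names and helper functions are illustrative assumptions.

```shell
# Added example; file names and helper names are assumptions, not from the page.
set -eu

# make_dev_cert HOST DIR -> DIR/dev.key, DIR/dev.crt (PEM), DIR/dev.cer (DER)
make_dev_cert() {
    host=$1; dir=$2
    # Inline config so the result does not depend on a system openssl.cnf.
    # subjectAltName repeats the host: current TLS clients match on SAN, not CN.
    cat > "$dir/req.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = ext
prompt = no
[dn]
CN = $host
[ext]
subjectAltName = DNS:$host
EOF
    ( umask 077   # keep the private key unreadable to other users
      openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 365 \
          -config "$dir/req.cnf" -keyout "$dir/dev.key" -out "$dir/dev.crt" 2>/dev/null )
    # DER copy of the certificate only; this is the file to mail, never dev.key.
    openssl x509 -in "$dir/dev.crt" -outform DER -out "$dir/dev.cer"
}

# Print the subject Common Name of a PEM certificate.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/^subject= *CN=\([^,]*\).*/\1/p'
}

# Succeed if the certificate lists HOST ($2) as a DNS subjectAltName.
cert_has_san() { openssl x509 -in "$1" -noout -text | grep -qF "DNS:$2"; }

# Succeed if subject and issuer are the same name (self-signed).
is_self_signed() {
    [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
      "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# Succeed if the certificate is still valid DAYS ($2) days from now.
valid_for_days() { openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null; }

HOST=mycomputer.local
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
make_dev_cert "$HOST" "$WORK"
echo "CN=$(cert_cn "$WORK/dev.crt")"
cert_has_san "$WORK/dev.crt" "$HOST" && is_self_signed "$WORK/dev.crt" &&
    valid_for_days "$WORK/dev.crt" 30 && echo "SAN present, self-signed, more than 30 days left"
```
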
The installation of own root certificates changed at some point (maybe somebody can confirm, if it was at iOS 11).
What you need to do is with your Mac, get Apple Configurator 2 and create a profile containing your certificate. The resulting mobile profile file can be installed from Safari or email.
My certificate will expire in 4 days, and I've uploaded a new app version for submission with the new certificate.
What happens if the old certificate expires? Will users be able to download my app with the old certificate, or will Apple remove my app until the new certificate is provided?
What happens if my certificate expires or has been revoked?
Apple Push Notification Service Certificate
You can no longer send push notifications to your app.
Pass Type ID Certificate (Passbook)
If your certificate expires, passes that are already installed on users' devices will continue to function normally. However, you will no longer be able to sign new passes or send updates to existing passes. If your certificate has been revoked, your passes will no longer function properly.
iOS Distribution Certificate (App Store)
If your iOS Developer Program membership is valid, your existing apps on the App Store will not be affected. However, you will no longer be able to submit new apps or updates to the App Store.
iOS Distribution Certificate (In-house, Internal Use Apps)
Users will no longer be able to run apps that have been signed with this certificate. You must distribute a new version of your app that is signed with a new certificate.
Mac App Distribution Certificate and Mac Installer Distribution Certificate (Mac App Store)
If your Mac Developer Program membership is valid, your existing apps on the Mac App Store will not be affected. However, you will no longer be able to submit new apps or updates to the Mac App Store.
Developer ID Application Certificate and Developer ID Installer Certificate (Mac Applications)
If your certificate expires, users can still download, install, and run versions of your Mac applications that were signed with this certificate. However, you will need a new certificate to sign updates and new applications. If your certificate has been revoked, users will no longer be able to install applications that have been signed with this certificate.
Original Source Apple Doc
When the distribution certificate expires, you can't submit new apps to the App Store. On the other hand, the old live apps will work fine, i.e. nothing will happen to your live app in the App Store.
Consider checking this Apple thread and doc.
We are struggling with the Distribution Certificate handling from Apple.
We have several developers setup in the Apple Developer Portal, for the sake of the example:
Alice: Team Admin
Bob: Admin
Charles: Admin
Dan: Developer
Alice, Bob, and Charles should be able to build Apps for Distribution (Adhoc for internal testing, Testflight for external testing, and Appstore for distribution). Dan is only producing code and debugging on his local machine.
All users use individual accounts for the development.
From what we understood from the Apple documentation, Alice, Bob, Charles need a valid distribution certificate. If Xcode generates it for them, they will start playing “ping pong”, and keep revoking each other’s certificate – at least this is what appears to be happening at the moment.
We are not sure why this would happen. One would think, that if you create a different new user this account can also maintain his own (distribution) certificates.
Anyway, so they will need to share a distribution certificate, by sharing the private key (p12 file) of it, as you can find in the answer here.
In our account, it appears as if we can have up to two valid distribution certificates.
We don’t really know how this ultimately worked – we didn’t do it manually over the developer portal, but used Xcode for it. Alice generated her certificate, Bob revoked and regenerated, Alice did the same thing – but suddenly they both had a valid distribution certificate, instead of invalidating Bob’s certificate.
In the documentation it was mentioned that you can have up to 2 valid distribution certificates. We have also manually tried to generate the distribution certificates and could confirm that it is limited to two.
However, we then got recently invited to a customer’s developer program to sign apps on his behalf.
I assume the customer was not aware that we require the private key from his distribution certificate. We therefore tried to manually generate a distribution certificate, and saw that it was not possible. To our surprise though, the customer managed to generate 3 valid distribution certificates.
Any idea how this worked?
Our questions in a nutshell:
1. What is best practice when you manage a team of developers?
Do you normally share the private key of the first developer who generated the certificate with all other team members who should be able to sign the app?
2. What is the best practice when you work with clients?
Do you ask them to generate another private key, or is there some hidden functionality to generate as many distribution certificates as you want, given that every developer uses his own account?
3. What happens when we revoke a certificate?
It doesn’t affect the apps in the app store, but only seems to limit other developers to build their app. However, what happens with APNS / Push Server certificates? When we revoke a distribution certificate through Xcode, will this also suddenly stop working for the sender?
Thank you for your help.
After a long time of investigation and trying things out, here is what we think is the best fit for us. Not sure if it is best practice but it seems to work for us just fine.
1. What is best practice when you manage a team of developers?
One person generates a distribution certificate using his Mac. He then exports the certificate (public AND private key) in a p12 file, as suggested by washloops, and shares it with the team.
2. What is the best practice when you work with clients?
We have two sorts of clients:
Clients working with multiple suppliers (so we are just taking care of 1 app, out of their portfolio) - We ask them to share their distribution certificate (public + private key). If they don't have it, they need to get it from another vendor.
Clients working only with us - We generate the certificate and share it with the client later on. This allows them to share it with other vendors if they need to.
3. What happens when we revoke a certificate?
From our tests: "nothing". If you revoke a distribution certificate, it will prevent developers using this certificate from submitting / building apps. However, existing APNS / Push certificates are not affected.
For us it seems as if APNS / Push certificates are totally independent, and if you wish to revoke them, you need to revoke both.
You have to create just 1 distribution certificate. After that you go to Keychain Access, select the certificate and export it as ".p12", and maybe add a password to it.
After that you just install it on the other computers.
Regards :)
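An added example, not from the posts above, for the .p12 hand-off both answers describe: it builds a password-protected bundle with OpenSSL and checks that a received bundle really contains the private key belonging to its certificate. The self-signed identity, file names, label and passphrase are constructed stand-ins; a real distribution certificate is issued by Apple.

```shell
# Added example; identity, file names, label and passphrase are constructed.
set -eu

# Public key of a PEM certificate and of a PEM private key, as PEM text.
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey; }
key_pubkey()  { openssl pkey -in "$1" -pubout; }

# make_p12 KEY CERT OUT: bundle certificate and private key into OUT.
# The passphrase comes from $P12_PASS so it never appears in the process list.
make_p12() {
    ( umask 077
      openssl pkcs12 -export -inkey "$1" -in "$2" -name "Team Distribution" \
          -out "$3" -passout env:P12_PASS )
}

# p12_is_usable P12: succeed only if the bundle opens with $P12_PASS and holds
# a certificate plus the private key whose public half matches that certificate.
p12_is_usable() {
    tmp=$(mktemp -d)   # mode 700; the extracted key is deleted before returning
    ok=1
    if openssl pkcs12 -in "$1" -passin env:P12_PASS -nokeys -clcerts -out "$tmp/c.pem" 2>/dev/null &&
       openssl pkcs12 -in "$1" -passin env:P12_PASS -nocerts -nodes -out "$tmp/k.pem" 2>/dev/null &&
       grep -q "PRIVATE KEY" "$tmp/k.pem" &&
       [ "$(cert_pubkey "$tmp/c.pem")" = "$(key_pubkey "$tmp/k.pem")" ]
    then ok=0; fi
    rm -rf "$tmp"
    return $ok
}

WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
export P12_PASS='constructed-passphrase'
# Constructed stand-in for a signing identity.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Constructed Signing Identity" \
    -keyout "$WORK/id.key" -out "$WORK/id.crt" 2>/dev/null
make_p12 "$WORK/id.key" "$WORK/id.crt" "$WORK/team.p12"
# Constructed negative case: a bundle that carries the certificate but no key.
openssl pkcs12 -export -nokeys -in "$WORK/id.crt" \
    -out "$WORK/certonly.p12" -passout env:P12_PASS
p12_is_usable "$WORK/team.p12"     && echo "team.p12: certificate and matching private key"
p12_is_usable "$WORK/certonly.p12" || echo "certonly.p12: no private key, cannot be used to sign"
```
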
I am trying to create APNS certificate to setup basic MDM server. I am following this link http://media.blackhat.com/bh-us-11/Schuetz/BH_US_11_Schuetz_InsideAppleMDM_WP.pdf
I have OS X Server 10.8, and an Apple developer account.
I have enabled APN using the Server application in Mac OS X Server. When I edit or try creating a new certificate, it takes me to https://identity.apple.com/pweb/?r=1, where it requires a CSR signed by a third-party vendor, which I don't have.
So how to create APNS certificate from mac osx server 10.8 without having Enterprise account?
Not sure what you are trying to do here, are you trying to become a vendor or are a customer of a vendor?
If you are a customer, you don't need anything other than an Apple account; you could ask for instructions from your vendor, more specifically, a Signed Certificate Signing Request (scsr) from your vendor. Then upload this file to the URL that you provide to get an APNS push certificate.
But if you are trying to become a vendor or want to create your own MDM server, you will need to have an enterprise account, and make sure the account has mdm option when first applied for this account.
More information can be found in Apple's doc of Mobile Device Management Protocol
http://adcdownload.apple.com//Documents/mobile_device_management_protocol/mobiledevicemanagement_121211.pdf
I have enrolled in the iOS developer's program. I've developed an app which I would like to test on an iPad device. For security reasons, I cannot have a direct internet connection on the Mac I am developing in.
I understand I can generate the certificate signing request and transfer it to another computer (this computer can have an internet connection), then upload it to the Apple website. This is where the tricky part comes: the developer certificate will be pending, until I download the WWDR intermediate certificate and install it on the Mac without internet. Then after I refresh the page nothing happens, of course, because the Mac in which I registered the WWDR has no way of communicating with Apple.
Is there another way of obtaining this certificate, or is there a method I could use, other than connecting the Mac to the internet?
To overcome this problem, you need to share certificates for multiple devices. You can easily export certificates from /Applications/Utilities/Keychain Access in .p12 format & install that on the other computer & after that you can sync all provisional, Adhoc & App Store profiles.
You can follow this tutorial and these links for a step-by-step process.