Proper way to renew distribution certificate for iOS

Question

My distribution certificate is expiring on June 7th, along with all of my provisioning files. How do I properly renew it? Should I revoke it now and request a new one? If I do that than will all my live apps be taken down?

For whatever reason, after not using this account for years, I got a notification about this reply. Am not dead (yet). I'd also just like to thank everyone on StackOverflow over the years for helping me. I wrote this question when I was 14 (now 21). Since then, I have kept making iOS apps, and will soon start a full-time role at Apple (my dream for as long as I can remember). Thanks again to everyone that helped along the way! — user1413558, Jan 22 '20 at 04:38
great story! yeah the years pass ! you can't even imagine how programming got done before online QA. cheers — Fattie, Jan 22 '20 at 11:06

Andy Obusek · Accepted Answer · 2015-12-03T21:15:06.193

420

Your live apps will not be taken down. Nothing will happen to anything that is live in the app store.

Once they formally expire, the only thing that will be impacted is your ability to sign code (and thus make new builds and provide updates).

Regarding your distribution certificate, once it expires, it simply disappears from the ‘Certificates, Identifier & Profiles’ section of Member Center. If you want to renew it before it expires, revoke the current certificate and you will get a button to request a new one.

Regarding the provisioning profile, don't worry about it before expiration, just keep using it. It's easy enough to just renew it once it expires.

The peace of mind is that nothing will happen to your live app in the store.

edited Dec 03 '15 at 21:15

answered May 25 '12 at 19:21

Andy Obusek

12,614
4
41
62

8

Thanks, they expired today. Renewed them with no problems. – user1413558 Jun 09 '12 at 02:15
39

Just an fyi for other people. I revoked a certificate used for enterprise distribution and was **NOT** given an option to renew the certificate. It was just gone. App was down (not installable) until I rebuilt it with the new cert. – foldinglettuce May 08 '13 at 17:41
43

Hey, don't revoke your in-house certificate!! Your in-house apps won't work after a reboot/3days, unless you can update all your apps in that time period. Apple allows you to create 2 in-house apps so it can overlap each other and then you update your new apps with it. Do not revoke it. Only thing you can revoke is the App-Store Cert without stopping existing apps. – mskw May 21 '13 at 14:57
19

Strictly speaking, you cannot *renew* certificates, you have to *generate new ones* - see http://developer.apple.com/library/ios/#documentation/IDEs/Conceptual/AppDistributionGuide/MaintainingCertificatesandProvisioningAssets/MaintainingCertificatesandProvisioningAssets.html#//apple_ref/doc/uid/TP40012582-CH20-SW2 – mklement0 Jun 27 '13 at 01:47
1

I've updated the answer so it is no longer out of date – Andy Obusek Dec 03 '15 at 21:15
2

Updated link to apple's docs on this: https://developer.apple.com/library/ios/documentation/IDEs/Conceptual/AppDistributionGuide/MaintainingCertificates/MaintainingCertificates.html#//apple_ref/doc/uid/TP40012582-CH31-SW29 – qix Feb 15 '16 at 18:26
@MadNik no it doesn't – Andy Obusek Apr 18 '16 at 14:49
Here (https://developer.apple.com/support/certificates) it says that when the push certificate is expired you can no longer send push notifications to your app - so that means your app stops working properly. So why do you say "peace of mind"? – Nathan B Dec 12 '16 at 21:56
1

@nadavb - peace of mind regarding expiration of `distribution certificate` and `provisioning profile`. they didn't say anything here about `push certificate`. – WEBjuju Dec 21 '17 at 02:34
4

Some things have changed since the last edit on this answer. Expired certificates nowadays do not disappear from the list; they show as "Expired". Revoking an existing distribution certificate removes it from the list, you do not get a button to request a new one. – S.L. Barth is on codidact.com Feb 07 '18 at 09:36
2

There are others advising NOT to revoke certs, and describing the dangers in doing so. – David Shantz WildOutWest Apr 04 '22 at 22:17

junjie · Answer 2 · 2017-07-02T07:17:19.647

When your certificate expires, it simply disappears from the ‘Certificates, Identifier & Profiles’ section of Member Center. There is no ‘Renew’ button that allows you to renew your certificate. You can revoke a certificate and generate a new one before it expires. Or you can wait for it to expire and disappear, then generate a new certificate. In Apple's App Distribution Guide:

Replacing Expired Certificates

When your development or distribution certificate expires, remove it and request a new certificate in Xcode.

When your certificate expires or is revoked, any provisioning profile that made use of the expired/revoked certificate will be reflected as ‘Invalid’. You cannot build and sign any app using these invalid provisioning profiles. As you can imagine, I'd rather revoke and regenerate a certificate before it expires.

Q: If I do that then will all my live apps be taken down?

Apps that are already on the App Store continue to function fine. Again, in Apple's App Distribution Guide:

Important: Re-creating your development or distribution certificates doesn’t affect apps that you’ve submitted to the store nor does it affect your ability to update them.

So…

Q: How to I properly renew it?

As mentioned above, there is no renewing of certificates. Follow the steps below to revoke and regenerate a new certificate, along with the affected provisioning profiles. The instructions have been updated for Xcode 8.3 and Xcode 9.

Step 1: Revoke the expiring certificate

Login to Member Center > Certificates, Identifiers & Profiles, select the expiring certificate. Take note of the expiry date of the certificate, and click the ‘Revoke’ button.

Step 2: (Optional) Remove the revoked certificate from your Keychain

Optionally, if you don't want to have the revoked certificate lying around in your system, you can delete them from your system. Unfortunately, the ‘Delete Certificate’ function in Xcode > Preferences > Accounts > [Apple ID] > Manage Certificates… seems to be always disabled, so we have to delete them manually using Keychain Access.app (/Applications/Utilities/Keychain Access.app).

Filter by ‘login’ Keychains and ‘Certificates’ Category. Locate the certificate that you've just revoked in Step 1.

Depending on the certificate that you've just revoked, search for either ‘Mac’ or ‘iPhone’. Mac App Store distribution certificates begin with “3rd Party Mac Developer”, and iOS App Store distribution certificates begin with “iPhone Distribution”.

You can locate the revoked certificate based on the team name, the type of certificate (Mac or iOS) and the expiry date of the certificate you've noted down in Step 1.

Step 3: Request a new certificate using Xcode

Under Xcode > Preferences > Accounts > [Apple ID] > Manage Certificates…, click on the ‘+’ button on the lower left, and select the same type of certificate that you've just revoked to let Xcode request a new one for you.

Step 4: Update your provisioning profiles to use the new certificate

After which, head back to Member Center > Certificates, Identifiers & Profiles > Provisioning Profiles > All. You'll notice that any provisioning profile that made use of the revoked certificate is now reflected as ‘Invalid’.

Click on any profile that are now ‘Invalid’, click ‘Edit’, then choose the newly created certificate, then click on ‘Generate’. Repeat this until all provisioning profiles are regenerated with the new certificate.

Step 5: Use Xcode to download the new provisioning profiles

Tip: Before you download the new profiles using Xcode, you may want to clear any existing and possibly invalid provisioning profiles from your Mac. You can do so by removing all the profiles from ~/Library/MobileDevice/Provisioning Profiles

Back in Xcode > Preferences > Accounts > [Apple ID], click on the ‘Download All Profiles’ button to ask Xcode to download all the provisioning profiles from your developer account.

Hi Junjie, thanks! I'm facing [this problem](http://stackoverflow.com/q/24438010/810661) with Xcode 7. What happens to apps released whit AdHoc distribution provisioning profile, if I revoke distribution certificate? Does they still alive? Thanks — Frade, Oct 15 '15 at 16:44
@Frade according to Apple: iOS Distribution Certificate (in-house, internal use apps), Users will no longer be able to run apps that have been signed with this certificate. You must distribute a new version of your app that is signed with a new certificate. See https://developer.apple.com/support/certificates/ — junjie, Oct 16 '15 at 06:00
I was asking about AdHoc, but probably is the same situation. Thanks — Frade, Oct 16 '15 at 10:59
@junjie What happen in the case the app published in the store has push notifications entitlements? Will it be still able to send push notifications after the certificate is expired? — Otávio, Nov 13 '15 at 09:22
@Otávio your app distribution certificates (what we're dealing with in this question) is separate from your APNS certificate. the APNS certificate is not part of the app binary. you can revoke/renew your APNS certificate without updating your app binary. it is your push server that requires the APNS certificate. — junjie, Nov 22 '15 at 13:53
@junjie Ah ok, got it now. I thought the app binary and the APNS certificates were binded too. Thanks for making things clear. — Otávio, Nov 22 '15 at 14:24
Apps that are already in the app store would still continue to function. What about Enterprise apps? — SleepNot, Apr 03 '16 at 13:24
@junjie, Do you know what would be the state of distribution profile if i modified it to add a new adhoc certificate (apple allows us to have more than one adhoc distribution certificate at a time) while other certificate already in profile would expire tomorrow? Will profile becomes invalid because one certificate expired or valid because one is valid? Any idea? — Saran, Apr 22 '16 at 06:32

score 67 · Answer 3 · answered Jan 22 '20 at 00:10

67

As of January 2020 and Xcode 11.3.1 -

Open Xcode
Open Xcode Preferences (Xcode->Preferences or Cmd-,)
Click on Accounts
At the left, click on your developer ID
At the bottom right, click on Manage Certificates...
In the lower left corner, click the arrow to the right of the + (plus)
Select Apple Distribution from the menu

Xcode will automatically create an Apple Distribution certificate, install it in Keychain Access, and update Xcode's signing information

(Note: the single Apple Distribution certificate is now provided instead of the previous iOS Distribution certificate and equivalents.)

answered Jan 22 '20 at 00:10

leanne

7,940
48
77

1

curious: got my mail from apple to renew iOS Distribution Certificate. no info that I should create an Apple Distribution certificate instead. – ekkescorner Feb 05 '20 at 11:57
The email doesn’t mention it, @ekkescorner. It’s in the docs online. – leanne Feb 05 '20 at 14:31
8

this new workflow to re-create certificates sounds too easy ;-) thx again – ekkescorner Feb 05 '20 at 18:24
1

and edit your provisioning profile to include this certificate – vinayr Jan 05 '21 at 09:28

score 11 · Answer 4 · answered Oct 06 '16 at 08:43

11

Very simple was to renew your certificate. Go to your developer member centre and go to your Provisioning profile and see what are the certificate Active and InActive and select Inactive certificate and hit Edit button then hit generate button. Now your certificate successful renewal for another 1 year. Thanks

answered Oct 06 '16 at 08:43

Shanmugasundharam

2,082
23
32

@Shanmugasundharam , Shall we push a new version in the app store after creating a Provisioning profile. – Niraj Paul Aug 20 '19 at 13:30
This still requires a .csr file generated from xcode, at least, from what I've found. From developer.apple.com/account, I go to "Certificates, IDs & Profiles"->"Profiles". I see a ReleaseProfile and a TestingProfile. Both show "Invalid" under the "Expiration" column. I click on ReleaseProfile, then "Edit". Under "Certificates" it says "No Certificates are available" with a "Create Certificate" button. I click it. I then select "iOS Distribution" and "Continue". Now, in order to create it, I need to "Choose File", meaning upload a CSR file, which I assume can only be generated from xcode. – Brent212 Aug 21 '19 at 02:25
Figured out that I can generate a CSR simply by running, in Linux: **** openssl req -nodes -newkey rsa:2048 -keyout private_key.key -out cer_sign_request.csr **** Can't believe there's so many answers to "how to generate certificate csr" that require xcode without mention of this simple solution that doesn't require dusting off my old mac and firing up a bulky IDE. – Brent212 Aug 21 '19 at 03:07
@NirajPaul Your application will still work for the users who downloaded it from the store, and it'll even work for you if you download it from the store. This only effects users who put the application on the device using a provisioning profile (ie you built it and installed it on your device from xCode). Users past, present, and future will not notice anything different. https://stackoverflow.com/a/7128502/3493877 Source from here – Shanmugasundharam Aug 21 '19 at 09:51

score 3 · Answer 5 · answered Sep 15 '21 at 06:57

Hello guys..

I have found the best way to update IOS certificate, With the simple steps. Here everyone can update without any queries.

IOS certificate update / Certificate Changes Steps :

1) Open a key chain access.

2) Click on the show certificate.

3) Keychain access => certificate assistant => Request a certificate from a certificate authority..

4) Open a devloper console => account => certificate IDS & Profiles.

5) Click on Certificates + icon and create a new => ios Distribution (app store and Ad Hoc). then after click on the continue button.

6) Choose and uploade a certificate => after that download uploaded certificate by click on download button.

7) Then edit certificate and then update latest uploaded certificate.

8) Open a Xcode => click on signing & capablities => Download profile => select profile new uploaded certificate.

Reference video link https://youtu.be/v19ZoFa1cJs

score 0 · Answer 6 · answered Sep 24 '15 at 12:44

This was a really a helpful thread, I followed the same steps as @junjie mentioned but for me something weird happened, the below are the steps I did.

Went to developer portal and revoked the certificate which was about to expire.
Went to XCode6.4 and in the Account settings, the certificate still showed valid, I went crazy.
Then I opened XCode7, there the certificate was shown with "Reset" button instead of create and I hit the reset button and later in the portal I was able to see an extended certificate present. This is what Apple says about Reset button

If Xcode detects an issue with a signing identity, it displays an appropriate action in Accounts preferences. If Xcode displays a Create button, the signing identity doesn’t exist in Member Center or on your Mac. If Xcode displays a Reset button, the signing identity is not usable on your Mac—for example, it is missing the private key. If you click the Reset button, Xcode revokes and requests the corresponding certificate.

I tried creating an Appstore ipa with that, just to test and it worked fine so I am saved, but still not sure what has happened. May be I had multiple accounts configured in my Mac, dont know.