23

I have a quick question. I develop iOS apps for multiple clients. Each client has their own Apple accounts and I create certificates for them from my machine. My question here is can I use the same CSR file to create certificates for different companies? Thanks.

Machavity
EmptyStack

1 Answer

22

Yes, technically you can use the same Certificate Signing Request to create multiple certificates for multiple companies; clearly, the certificate request must be uploaded from the right developer account.

The CSR in fact contains the requester's public key, which will be used by the CA (in this case Apple) to create the requested certificate. You can see its content by using the openssl command:

openssl req -text -noout -verify -in CertificateSigningRequest.certSigningRequest

But as a user correctly noted in a comment, all your certificates will be tied to the same private key (a public/private key pair is in fact regenerated each time you create a CSR), and this could lead to reduced security if the machine requesting the certificate gets compromised. Some services require a unique CSR for each certificate generation, but at the moment this is not enforced by Apple, which allows the same CSR to be reused. This CSR separation is especially useful for the creation of the distribution certificates and the APNS production certificates.

viggio24
Yes, you can do this, but you intentionally break one of the many layers of security mechanisms protecting code signature. Key pairs are only generated when constructing a CSR, not each time you submit the CSR to Apple, so each company winds up using the same key pair, breaching PKI compartmentalization. Take the extra 30 seconds and regenerate the key pair each time you request a new certificate; your clients will thank you should your work machine become compromised and you have to reissue certs for all your clients. – Bryan Musial Aug 11 '13 at 05:38
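The following script is an added example, not code from the answer or the comment above; it makes the point from both concrete with the openssl CLI. It generates a fresh key pair and CSR per client (the recommended path), also builds one CSR that reuses an existing client's key (the anti-pattern the comment describes), and then fingerprints the public key carried in each CSR so you can see which requests would end up tied to the same private key. The client names, the subject fields and the working directory are all constructed for the demo; the `-pubkey` output of `openssl req` is the same public key that `openssl req -text` prints in the answer.

```sh
#!/bin/sh
# Added example (not from the Stack Overflow post): one fresh key pair per CSR,
# plus a deliberate key-reuse case, compared by public-key fingerprint.
set -eu

# Constructed scratch directory; override with WORKDIR=/some/path.
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# new_client_csr NAME
# Recommended path: generate a new 2048-bit RSA key and a CSR for one client.
# Prints the CSR path. The key stays in $WORKDIR/NAME.key and is used once.
new_client_csr() {
    name="$1"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORKDIR/$name.key" \
        -out "$WORKDIR/$name.csr" \
        -subj "/CN=$name/O=$name/C=US" >/dev/null 2>&1
    echo "$WORKDIR/$name.csr"
}

# reuse_key_csr NAME EXISTING_KEY
# The anti-pattern from the comment: a CSR for a different client that is
# signed with (and embeds the public half of) a key already used elsewhere.
reuse_key_csr() {
    name="$1"; key="$2"
    openssl req -new -key "$key" -sha256 \
        -out "$WORKDIR/$name.csr" \
        -subj "/CN=$name/O=$name/C=US" >/dev/null 2>&1
    echo "$WORKDIR/$name.csr"
}

# csr_verify CSR
# Check the CSR's self-signature, as the answer's -verify flag does.
csr_verify() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# csr_pubkey_fingerprint CSR
# SHA-256 over the DER-encoded SubjectPublicKeyInfo embedded in the CSR.
# Two CSRs with equal fingerprints are backed by the same private key.
csr_pubkey_fingerprint() {
    openssl req -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 \
        | awk '{print $NF}'
}

# same_key CSR1 CSR2
# Succeeds when both CSRs carry the same public key.
same_key() {
    [ "$(csr_pubkey_fingerprint "$1")" = "$(csr_pubkey_fingerprint "$2")" ]
}

# Demo run: two clients done properly, a third that reuses clientA's key.
main() {
    a=$(new_client_csr clientA)
    b=$(new_client_csr clientB)
    c=$(reuse_key_csr clientC "$WORKDIR/clientA.key")
    for f in "$a" "$b" "$c"; do
        csr_verify "$f"
        printf '%s  %s\n' "$(csr_pubkey_fingerprint "$f")" "$f"
    done
    if same_key "$a" "$c"; then
        echo "clientA and clientC share one private key: compromising that key affects both."
    fi
    if ! same_key "$a" "$b"; then
        echo "clientA and clientB have independent keys: one compromise, one reissue."
    fi
}

main
```

Run it as `sh csr_demo.sh`; the two fingerprints for clientA and clientC come out identical, clientB's differs. Apple's portal does not reject a reused CSR, so a check like `same_key` against the CSRs you have already submitted is the only thing standing between you and the shared-key situation the comment warns about.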