This certificate has an invalid issuer Apple Push Services

Question

I have created certificate to enable Push Services in my app, but every time I try to add certificate in my Keychain, after adding certificate it shows me following error:

This certificate has an invalid issuer

https://developer.apple.com/support/certificates/expiration/ — matt, Feb 15 '16 at 01:29
Note to people voting to close: This is on-tropic because it is about a TOOL that PROGRAMMERS use. — Ian Ringrose, Feb 16 '16 at 11:29
Readers should note that this problem is not specific for Push Services, but is found equally for expired iOS and Mac Developer and Distribution certificates. (The solutions work equally well for these.) — David, Sep 20 '16 at 13:23
Congrats on most relevant question, this Q is linked to by industry-standard CI tool for iOS fastlane during the step for downloading code signing identities called Match. — Sajjon, Nov 21 '18 at 11:51

score 626 · Answer 1 · edited Feb 17 '16 at 23:25

626

I think I've figured this one out. I imported the new WWDR Certificate that expires in 2023, but I was still getting problems building and my developer certificates were still showing the invalid issuer error.

In keychain access, go to View -> Show Expired Certificates. Then in your login keychain highlight the expired WWDR Certificate and delete it.
I also had the same expired certificate in my System keychain, so I deleted it from there too (important).

After deleting the expired certificate from the login and System keychains, I was able to build for Distribution again.

edited Feb 17 '16 at 23:25

Peter Mortensen

30,738
21
105
131

answered Feb 15 '16 at 00:12

AcidicSkittles

4,610
1
15
14

5

Thank you very much. This worked for me as well. It is important to remove the expired certificate from both the login and System keychains. – dfmuir Feb 15 '16 at 01:07
Thank you! this worked perfectly for me. Once I enabled Show expired certificates, there were login and system certs which expired today - February 14, 2016. I was able to delete them and add the WWDR cert from your link. After that it worked perfectly! – sudoExclaimationExclaimation Feb 15 '16 at 02:52
38

Had followed previous advise to delete based on 'Show Expired Certificates', but had only done Login. Also deleting from System did the trick. – markdwhite Feb 15 '16 at 03:08
13

please note, that you need to remove it also from System as well – Soufiane.ess Feb 15 '16 at 20:01
5

For me, I already had the new certificate (that expires in 2023), but I also had the old one that had expired. Both were in my System keychain. Once I removed the old certificate, I was able to build using my Distribution cert. – CoBrA2168 Feb 15 '16 at 21:58
It was the system thing that did it for me too. Apple really screwed up here - without SO there would simply be no way of finding this answer. – HughHughTeotl Feb 16 '16 at 01:30
5

Deleting expired certificate from System is rather most important. – Nitish Feb 16 '16 at 05:49
Maybe worthwhile to note that there is a similar bug in Keychain in which exporting p12 of an item will export the old expired one, unless you delete your old one. If you don't believe it verify with a Java or Python p12 reader. – NoBugs Feb 17 '16 at 04:44
I got stuck where I should have removed the old certificate - couldn't do it due to UNIX permissions error - and this thread just saved my life: http://stackoverflow.com/questions/35511314/unable-to-delete-apple-wwdrc-certificate?noredirect=1#comment58849071_35511314 – o.shnn Feb 25 '16 at 09:31
The full name of the expired certificate you're looking for is "Apple Worldwide Developer Relations Certificate Authority. – Schrockwell Feb 29 '16 at 15:41
followed your steps, did not work... After reboot my mac, It worked.Thank you – hellojinjie Mar 14 '16 at 03:21
Important to note that "Show expired Certificates" must be checked in the Menu in order to be able to see the ones that need to be deleted – Bradley Thomas Mar 26 '16 at 20:07
I was frustrated for a whole friggin' day and turned out I only have to delete one expired certificate. Really nice. – tyegah123 Apr 01 '16 at 08:39
1

This answer helped me, but I wasn't seeing the problem from the Keychain Access app, but from the CI build that uses the security cmd. When CI imported a certificate and tried to use "system find-identity -v keychain" it reported 0 valid identities. Without the "-v" option, it showed the identity, but with a suffix: CSSMERR_TP_CERT_EXPIRED. That initially made us think the cert had expired, but it had not. It wasn't until I tried manually adding the cert to the keychain on the failing machine that we saw that the issuer had expired. Hopefully, this comment helps someone in the same situation. – Lyndsey Ferguson Apr 14 '16 at 15:29
For me it worked right after installing new WWDR Certificate that expires in 2023. Thanks! – Kreutzer Aug 22 '16 at 16:05

mishimay · Answer 2 · 2016-02-15T12:40:09.300

Download https://developer.apple.com/certificationauthority/AppleWWDRCA.cer and double-click to install to Keychain.
Select "View" -> "Show Expired Certificates" in Keychain app.
Confirm "Certificates" category is selected.
Remove expired Apple Worldwide Developer Relations Certificate Authority certificates from "login" tab and "System" tab.

Here's Apple's answer.

Thanks for bringing this to the attention of the community and apologies for the issues you’ve been having. This issue stems from having a copy of the expired WWDR Intermediate certificate in both your System and Login keychains. To resolve the issue, you should first download and install the new WWDR intermediate certificate (by double-clicking on the file). Next, in the Keychain Access application, select the System keychain. Make sure to select “Show Expired Certificates” in the View menu and then delete the expired version of the Apple Worldwide Developer Relations Certificate Authority Intermediate certificate (expired on February 14, 2016). Your certificates should now appear as valid in Keychain Access and be available to Xcode for submissions to the App Store.

https://forums.developer.apple.com/thread/37208

Deleting expired Apple Worldwide Developer cert from key chain only helps but some times keychain does not show up you have quit and open key chain then search again Apple Worldwide Developer and make sure you should be selecting Allkeys. It took hell lot of time to fix this because expired Apple Worldwide Developer cert was still appearing after many deletions. — ashish, Feb 16 '16 at 12:24
Do I need to export the apple push service certificate newly after doing these above steps and upload them in my server? suddenly push notifications are not working. — Nazik, Feb 17 '16 at 05:02
I got stuck in the part where I should have removed the old certificate - couldn't do it due to UNIX permissions error - and this thread just saved my life: http://stackoverflow.com/questions/35511314/unable-to-delete-apple-wwdrc-certificate?noredirect=1#comment58849071_35511314 — o.shnn, Feb 25 '16 at 09:32

technerd · Answer 3 · 2017-10-04T05:07:13.747

This is not actually a development issue. It happens due to expiration of the Apple Worldwide Developer Relations Intermediate Certificate issued by Apple Worldwide Developer Relations Certificate Authority. WWDRCA issues the certificate to sign your software for Apple devices, allowing our systems to confirm that your software is delivered to users as intended and has not been modified.

To resolve this issue, you have to follow the below steps:

Open Keychain Access
Go to View -> Show Expired Certificates

Go to System in Keychain
Here you find that "Apple Worldwide Developer Relations Certificate Authority" is marked as expired. So delete it. Also check under Login Tab and delete expired WWDRCA.
Download new WWDR Intermediate Certificate from here(The renewed Apple Worldwide Developer Relations Certification Intermediate Certificate will expire on February 7, 2023).
Install it by double clicking on it.

If you still face any issue with your iOS apps, Mac apps, Safari extensions, Apple Wallet and Safari push notifications, then please follow this link of expiration.

The Apple Worldwide Developer Relations Certification Intermediate Certificate expires soon and we've issued a renewed certificate that must be included when signing all new Apple Wallet Passes, push packages for Safari Push Notifications, and Safari Extensions starting February 14, 2016.

While most developers and users will not be affected by the certificate change, we recommend that all developers download and install the renewed certificate on their development systems and servers as a best practice. All apps will remain available on the App Store for iOS, Mac, and Apple TV.

need to ensure that its really get deleted..now worked. Thanks. — Preetam Jadakar, Feb 17 '16 at 06:03
That's funny. I had problems with that certificate too, but in a other way — CocoaBean, Feb 18 '16 at 15:09
I got stuck trying to remove the old certificate - couldn't do it due to UNIX permissions error - and this thread just saved my life: http://stackoverflow.com/questions/35511314/unable-to-delete-apple-wwdrc-certificate?noredirect=1#comment58849071_35511314 — o.shnn, Feb 25 '16 at 09:33
How would I ensure this step is taken care of if I am to run a macOS runner using Github actions workflow? — Ankit, Jul 27 '21 at 08:37

score 101 · Answer 4 · edited Feb 26 '16 at 13:19

101

Here is how we fixed this.

Step 1: Open Keychain access, delete "Apple world wide Developer relations certification authority" (which expires on 14th Feb 2016) from both "Login" and "System" sections. If you can't find it, use “Show Expired Certificates” in the View menu.

Step 2: Download this and add it to Keychain access -> Certificates (which expires on 8th Feb 2023).

Step 3: Everything should be back to normal and working now.

Reference: Apple Worldwide Developer Relations Intermediate Certificate Expiration

edited Feb 26 '16 at 13:19

Box Box Box Box

5,094
10
49
67

answered Feb 15 '16 at 01:56

Mohith Km

2,079
1
16
16

1

I got stuck where I should have removed the old certificate - couldn't do it due to UNIX permissions error - and this thread just saved my life: http://stackoverflow.com/questions/35511314/unable-to-delete-apple-wwdrc-certificate?noredirect=1#comment58849071_35511314 – o.shnn Feb 25 '16 at 09:33
1

Thank you, this worked great. Before deleting that cert, I had Reset buttons in Xcode Accounts next to my signing identities, but pressing them did nothing. After deleting the expired "Apple world wide Developer relations certification authority" certificate, I was able to press Reset on each item in Xcode and it cleared it (the Reset button went away). On a side note...my god Apple, can you not make this stuff work better? I swear tens of thousands of hours of developer time have been wasted on these insane certificate/profile/signing issues...just make it work!! – Ben Stahl Feb 27 '17 at 20:39
How would I ensure this step is taken care of if I am to run a macOS runner using Github actions workflow? – Ankit Jul 27 '21 at 08:38

score 38 · Answer 5 · edited Jan 14 '17 at 09:52

38

In Apple's Developer's portal, add a new certificate, and when asked "What type of certificate do you need?" choose "WorldWide developer relations certificate". Generate the new certificate, download and install. The moment you do that, you will no longer see the message you have described.

Edit:
The certificate can be downloaded from the following page: https://www.apple.com/certificateauthority/ You can choose one of the following two certificates: "WWDR Certificate (Expiring 02/07/23)" or "WWDR Certificate (Expiring 02/14/16)"

edited Jan 14 '17 at 09:52

Aamir

16,329
10
59
65

answered Feb 14 '16 at 09:19

Arik Segal

2,963
2
17
29

1

there is no such option appears when we add new certificate – Aamir Feb 14 '16 at 09:23
8

downloaded and installed the new cert but still having the same issue - anything else have to do? – Mr Zorn Feb 14 '16 at 21:22
@MrZorn I'm having the same problem, but just FYI I tried to export the p12 and it worked anyway. – superarts.org Feb 14 '16 at 23:06
4

@MrZorn U need to go View -> show expried -> del the old WWDR cert – Tj3n Feb 15 '16 at 04:47
How would I ensure this step is taken care of if I am to run a macOS runner using Github actions workflow? – Ankit Jul 27 '21 at 08:38

Kondal Kolipaka · Answer 6 · 2016-06-27T03:31:37.870

32

Follow the below steps:

Download and install from here. Double click and install it.
Select "View" -> "Show Expired Certificates" in Keychain app.
Remove Apple Worldwide Developer Relations Certificate Authority certificates from "login" tab and "System" tab in Keychain app.

If you don't find your WWDR certificate in Login or System tab, then select category "All items" on the left side. Most probably you will get to see an expired WWDR certificate here, and you can remove it. An expired certificate is always shown with a red asterisk.

edited Jun 27 '16 at 03:31

answered Feb 15 '16 at 06:54

Kondal Kolipaka

3,471
22
28

How would I ensure this step is taken care of if I am to run a macOS runner using Github actions workflow? – Ankit Jul 27 '21 at 08:38

score 28 · Answer 7 · edited Feb 17 '16 at 23:33

If you are facing the "This certificate has an invalid issuer" error for all your certificates then do the following steps.

Steps:

Open Keychain and Click on Login -> All Items from the left panel.
Now, Click on View -> Show Expired Certificates from the top navigation menu.
Now search for "Apple Worldwide Developer Relations Certification Authority" and delete expired certificates.
After deleting expired certificates, visit the following URL and download the new certificate, https://developer.apple.com/certificationauthority/AppleWWDRCA.cer.
Double click on the newly downloaded certificate, and install it in your keychain.
Double check: List expired certificates by following step number 3.
Now you have a valid "Apple Worldwide Developer Relations Certification Authority" having expiry date 2023-02-07.

Reference:

Apple Worldwide Developer Relations Intermediate Certificate Expiration

How would I ensure this step is taken care of if I am to run a macOS runner using Github actions workflow? — Ankit, Jul 27 '21 at 08:38

score 23 · Answer 8 · edited Feb 17 '16 at 23:42

As described in the Apple Worldwide Developer Relations Intermediate Certificate Expiration:

The previous Apple Worldwide Developer Relations Certification Intermediate Certificate expired on February 14, 2016 and the renewed certificate must now be used when signing Apple Wallet Passes, push packages for Safari Push Notifications, Safari Extensions, and submissions to the App Store, Mac App Store, and App Store for Apple TV.

All developers should download and install the renewed certificate on their development systems and servers. All apps will remain available on the App Store for iOS, Mac, and Apple TV.

The new valid certificate will look like the following:

It will display (this certificate is valid) with a green mark.

So, go to your Key Chain Access. Just delete the old certificate and replace it with the new one (renewed certificate) as Apple described in the document. Mainly the problem is only with the Apple push notification service and extensions as described in the Apple document.

You can also check the listing of certificates in https://www.apple.com/certificateauthority/

Certificate Revocation List:

Now this updated certificate will expire on 2023-02-08.

If you could not see the old certificate then go to the System Keychains and from edit menu and select the option Show Expired Certificates.

Now you can see the following certificate that you have to delete:

How would I ensure this step is taken care of if I am to run a macOS runner using Github actions workflow? — Ankit, Jul 27 '21 at 08:39

score 20 · Answer 9 · edited Sep 16 '16 at 12:31

20

You need to search the World from the top right search bar and delete the expired certificate. Make sure you selected Login and All items.

edited Sep 16 '16 at 12:31

Aamir

16,329
10
59
65

answered Feb 16 '16 at 05:58

Ahsan

827
6
10

1

How would I ensure this step is taken care of if I am to run a macOS runner using Github actions workflow? – Ankit Jul 27 '21 at 08:39

score 16 · Answer 10 · answered Feb 14 '16 at 23:43

16

Just try to set local date earlier than Feb 14. Works for me! Not a complete solution but temporary solve the problem.

answered Feb 14 '16 at 23:43

Vitali Usau

209
1
4

Like you said, this is not a solution. But it's still interesting, that why I won't downvote. – Martin Feb 26 '16 at 08:38

score 6 · Answer 11 · edited Jul 14 '16 at 04:59

6

All my certificates are installed and expire dates are fine.
I deleted and reinstalled all my certificates, still no luck

In the end, I right-clicked on the certificate, and selected "Get Info". Under the Trust section, I selected "Always Trust" and this solved my problem.

edited Jul 14 '16 at 04:59

Aamir

16,329
10
59
65

answered Jul 13 '16 at 11:49

David Bertrand

311
3
4

score 6 · Answer 12 · answered Apr 20 '21 at 13:57

6

If you got here from the Fastlane then this snippet might fix your CI deployments. Execute it before the signing.

 apple_intermediate_certificate_path = "/tmp/AppleWWDRCAG3.cer"
`curl https://www.apple.com/certificateauthority/AppleWWDRCAG3.cer --output #{apple_intermediate_certificate_path}`

other_action.import_certificate(
  certificate_path: apple_intermediate_certificate_path,
  keychain_name: YOUR_KEYCHAIN_NAME,
  keychain_password: YOUR_KEYCHAIN_PASSWORD
)

answered Apr 20 '21 at 13:57

Cyril Cermak

191
2
4

I get this error on import_certificate. `security: SecKeychainItemImport: Write permissions error.` and getting the same error on get_certificate: `Could not create another Distribution certificate, reached the maximum number of available Distribution certificates` @Cyril any thoughts? – adee Apr 22 '22 at 14:20
Hi @adee, do you have the keychain unlocked? You can have a look here; https://docs.fastlane.tools/actions/unlock_keychain/. In my case, I always create a new keychain and I never experienced such errors. Maybe you can try something like that. – Cyril Cermak Apr 22 '22 at 19:12

score 1 · Answer 13 · answered Mar 07 '21 at 03:24

1

in 2021:

Download AppleWWDRCAG3.cer (valid untill 2030) from https://developer.apple.com/support/expiration/
Install it

answered Mar 07 '21 at 03:24

Amazonian

119
8

score 0 · Answer 14 · answered Oct 19 '22 at 09:16

If you are here from fastlane suggestion and still getting this error

after trying all above fixes
security find-identity -v -p codesigning returns valid identities found
error is happening only on build server
if you log in "manually" everything works

then this is probably due to the fact that the distribution certificate is in the wrong place:

"Login" keychain works while logged in
"System" keychain works with build server run as daemon

Check this answer with screenshot, you can just right click distribution certificate in the login keychain and paste it into system.

This certificate has an invalid issuer Apple Push Services

14 Answers14

Linked

Related