How to create P12 certificate for iOS distribution

Question

We have an iOS app whose push notification cert has expired and we're trying to create a new one. I've created new certs in the Provisioning portal (ios_developer.cer, ios_distribution.cer) and downloaded them. I was following instructions here on Stack Overflow to convert it to PEM and then to P12 files, but I'm stuck. When I then attempt to convert the PEM to P12, it wants a private key of some sort, and I don't know where to get it.

I've also tried loading these into Keychain Access. I had read that you could export them as P12 from there, but when I do the Import, they don't appear anywhere.

I found a solution here,https://www.iosenterpriseaccount.com/how-to-create-p12-certificate-for-ios-distribution — user1329261, Apr 22 '23 at 07:21

score 160 · Accepted Answer · answered Feb 23 '12 at 18:11

160

Your private key is generated when you created the signing request in Keychain Access. After the cert is generated and downloaded, double-clicking it will add it to Keychain Access where it will be matched up with the private key. You can then select the cert, and open the arrow to also select the private key and export them together as a .p12 file from Keychain Access.

answered Feb 23 '12 at 18:11

picciano

22,341
9
69
82

Thanks.. okay so it looks like what I need to do is get my employer's certificate imported into my Mac. But he doesn't have a Mac and we don't know of anywhere it is installed. Do you know how I can download/import this from the Dev Center? Thanks. – RobG Feb 23 '12 at 18:55
13

Nevermind; figured it out. Man no wonder people have such trouble with this... it's confusing! – RobG Feb 23 '12 at 21:51
18

Would be nice but p12 is greyed out for me :( – Rob Sep 04 '13 at 16:51
23

@Rob you need to select the private key and not the whole cert. In the Keychains on top left select "Login" then underneath in Category select "certificates" you'll see you cert has a drop arrow now, click it and the private key will show right click and export hat as a .p12 – tutts Oct 02 '13 at 23:51
4

@rocky What if I don't get the expand option? Does that mean that the key is missing from the cert? – user1354603 Jan 10 '14 at 08:11
@user1354603 there should be a public and private key in the same location, public doesn't have the drop select option. Once you created the private key, did you double click it to add it to the keychain? Maybe detail what you've done so far... – tutts Jan 12 '14 at 07:21
7

I am not getting the drop-down option either. I double-clicked the certificate after downloading, and it shows up in the login keychain, but not under the private key. I only see it under Certificates, there is no connection between the key and certificate that I can see. – setherj Jul 10 '14 at 19:50
7

same here. No dropdown, p12 grayed-out – trainoasis May 25 '15 at 10:29
@Rob. i accidentally deleted my private key form ke-chain. so now i cant see private key below certificate. i have CSR file how to install private key again from CSR? – Avijit Nagare Mar 18 '16 at 14:19
@AvijitNagare You cannot. The CSR does not contain the private key. It was only stored in your keychain unless you manually copied it somewhere else. You will need to generate a new key pair. – picciano Mar 18 '16 at 14:59
You should not click the dropdown and select both items. Just select the certificate itself and then export. Right click should show "Export certficiate..." not "Export 2 items" – Max Phillips Feb 21 '18 at 00:47
1

If you don't see the dropdown arrow on the left of the cert, then first select "Certificates" or "My Certificates", it doesn't display the arrow if you select "All Items" /: – Yusuf X Mar 16 '18 at 21:40
My private key and my cert seem to be in two different places in keychain. One under login and the other under login2. When I export the private key as a .p12 it works but when I upload it to firebase it says "There was an error reading your certificate". – MadMac Sep 03 '19 at 06:02
I had to drag the keys to login2 and then I got the drop down arrow and the export worked properly. Before that I could export the keys but they would not work. – MadMac Sep 03 '19 at 06:25

score 125 · Answer 2 · edited Mar 15 '21 at 11:54

125

.p12 files are used to publish app on the Apple App Store

A. On your Mac Create a (.certSigningRequest) CSR file

Open Keychain Access from Utilities
From Keychain Access toolbar select Keychain Access -> Preference
In the pop up window select Certificates tab
Set both “Online Certificate Status Protocol” and “Certificate Revocation List” to “Off"
Close this window
Now from toolbar, open Keychain Access > Certificate Assistant > Request a Certificate From a Certificate Authority
Enter email address and common name that you used to register in the iOS Developer Program
Keep CA Email blank and select “Saved to disk” and “Let me specify key pair information”
Click Continue
Choose a filename & destination on your hard drive
Click Save
In the next window, set “Key Size” value to “2048 bits”
Set “Algorithm” to “RSA”
Click Continue

This will create and save your certSigningRequest file (CSR) to your hard drive. A public and private key will also be created in Keychain Access with the Common Name entered.

B. Create ".cer" file in iOS developer account

Login to apple developer account Click “Certificates, Identifiers & Profiles”
Click “Provisioning Profiles”
In the “Certificates” section click “Production”
Click the “Add” (+) button at the top-right of the main panel
Now, choose “App Store and Ad Hoc”
Click Continue
Click “Choose File” & find CSR file you’ve made from your hard drive
Click Generate
Click Download to get the file

C. Install .cer and generate .p12 certificate

Find .cer file you’ve downloaded and double-click
Set Login drop-down to “login" and Click Add
Open up KeyChain Access and you'll find profile created in Step A
You can expand “private key” profile (shows certificate you added)
Select only these two items (not the public key)
Right click and click “Export 2 items…” from popup
Now make sure file format is “.p12” and choose filename and destination on your hard drive
Click Save. Now, you’ll be prompted to set a password but keep these both blank
Click OK. Now, you have a .p12 file on your hard drive

Take a note that if issue still persists then try below step as well:

If your keychain is present in iCloud then remove all keychain content from iCloud and do new setup in iCloud This should work.

edited Mar 15 '21 at 11:54

Matas Vaitkevicius

58,075
31
238
265

answered Mar 10 '15 at 11:46

Jayprakash Dubey

35,723
18
170
177

1

i accidentally deleted my private key form ke-chain. so now i cant see private key below certificate. i have CSR file how to install private key again from CSR? – Avijit Nagare Mar 18 '16 at 14:19
1

Had a really hard time figuring out the apple process of getting a .p12 file generated as i am a windows phone guy and this post really helped me understand it. – Mohammed Aamir K May 23 '16 at 23:44
1

Very useful instructions. Thanks a lot. It saved a lot of time. – Alok C Aug 04 '16 at 02:54
Why set 'Online Certificate Status Protocol' and the other to off? – Nate Feb 28 '17 at 21:28
In my case, just exporting the certificate (parent of private key) worked. Exporting both certificate and private key did not work. Read @Jessicardo's answer below. – Gautam Jain Jun 08 '18 at 10:05
I can't see anything under 'My certificates'. Followed the steps above – Nazar Medeiros Jan 10 '20 at 19:56
@NazarMedeiros: Do it again. You should be able to see it. – Jayprakash Dubey Jan 13 '20 at 11:19
I have tried it almost 50 times now. Created SigningCertificateRequest on my new mac. Uploaded it to the developer portal to be able to download Apple Push notifications certificate. When double clicking on it, certificate is not imported to „my certificate“ – Nazar Medeiros Jan 13 '20 at 11:23
1

I solved this issue. To explain you what I did: Make sure that your keychain doesn't appear in the iCloud. Once it is there, there is a risk that you get the issue above. I deinstalled everything, made a new setup without using the data in my iCloud, then it worked. – Nazar Medeiros Mar 30 '20 at 10:31
Sorry to bother, but what do you mean Keep them both blank ( Step C.8 above)? Keep the passwords blank? I tried that, but when trying to publish via Animate 2020 it requires a password for the p.12 file? – FlashV8 Jul 17 '20 at 04:13

score 42 · Answer 3 · answered Feb 25 '13 at 20:48

42

you will not get the expand option unless you filter by choosing (Certificates) from key chain left bottom corner

answered Feb 25 '13 at 20:48

albaiti

706
7
10

score 39 · Answer 4 · edited May 23 '17 at 12:34

39

OK, problem solved! it seems that when i double click on the certificate, it automatically installs it in the SYSTEM keychain - i don't know why. So instead, i simply drag and drop the certificate into the LOGIN keychain and then all is good. Thanks to this article -> Adding certificates to keychain and generating .p12 file format - alon rosenfeld 10 months ago

edited May 23 '17 at 12:34

Community

1
1

answered Dec 04 '13 at 00:45

Abraham Lopez

391
3
2

1

Oh, wow. I spent hours trying to figure this out. I would have wasted another week if it weren't for this answer. – B Seven Jan 21 '14 at 19:23
1

Thank you so much. I wasted hours trying to figure this out. – SaltedBlowfish Jun 09 '15 at 22:35
1

Yep, wasted hours of time, saved :) – Sahan May 19 '16 at 10:17
1

Still works in 2020. This answer saved a macbook that was about to be smashed into the wall after two days of fighting "No iOS signing identities match the specified provisioning profile." – Raghu Oct 25 '20 at 06:12

score 12 · Answer 5 · answered Jul 18 '19 at 05:22

To get your p12 file go this way..

Step 1. In XCode > Go to Project settings > General > Signing section > Signing Certificate

See which certificate you are using for this particular app as shown in image below

Step 2. Open Keychain > on Left bottom Category section > Certificates

Look for the certificate and open child by clicking on down arrow as show in image

Step 3. Right click and export as "Certificates.p12" by giving your password eg. "123456"

I don't have that arrow to expand – Nazar Medeiros Jan 10 '20 at 19:51 — Nazar Medeiros, Jan 10 '20 at 19:51

score 8 · Answer 6 · answered Feb 21 '18 at 08:13

8

For anyone else having the greyed/grayed out P12 option:

Make sure you are in the My Certificates or Certificates category in Keychain Access.

https://sailthru.zendesk.com/hc/en-us/articles/115000032546-Can-t-export-my-certificate-in-p12-format

answered Feb 21 '18 at 08:13

Dirk Boer

8,522
13
63
111

1

Totally saved me – Natalia Terlecka Mar 14 '22 at 15:19
That's where the intenet is for – Dirk Boer Mar 14 '22 at 15:26

Lai Lee · Answer 7 · 2021-10-12T16:29:00.863

8

For anyone else having the greyed/grayed out P12 option,

here is the latest screenshot (2021) from my macbook pro.

edited Oct 12 '21 at 16:29

answered Oct 12 '21 at 16:23

Lai Lee

1,054
14
17

1

this step is crucial! – d3vtoolsmith Dec 29 '22 at 21:07

score 4 · Answer 8 · answered May 28 '16 at 14:36

4

For anyone still having this issue, the solution for me was to NOT select both and "Export 2 items" (the key and the certificate) - rather just export the certificate which ALREADY includes the key. As of 2016 i think this is the way to do it because previous uploads that worked with the export 2 items no longer work.

answered May 28 '16 at 14:36

Jessicardo

826
1
8
12

I can't export only the certificate as p12 - are you sure this is the correct way? – Steven Matthews Jul 31 '17 at 22:06
Same here. This is very important. – Gautam Jain Jun 08 '18 at 10:06

score 3 · Answer 9 · answered Nov 10 '20 at 15:07

I ended up here as I was trying to build an iOS app in the cloud using MS Visual Studio App Center WITHOUT a Mac. The issue is every tutorial uses the top rated answer above by Jayprakash Dubey. That approach uses a Mac and KeyChain. The solution comes from SO here.

You need a Key (aps_development.key), and then:

Create key pair : openssl genrsa -out aps_development.key 2048
Create CSR : openssl req -new -sha256 -key aps_development.key -out aps_development.csr
Upload the CSR to developer portal to get the certificate aps_development.cer
Convert the certificate: openssl x509 -inform DER -outform PEM -in aps_development.cer -out aps_development.pem
Build the PKCS#12: openssl pkcs12 -inkey aps_development.key -in aps_development.pem -export -out aps_development.p12

You can then go ahead and make an app id and a provisioning profile. This will allow you to build in the App Center.

App Center itself does use Macs in the Cloud to build iOS apps. App Center Build also expects your app is able to build in a local Mac environment. So this approach is unsupported and could have unforeseen issues, even if it works right now. — user62171, Dec 09 '20 at 17:34
I needed to use my Windows machine to generate the CSR and convert the CER to P12 for CodeMagic and these instructions worked perfectly. — zechariahs, Dec 28 '21 at 16:25

How to create P12 certificate for iOS distribution

9 Answers9

Linked