How to create Apple Certificates for App Signing

Note: During this guide you will see x.y@z.com used in the place of an AppleID email. You should replace that with your own AppleID email.

Step 1 – Obtain an Apple Developer Account

This is the only step that will require payment. An Apple Developer account will cost you $99/year and can be created at the Apple Developer website.

Step 2 – Create the CSR

Next we’ll create the Certificate Signing Request (CSR), which we will be able to upload to Apple for, you guessed it, signing! 🙂

First open the Keychain Access App and navigate to the following button:

Keychain Access > Certificate Assistant > Request a Certificate From a Certificate Authority…

This will open the Certificate Assistant, which will prompt you to enter your Apple ID email and the certificate Common Name. The Common Name can be whatever you want, e.g. “ENATIK dev key”.

Make sure you select Saved to disk as the request saving type. The field CA Email address can be left empty.

The Certificate Assistant window with some example values.

Click Continue. This will prompt you to save the .certSigningRequest file somewhere on your device.

Once the file is created, head to the Apple New Certificate menu on the Apple Developer website.

Step 3 – Selecting the type of Apple Certificate

If you are following our guide for App Releasing on macOS, you will need the “Developer ID Application” certificate. You will also need the “Developer ID Installer” certificate if you are shipping your app within a .pkg file. You can safely ignore the rest of Step 3.

This part can be tricky and I see it tripping people up all the time, so I have created a table for reference. Make sure to choose the correct type of certificate. Picking the wrong one will result in signature validation errors that will leave you pulling your hair out.

The Certificate Picker 9000! Follow this guide to avoid picking the wrong certificate type for your application

I am not sure why Apple makes it so complicated but I am sure they have their reasons.

Step 3.1 – The In-Depth guide

For those interested in a more detailed explanation I have created a table for reference.

Terminology:

iDevices – iPhones, iPads, Apple Watches, Apple TVs, iPods and others
Macs – MacBooks, iMacs, Mac Pros, Mac Minis and others
Ad Hoc – Apple’s term for direct download apps. These are subject to pretty strict requirements including having to hardcode your target devices into your app before signing. Not for the faint of heart or covered here.
AppStore – The App Store on the target platform. These certificates CANNOT be used to sign apps for distribution outside the App Store unless you are targeting an Ad Hoc distribution.

| Certificate Name | You need it for | You Can Sign |
| --- | --- | --- |
| Apple Development | Installing testing versions of your apps on OTHER people’s iDevices. Requires Xcode 11+ | iDevices apps (TestFlight testing); Mac apps (testing*) |
| Apple Distribution | Signing apps for submission to the App Store for iDevices and Macs. Requires Xcode 11+ | iDevice apps (AppStore or Ad Hoc); Mac apps (AppStore) |
| iOS App Development | Installing testing versions of your apps on OTHER people’s iDevices. | iDevices apps (TestFlight testing) |
| iOS Distribution (App Store and Ad Hoc) | Signing apps for submission to the App Store for iDevices. | iDevice apps (AppStore or Ad Hoc) |
| Mac Development | Not very useful* | Mac apps (testing*) |
| Mac App Distribution | Signing apps for submission to the App Store for Macs. | Mac apps (AppStore) |
| Mac Installer Distribution | Signing installers for submission to the App Store for Macs. | Mac installers (AppStore) |
| Developer ID Installer | Signing installers for direct distribution for Macs. | Mac installers (direct) |
| Developer ID Application | Signing apps for direct distribution for Macs. | Mac apps (direct) |

* Generally Mac Apps do not require testing certificates because you can just bypass Gatekeeper during development, however there are exceptions when using certain system APIs during testing.

Step 4 – Obtaining the certificate

After selecting the type of certificate, Apple will prompt you to upload the .certSigningRequest file we generated earlier. Once that’s done it should only take a few seconds for your certificate to be approved. You can now download your certificate and should do so.

Click the Download button to download your new certificate

You should now install the certificate by double-clicking the .cer file you just downloaded. This will add an entry to your login keychain in Keychain Access. You can find your new certificate under “My Certificates”.

Your certificate is now ready to use!
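
To confirm the result from Terminal, the following added example (not part of the original guide) parses the output of `security find-identity -v` and reports which of the two Developer ID identities from Step 3 are missing. An identity is listed only when the certificate is paired with the private key that Keychain Access created alongside the CSR, so a certificate installed on a different Mac will not show up. The function names, the `app`/`pkg` argument and the sample listing are assumptions made for this example.

```shell
#!/bin/sh
# Added example: check that the identities needed for direct macOS
# distribution (see Step 3) are present and usable for signing.
# On a Mac, feed it the real keychain listing:
#   security find-identity -v | missing_identities pkg

# has_identity TYPE: reads a find-identity listing on stdin and succeeds
# if it contains an identity whose name starts with "TYPE: ".
has_identity() {
    grep -Eq "^ *[0-9]+\) [0-9A-F]{40} \"$1: "
}

# missing_identities MODE: reads a listing on stdin and prints one missing
# certificate type per line. MODE is "pkg" when the app ships inside a
# .pkg installer, anything else when only the app itself is signed.
missing_identities() {
    listing=$(cat)
    for type in "Developer ID Application" "Developer ID Installer"; do
        # The Installer identity only matters when shipping a .pkg.
        if [ "$type" = "Developer ID Installer" ] && [ "$1" != "pkg" ]; then
            continue
        fi
        printf '%s\n' "$listing" | has_identity "$type" || printf '%s\n' "$type"
    done
}

# Constructed sample of `security find-identity -v` output (hashes, names
# and team IDs are made up): the application identity is installed, the
# installer identity is not.
sample_listing() {
    cat <<'EOF'
  1) 0123456789ABCDEF0123456789ABCDEF01234567 "Developer ID Application: Example Corp (ABCDE12345)"
  2) 89ABCDEF0123456789ABCDEF0123456789ABCDEF "Apple Development: x.y@z.com (FGHIJ67890)"
     2 valid identities found
EOF
}

# Demo on the constructed sample: lists what still has to be created.
sample_listing | missing_identities pkg
```

An empty result means every identity needed for the chosen mode is installed together with its private key.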