@jcward
Created April 14, 2017 15:08
Generating iOS P12 / certs without Mac OSX Keychain (on Linux, Windows, etc.)

1) Generate a private key and certificate signing request:

openssl genrsa -out ios_distribution.key 2048
openssl req -new -key ios_distribution.key -out ios_distribution.csr -subj '/emailAddress=me@example.com/CN=Example/C=US'

2) Upload the CSR to Apple at: https://developer.apple.com/account/ios/certificate/create
- choose Production -> App Store and Ad Hoc

3) Download the resulting ios_distribution.cer, and convert it to .pem format:

openssl x509 -inform der -in ios_distribution.cer -out ios_distribution.pem

4) Download Apple's Worldwide developer cert (from portal) and convert it to pem:

openssl x509 -in AppleWWDRCA.cer -inform DER -out AppleWWDRCA.pem -outform PEM

5) Convert your cert plus Apple's cert to p12 format (choose a password for the .p12):

openssl pkcs12 -export -out ios_distribution.p12 -inkey ios_distribution.key -in ios_distribution.pem -certfile AppleWWDRCA.pem

Finally, update any provisioning profiles with the new cert, and download from dev portal.
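A pre-flight check to run on the key, the converted certificate and the converted Apple certificate before the `openssl pkcs12 -export` step. This is an added example, not part of the original gist: the function names `preflight` and `make_fixture` are hypothetical, the fixture is a constructed local CA standing in for Apple's certificate so the script runs offline, and `-ignore_critical` is an assumption for leaf extensions OpenSSL does not recognise.

```shell
#!/bin/sh
# preflight KEY LEAF_PEM INTERMEDIATE_PEM
# Returns 0 when the three inputs to `openssl pkcs12 -export` belong together.
preflight() {
    key=$1; leaf=$2; ca=$3
    # 1. The certificate must carry the public key of the private key.
    kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || kpub=""
    cpub=$(openssl x509 -in "$leaf" -noout -pubkey 2>/dev/null) || cpub=""
    if [ -z "$kpub" ] || [ "$kpub" != "$cpub" ]; then
        echo "FAIL: $leaf was not issued for $key" >&2; return 1
    fi
    # 2. Neither certificate may be expired (-checkend 0 exits non-zero if so).
    for c in "$leaf" "$ca"; do
        openssl x509 -in "$c" -noout -checkend 0 >/dev/null 2>&1 ||
            { echo "FAIL: $c is expired or unreadable" >&2; return 2; }
    done
    # 3. The leaf must be signed by this intermediate. -partial_chain lets the
    #    intermediate act as trust anchor; -ignore_critical is an assumption,
    #    covering leaf extensions that OpenSSL does not recognise.
    openssl verify -partial_chain -ignore_critical -CAfile "$ca" "$leaf" \
        >/dev/null 2>&1 ||
        { echo "FAIL: $leaf does not chain to $ca" >&2; return 3; }
    echo "OK: key, certificate and intermediate match"
}

# make_fixture DIR: CONSTRUCTED throwaway CA, leaf and unrelated CA/key, used
# as offline stand-ins for the real key, certificate and intermediate.
make_fixture() {
    d=$1
    for k in ca leaf other; do
        openssl genrsa -out "$d/$k.key" 2048 2>/dev/null
    done
    openssl req -x509 -new -key "$d/ca.key" -days 2 \
        -subj '/CN=Constructed Test CA' -out "$d/ca.pem"
    openssl req -x509 -new -key "$d/other.key" -days 2 \
        -subj '/CN=Constructed Other CA' -out "$d/other_ca.pem"
    openssl req -new -key "$d/leaf.key" -subj '/CN=Constructed Leaf' \
        -out "$d/leaf.csr"
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null
}

# Demo on the constructed fixture.
tmp=$(mktemp -d) && make_fixture "$tmp"
preflight "$tmp/leaf.key" "$tmp/leaf.pem" "$tmp/ca.pem"
```

With the real files the call is `preflight ios_distribution.key ios_distribution.pem AppleWWDRCA.pem`; return codes 1, 2 and 3 distinguish a key mismatch, an expired certificate and a wrong issuer.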

If you like to GPG your certs and store them in your repo:

tar -cf ios_distribution.tar ios_distribution.* *.mobileprovision Apple*
gpg -c ios_distribution.tar

Decrypt and untar using:

gpg --decrypt ios_distribution.tar.gpg | tar -x

Here's a .gitignore that ignores everything in the directory (aka, certs and
keys, which you don't want to check in) except the .gpg file and itself:

*
!*.gpg
!.gitignore

@saumya

saumya commented Apr 14, 2017

That's a most needed one :) Thank you for the write up.

@jrichardsz

Hi

I try to access: https://developer.apple.com/account/ios/certificate/create

But it is redirecting me to this new URL:

https://developer.apple.com/account/#/welcome

Is some payment required? Or can only users with an iOS mobile or Mac laptop access:

https://developer.apple.com/account/ios/certificate/create

Thanks

@avisigalli

Seems that if you don't have any Apple device (iPhone, iPad or Mac) then you're not able to access the section of the website in which you can submit your request for a certificate, am I correct?

@jkrysakowski

> openssl x509 -inform der -in ios_distribution.cer -out ios_distribution.

There is a missing extension at the end. It should be:

openssl x509 -inform der -in ios_distribution.cer -out ios_distribution.pem

@OriIdan

OriIdan commented Feb 7, 2019

Step 4 says:
Download Apple's Worldwide developer cert (from portal) and convert it to pem:

My question is what portal? I didn't find how to download it.

@saulmoralespa

Download Apple's Worldwide developer cert https://developer.apple.com/certificationauthority/AppleWWDRCA.cer

@omidraha

Is some payment required for section 2?

@JasonZGameDev

> Hi
>
> I try to access: https://developer.apple.com/account/ios/certificate/create
>
> But it is redirecting me to this new URL:
>
> https://developer.apple.com/account/#/welcome
>
> Is some payment required? Or can only users with an iOS mobile or Mac laptop access:
>
> https://developer.apple.com/account/ios/certificate/create
>
> Thanks

You will have to enroll in the Apple developer program thingy

@florianjeanmart

Tested from Ubuntu 20 to create a .p12 for Bitrise: sadly it didn't work:

[image]

@migwellian

> AppleWWDRCA.cer
>
> Download Apple's Worldwide developer cert https://developer.apple.com/certificationauthority/AppleWWDRCA.cer

This one expired in February 2023. See https://developer.apple.com/support/expiration/ for details.

@migwellian

migwellian commented Sep 27, 2023

I was getting an error in the Unity Developer console when trying to create a build target:

Failed to update credentials. The .p12 file failed validation against Apple CA chain

By trial and error I discovered that the fix was to use -CAfile instead of -certfile in the openssl pkcs12 -export command. I hope this helps somebody!
