Generate iOS Signing Certificates and Provisioning Profiles

iOS signing in Kobiton environments involves three related tasks: understanding how iOS code signing works, generating signing certificates and provisioning profiles, and importing those files into a device host.

This guide focuses on generating signing certificates and provisioning profiles. For related tasks, see the guides listed in Related guides at the end of this document.

Overview

This guide explains how to generate the signing certificate and provisioning profile required for iOS app signing.

In iOS workflows, two files are typically required:

● a signing certificate (.p12), which is used to sign the app during the build process

● a provisioning profile (.mobileprovision), which authorizes the signed app to run on specific devices

These files are generated using the Apple Developer portal and Keychain Access on macOS.

This guide covers:

● creating a certificate signing request (CSR)

● generating an Apple Development certificate

● exporting the certificate as a .p12 file

● creating a development provisioning profile

● editing an existing provisioning profile when devices or certificates change

Prerequisites

Before generating certificates and provisioning profiles, ensure the following requirements are met:

● You are enrolled in the Apple Developer Program or Apple Developer Enterprise Program

● Your developer account has an available Apple Development certificate slot

● You have access to a macOS machine with Keychain Access

● You have permission to access Certificates, Identifiers & Profiles in the Apple Developer portal

● You have the UDIDs of any devices that will be authorized for development builds

If you manage multiple host machines, generate certificates and provisioning profiles on a limited number of machines for easier management.

Generate an Apple Development certificate

Create a Certificate Signing Request (CSR)

A certificate signing request (CSR) is used to generate the Apple-issued signing certificate.

  1. Open Keychain Access on the macOS machine.
  2. From the menu bar, select Keychain Access → Certificate Assistant → Request a Certificate From a Certificate Authority.
  3. Enter the following information:

○     Email Address

○     Common Name

  4. Leave CA Email Address empty.
  5. Select Saved to disk.
  6. Save the generated .certSigningRequest file.

When the CSR is created, macOS automatically generates a public/private key pair in the Login keychain.

This key pair must remain in the keychain. If it is removed, the resulting certificate cannot be used.

Create the development certificate in Apple Developer

  1. Log in to the Apple Developer portal.
  2. Navigate to Certificates, Identifiers & Profiles.
  3. Select Certificates.
  4. Select the + button to create a new certificate.
  5. Choose Apple Development, then select Continue.
  6. Upload the .certSigningRequest file generated earlier.
  7. Select Continue.
  8. Download the generated .cer certificate file.

This certificate must be downloaded and installed on the same machine where the CSR was created.

Export the certificate as a .p12 file

The .p12 file contains both the certificate and its associated private key.

  1. Open Keychain Access.
  2. Select the Login keychain.
  3. Import the downloaded .cer certificate.
  4. Expand the certificate to confirm that a private key is associated with it.
  5. Select both the certificate and its private key.
  6. Right-click and select Export 2 items.
  7. Choose Personal Information Exchange (.p12) as the file format.
  8. Save the file.

You will be prompted to set a password to protect the certificate.

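Store the .p12 file securely and transfer it to any machines that require signing access. Because the file contains the private key, anyone who holds the file and its password can sign apps with this certificate.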

If the imported certificate does not display a private key, confirm that:

● the certificate was imported on the same machine where the CSR was created

● the original key pair in the Login keychain has not been deleted

Generate a Development Provisioning Profile

Provisioning profiles determine which devices and certificates are authorized to run a signed app.

Create an App ID (if required)

If an appropriate App ID does not already exist:

  1. Log in to the Apple Developer portal.
  2. Navigate to Identifiers.
  3. Select the + button.
  4. Choose App IDs, then select Continue.
  5. Select App as the identifier type.
  6. Enter:

○     an App ID description

○     a Bundle ID

Wildcard bundle IDs can be used when signing multiple apps that share the same domain.

Only one App ID can be associated with a provisioning profile.

Register Device UDIDs

Development provisioning profiles require the UDIDs of devices that will run the signed app.

  1. Navigate to Devices in the Apple Developer portal.
  2. Select the + button.
  3. Enter the device name and UDID.
  4. Select Register.

Multiple devices can also be registered using Apple’s bulk upload method.

Create the Development Provisioning Profile

  1. Navigate to Profiles in the Apple Developer portal.
  2. Select the + button to create a new profile.
  3. Choose iOS App Development under Development.
  4. Select the appropriate App ID.
  5. Select the Apple Development certificate created earlier.
  6. Select the registered device UDIDs.
  7. Enter a provisioning profile name.
  8. Select Generate.

Download the generated .mobileprovision file.

This file can now be used on host machines to authorize apps signed with the corresponding certificate.

Edit an existing provisioning profile

Provisioning profiles can be edited to add new devices or certificates.

  1. Navigate to Profiles in the Apple Developer portal.
  2. Select the provisioning profile to modify.
  3. Select Edit.
  4. Update any of the following:

○     profile name

○     associated certificates

○     authorized device UDIDs

○     App ID

  5. Select Save.
  6. Download the updated provisioning profile.

After editing a profile, the updated .mobileprovision file must be redistributed to any machines that use it.

Editing a provisioning profile resets its expiration date.
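
A host-side check for the profile creation and editing steps above, as an added example that is not part of the original guide or Kobiton's tooling: it reads a .mobileprovision file and reports whether the profile lists a given certificate and device UDID and whether it has expired, which helps spot a stale copy after an edit. The function names and sample data are constructed for illustration, the .cer file is assumed to be DER-encoded, and the CMS signature around the embedded plist is not verified.

```python
import hashlib
import plistlib
from datetime import datetime, timezone

def read_profile(blob: bytes) -> dict:
    """Extract the XML plist embedded in a .mobileprovision file.

    Inspection only: the CMS signature wrapped around the plist is not verified.
    """
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>", start)
    if start < 0 or end < 0:
        raise ValueError("no embedded plist found")
    return plistlib.loads(blob[start:end + len(b"</plist>")])

def check_profile(blob: bytes, cert_der: bytes, udid: str, now=None) -> list:
    """Return the reasons this profile does not cover the certificate/device."""
    profile = read_profile(blob)
    # plistlib returns naive UTC datetimes, so compare against naive UTC.
    now = now or datetime.now(timezone.utc).replace(tzinfo=None)
    problems = []
    # Compare certificates by SHA-256 fingerprint of their DER bytes.
    wanted = hashlib.sha256(cert_der).hexdigest()
    listed = {hashlib.sha256(c).hexdigest()
              for c in profile.get("DeveloperCertificates", [])}
    if wanted not in listed:
        problems.append("certificate not in profile")
    devices = {d.lower() for d in profile.get("ProvisionedDevices", [])}
    if udid.lower() not in devices:
        problems.append("device UDID not in profile")
    if profile["ExpirationDate"] <= now:
        problems.append("profile expired")
    return problems

# Constructed sample data: placeholder bytes stand in for DER certificates and
# for the CMS envelope, and the UDID is made up.
CERT_A, CERT_B = b"constructed-cert-A", b"constructed-cert-B"
UDID = "00008030-000A1B2C3D4E5F60"

def sample_profile(certs, devices, expires) -> bytes:
    plist = plistlib.dumps({"Name": "Sample Dev Profile",
                            "DeveloperCertificates": certs,
                            "ProvisionedDevices": devices,
                            "ExpirationDate": expires})
    return b"\x30\x82 constructed-cms-header " + plist + b" constructed-trailer"

if __name__ == "__main__":
    stale = sample_profile([CERT_A], [UDID], datetime(2024, 6, 1))
    print(check_profile(stale, CERT_B, UDID, now=datetime(2025, 1, 1)))
```

On a real host, pass the bytes of the .mobileprovision and .cer files to check_profile in place of the constructed samples.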