How to Sign Secure iOS Apps with a P12 Distribution Certificate
An app developer must sign Android and iOS Mobile apps before they can be installed on a mobile device. The process of acquiring valid signing may be troublesome and requires intimate knowledge with the app’s operation modes, such as which entitlements are needed to tap into the full range of the app’s functionality, creating an iOS distribution certificate, etc. This may come with some difficulties as apps provided by 3rd party vendors rarely come with a detailed manual. Luckily, signing iOS apps on Appdome is easy, effortless, and doesn’t require any prior knowledge. This Knowledge Base article will guide you through all the steps in order to create the necessary credentials for signing iOS apps, so that you can sign secure iOS apps with a P12 Distribution Certificate
We hope you find it useful and enjoy using Appdome!
Creating an iOS Signing Certificate, App ID and Provisioning Profile
This article will guide you through signing iOS apps on Appdome, including signing credentials required to sign the app on Appdome. Signing iOS apps can be done using Appdome built-in signing capabilities or using your own mechanism outside of Appdome. It’s your choice. However, when signing iOS apps on Appdome, the process is quick and easy for any mobile app, including Native iOS/Android, hybrid apps and non-native apps built-in Xamarin, Cordova, React Native, Ionic and more. Signing apps on Appdome will leverage unique capabilities such as the automatic deployment of Fused apps into the Apple App Store and Leading EMM Stores.
Prerequisites for Creating iOS Signing Credentials
A Mac computer
How to Create iOS Signing Credentials (needed for signing iOS apps)
In this knowledge base article, we are going to create the required signing credentials for iOS apps:
Apple Developer or Enterprise Account
Production Distribution Certificate – P12 File
Apple Developer or Enterprise Account
An Apple Developer Program or Apple Enterprise Developer Program account is needed to create a Signing Certificate (P12 file), App ID, Registered Device List, and Provisioning Profile.
This knowledge base article will provide an example using two different types of accounts:
Apple Developer Program Account
You can create an Apple Developer Program Individual account within a few minutes.
With this plan, there are two distribution methods:
App Store – The app can be distributed to any number of devices through the Apple App Store. Devices do not need to be registered. Note: You cannot use App Store distribution if you are distributing apps through an Enterprise Mobility Management (EMM) solution or any other distribution method that is not through the Apple App Store.
Ad Hoc Distribution – Apps can be loaded to 100 iPhones, 100 iPads, and 100 iPod Touches that must be registered by their UDIDs (Unique Device Identifier) within a provisioning profile before signing iOS apps. Note: Ad Hoc Distribution works for distributing apps through an Enterprise Mobility Management (EMM) solution or any other distribution method that is not through the Apple App Store.
Apple Developer Enterprise Program Account
For companies and educational institutions that intend to distribute apps, they develop to employees within their organization. The Apple Developer Enterprise Program does not provide a method to distribute apps through the Apple App Store. Creating an Apple Developer Enterprise account requires you to have a D-U-N-S Number so that Apple can verify your organization’s identity and legal entity status.
In-House Distribution – The app can be distributed to any number of devices through an Enterprise Mobility Management solution or any other distribution method that is not through the Apple App Store. Devices do not need to be registered.
100 iPod Touches that must be registered by their UDIDs (Unique Device Identifier) within a provisioning profile before signing the apps. Note: Ad Hoc Distribution works for distribution apps using an Enterprise Mobility Management (EMM) solutions or any other distribution method that is not through the Apple App Store.
An App ID is a two-part string used to identify one or more apps from a single development team. The string consists of a Team ID and a bundle ID search string, with a period (.) separating the two parts. The Team ID is supplied by Apple and is unique to a specific development team, while the bundle ID search string is supplied by you to match either the bundle ID of a single app or a set of bundle IDs for a group of your apps.
There are two types of App IDs: an explicit App ID, used for a single app, and wildcard App IDs, used for a set of apps. Companies who had an enterprise account before iOS 8 was released use a wildcard App ID, while those who purchased enterprise account afterward can use only explicit APP ID.
Distribution Certificate – P12 File
A P12 certificate file contains a certificate and a private key of the application’s vendor. The certificate must be installed on the machine that will sign the vendor’s applications. A distribution certificate identifies your team/organization within a distribution provisioning profile and allows you to submit your app to the Apple App Store. A P12 file contains the certificates Apple needs in order to build and publish apps. The certificate created in this example will work for an app that will available on the App Store or for an Ad Hoc deployment that will also work with an EMM (Enterprise Mobility Management) solution.
When distributing different iOS apps, they are usually signed with the same distribution certificate. The entity that changes when signing different iOS app is the provisioning profile. A provisioning profile is a collection of digital entities that uniquely ties developers and devices to an authorized iPhone Development Team and enables a device to be used for testing.
There are four types of provisioning profiles you can create for iOS devices.
Development– This type of provisioning profile must be used with a development certificate installed on each device on which you wish to run your application. It is used in the development cycle and allows developers to debug the application. It can only be installed on a set of pre-registered development devices and is not meant for any distribution scenario.
App Store– This type of provisioning profile is matched to a specific distribution certificate. It is used to sign before submitting the application to the official iOS app store. After signing, the app will not install on any device and can only be used to upload to the app store.
Ad Hoc– This type of provisioning profile is matched to a specific distribution certificate. It is used for distributing apps to a limited amount of pre-registered devices. You can use this provisioning profile to distribute apps in a small organization where all devices are registered on the Apple site and are assigned to this provisioning profile, or for testing as part of the development cycle.
In-House – This type of provisioning profile is only available for members of the Apple Developer Enterprise Program. You can use it to sign iOS apps for In House Distribution. Apps can be installed on any iOS device. In-House provisioning profiles are matched to specific distribution certificates.
Note: In-House provisioning profiles are commonly used when distributing apps via an EMM (Enterprise Mobility Management) or MDM (Mobile Device Management) system. If you don’t distribute your app using an EMM or MDM system, users can install your app using the iOS App file, but then they will need to manually trust your organization to launch the app, described in Manually Trusting an Enterprise Developer.
Follow these step-by-step instructions to create iOS signing credentials above:
1. Create an Apple Developer or Enterprise Account
To get started, you will need to have access to an Apple Developer Program or Enterprise account. You can find a list of membership options by clicking here. Once you have an account, from your Mac, go to https://developer.apple.com and navigate to Account to sign in.
If you have an account, you can verify the account Entity Type from the Membership Details as shown in the following screenshot. This example uses an Individual account.
2. Register an App ID
Within your Developer account portal, go to Certificates, IDs, & Profiles and then the Identifiers section and choose App IDs. Then click on + to create a new App ID.
Under App ID description, put your company name or other text to uniquely identify the app.
Under App ID Suffix, choose Explicit App ID. For Bundle ID enter the App Bundle ID which is usually in a reverse domain format like companydomain.appnameor similar. Wildcard App ID is also possible; however, it comes with certain limitations on which App services will be available for the app.
Under Capabilities, check the boxes next to the services the app uses.
Note: If you are using a third-party app or an app provided to you by a developer, you may not know which App Services (entitlements) to select. If you are not publishing on the Apple App Store, and you do not know the App services used, it is OK to select more options than what is actually being used by the app. When signing iOS apps the Appdome platform, the signing process will remove entitlements from the app if the provisioning profile does not have them included. The platform will provide a warning message for this. If the provisioning profile has entitlements that the app does not need, the signing process will continue without making any changes to the app. iOS will disregard entitlements in the provisioning profile that the app does not need.
You will be presented with a preview of the App ID to be created. Once you verify all the information, click Register.
Congratulations! You now have an App ID. Next, we will configure your App ID to support push notifications, create a production distribution certificate and a provisioning profile.
3. Push Notifications
If your app uses push notifications, you must edit the Certificate that your App ID uses to enable push notifications. This will also require the creation of Push Notification SSL certificates as shown in the picture below.
On Apple Developer click Certificates
Create Certificate or Edit Certificates
Under Services enable Push Notification service SSL (Sandbox & Production)
Click Keychain Access –> Certificate Assistant –> Request a Certificate from a Certificate Authority.
Enter your information: Email Address and Certificate Common Name. Note: The CA Email is not needed if you are saving the CSR to disk.
Select the Saved to Disk option and click Continue.
Save the Certificate Signing Request File to a directory of your choice on your Mac.
When done, go back to Apple developer webpage.
To generate your certificate, you will need to import the certificate signing request. Click Continue
Now that Your certificate is ready, click Download to download the certificate to your Mac.
Give the certificate a name with a .cerextension and Save to a location of your choice on your Mac
Locate the certificate in finder and double-click the certificate file name to add to Keychain Access on your Mac. This needs to be done so you can create a P12 file from Keychain Access.
Open Keychain Access on your Mac
From the left navigation panel, under Category, select Certificates
In the search bar type: distribution
Locate your new certificate and expand it by clicking the triangle icon to the left of the certificate name. After expanding, you should see a private key under the distribution certificate.
Right-click the distribution certificate and click Export “iPhone Distribution:” to create a P12 certificate file containing the distribution certificate and the private key.
Give the P12 certificate file a name, specify a location for where to save the file, then click Save. This P12 certificate will be used to sign apps on the Appdome platform.
After saving, you will be prompted to enter a password to protect the P12 certificate file.
Click OK after entering and verifying your password. IMPORTANT: Do not lose this password, it is required for future iOS signing.
If prompted, Allow Keychain Access to export the key from your keychain.
Congratulations! You now have a proper P12 certificate file. Next, we will create a provisioning profile to complete the set of signing credentials.
4. Create a Provisioning Profile
Within your Developer Portal account, go to the Provisioning Profiles section and choose Distribution. Then click on + to create a new Provisioning Profile.
Under Distribution choose the distribution type:
For an Individual account select Ad Hoc or for an Enterprise account select In-House and click Continue.
IMPORTANT: If you are planning on fusing your app with a 3rd party EMM SDK on the Appdome platform, you will need an Enterprise Account to have unlimited devices. Individual Developer account can create an Ad Hoc Distribution certificate for proof of concept for small organizations.
Register Devices for Ad Hoc Distribution
If you choose Ad Hoc Distribution, from either account type, the distribution of the app is limited to a list of registered 100 iPhones, 100 iPads, and 100 iPod Touches. Registering each device will require adding its Devices Unique Device Identifier (UDID) to the device list included in the provisioning profile. You can obtain the UDID for a device using iTunes, Xcode, or by web browsing from your device with Safari to https://get.udid.io which allows you to email the result.
From Xcode, go to the Top Menu Bar, select Window> Devices. If your device is connected to your Mac, you will be to select it to see it’s 40-digit identifier.
Registering devices can be done one at a time or by importing a list of devices.
From your developer.apple.com account, go to Devices > All then click +
Register Device – Add a description for the device in the Name field and the UDID then click Continue. Repeat for each the devices you wish to test with
Register Multiple Device – In order to register multiple devices, you can retrieve the format for a multiple register upload file by clicking on the Download sample files. The following screenshot shows the file format for iPhones.
Select the App ID that was created earlier and click Continue.
Select the Production iOS Distribution Certificate that was created earlier. IMPORTANT: If you have multiple distribution certificates, ensure you note the one you select here. You will need the P12 file containing the selected certificate as well as the private key to sign the app.
If you are creating an Ad Hoc provisioning profile, you will need to select the Device list for permitted devices. In-House provisioning profile will not prompt you to select a device list.
Enter a name for the profile: Your-Company-iOS-Provisioning and click Continue
Download the newly created provisioning profile.
Congratulations! You now have a provisioning profile and are ready to sign your iOS apps.
After Creating Signing Credentials for signing iOS apps:
Now you are all set to fuse, sign and deploy apps on Appdome. For information please read the knowledge base articles on: