Blog of Christian Bär

Renewing an Expired Apple Distribution Certificate (iOS)

I’ve just received the dreaded email saying my Distribution Certificate would no longer be valid in 30 days. That certificate is used to sign the Camjam photo sharing app - or at least I think that’s what it’s used for.

Camjam is built using an Azure DevOps build pipeline so I’ll ultimately have to replace some Secure Files there.

These are the steps that I’ve finally come up with:

1) Generate the Certificate

Here, you’ll end up with a *.p12 certificate file which will later be uploaded to Azure Pipelines.

You need to do this on a Mac.

  1. Follow the steps on https://help.apple.com/developer-account/#/devbfa00fef7 to create a certificate signing request (CSR). They are:
    1. Launch Keychain Access located in /Applications/Utilities.
    2. Choose Keychain Access > Certificate Assistant > Request a Certificate from a Certificate Authority.
    3. In the Certificate Assistant dialog, enter an email address in the User Email Address field.
      (I entered the main email of the company publishing Camjam.)
    4. In the Common Name field, enter a name for the key (for example, Gita Kumar Dev Key).
    5. Leave the CA Email Address field empty.
    6. Choose Saved to disk, and click Continue.
  2. Go to Certificates in the Apple Developer portal at https://developer.apple.com/account/resources/certificates/list
  3. Click the little blue icon with the + symbol next to Certificates.
  4. Choose Apple Distribution and click Continue.
  5. Choose the file you created in step 1.6.
  6. On the Download Your Certificate page, click Download and save the file.
  7. In Finder, double-click the file you just downloaded.
    (This will add the certificate to your keychain and display it there.)
  8. Right-click the new certificate in Keychain Access and export it.
    (This generates a *.p12 file which you’ll need in Azure Pipelines.)
  9. You will be prompted to enter a password. Use the password from when you exported the previous certificate (i.e. a year ago). If you don’t know that password any more, make up a new one.
    If you’ve entered a new password, you’ll need it later in Azure Pipelines.

2) Update the existing Provisioning Profile

Here, you’ll end up with a file containing your updated Provisioning Profile which will later be uploaded to Azure Pipelines.

  1. Go to Profiles in the Apple Developer portal at https://developer.apple.com/account/resources/profiles/list and click on your existing profile.
    Remember: This post is about an App that’s already in the App Store, so there must be an existing profile.
  2. Click Edit
  3. Under Certificates select the entry with the later expiration date (i.e. the certificate just added).
  4. Click Save
  5. Download the Provisioning Profile you’ve just edited.
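Before uploading anything, you can confirm that the profile downloaded in step 5 really embeds the new certificate downloaded in section 1. The script below is an added example, not part of the original post; it assumes the downloaded .cer file is DER-encoded, compares SHA-1 fingerprints only, and does not verify the profile's signature. Without arguments it runs on a constructed sample.

```python
import hashlib
import plistlib
import sys


def read_profile(profile_bytes):
    """Return the plist embedded in a .mobileprovision (CMS-signed) file.

    The payload sits in the clear inside the signed blob, so slicing it out
    is enough for inspection. The CMS signature is NOT verified here.
    """
    start = profile_bytes.find(b"<?xml")
    end = profile_bytes.find(b"</plist>", start)
    if start == -1 or end == -1:
        raise ValueError("no embedded plist found in provisioning profile")
    return plistlib.loads(profile_bytes[start:end + len(b"</plist>")])


def sha1_hex(der):
    """SHA-1 fingerprint of the raw certificate bytes, as uppercase hex."""
    return hashlib.sha1(der).hexdigest().upper()


def check_profile(profile_bytes, cert_der):
    """Report whether the profile embeds the given DER-encoded certificate."""
    profile = read_profile(profile_bytes)
    embedded = [sha1_hex(bytes(c)) for c in profile.get("DeveloperCertificates", [])]
    wanted = sha1_hex(cert_der)
    return {
        "name": profile.get("Name"),
        "profile_expires": profile.get("ExpirationDate"),
        "cert_sha1": wanted,
        "embedded_sha1": embedded,
        "cert_in_profile": wanted in embedded,
    }


if __name__ == "__main__":
    if len(sys.argv) == 3:  # check_profile.py <file.mobileprovision> <file.cer>
        with open(sys.argv[1], "rb") as p, open(sys.argv[2], "rb") as c:
            profile_bytes, cert_der = p.read(), c.read()
    else:  # constructed sample: placeholder bytes inside a fake signed wrapper
        cert_der = b"constructed-new-certificate"
        plist = plistlib.dumps({"Name": "Constructed Profile",
                                "DeveloperCertificates": [b"constructed-old-certificate", cert_der]})
        profile_bytes = b"\x30\x80" + plist + b"\x00signature"
    report = check_profile(profile_bytes, cert_der)
    for key, value in report.items():
        print(f"{key}: {value}")
    sys.exit(0 if report["cert_in_profile"] else 1)
```

If `cert_in_profile` is False, the profile still references only the old certificate; go back to step 3 and select the new one before uploading.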

3) Replace the Secure Files in Azure Pipelines

In the Library of your Azure Pipelines project, you should already have two Secure Files: one for the Certificate (*.p12) and one for the Provisioning Profile.

  1. In Azure Pipelines, navigate to Library > Secure Files
  2. In the list of Secure Files, there should be one for the Certificate and one for the Provisioning Profile already. Change the names of both of them (e.g. add a suffix “_expired” to both).
  3. Upload the Certificate (*.p12) and after uploading, change its name to the respective original Secure File entry.
  4. Upload the Provisioning Profile (*.mobileprovision) and after uploading, change its name to the respective original Secure File entry.
  5. Optional: If you entered a new password when you generated the *.p12 file, you also have to update the variable that holds it. You can find that variable’s name in your build YAML: it’s the value of certPwd of the InstallAppleCertificate@2 task.

4) Clean up

  1. Check whether your build that’s using the two Secure Files succeeds.
  2. If the build succeeds, you might want to delete the two old Secure Files (the ones you’ve renamed above).
  3. If you’ve made up a new password for the *.p12 file, it’s a good idea to note it somewhere.
