Certificates overview

During the course of developing your app, you’ll create different certificate types for use in different contexts. You’ll use the same set of certificates for iOS, tvOS, and watchOS apps, and a different set of certificates for macOS apps. If you’re using Xcode 11 or later, you can create unified development and distribution certificates for all platforms. You’ll use development certificates to run your app on devices and use app capabilities for testing, and distribution certificates to distribute your app and to upload it to App Store Connect.

Development certificates belong to individuals. You can create a total of two iOS development certificates and two Mac development certificates. In your developer account, the computer name is appended to the development certificate name (for example, Gita Kumar (Work Mac) where Work Mac is the computer name) so you can identify them.

Distribution certificates belong to the team and only one type of each distribution certificate (with the exception of Developer ID certificates) is allowed per team. Only the Account Holder or Admin role can create distribution certificates (if you’re enrolled as an individual, you are the Account Holder).

You can create and revoke certificates using either Xcode or your developer account.

Protecting your account and certificates

Your Apple Account, authentication credentials, and related account information and materials (such as Apple Certificates used for distribution or submission to the App Store) are sensitive assets that confirm your identity.

  • Keep your Apple Account and authentication credentials secure and do not share them with anyone. To learn more, see Security and your Apple Account.
  • Do not share Apple Certificates outside of your organization. To learn how to securely share them with trusted team members within your organization, see Maintain Signing Assets in Xcode Help.

Certificate types

The certificate type helps to identify a certificate in your developer account and Xcode.

| Type | Purpose |
|---|---|
| Apple Development | For use with Xcode 11 and later. Run an iOS, macOS, tvOS, or watchOS app on devices and use certain app services during development. |
| Apple Distribution | For use with Xcode 11 and later. Distribute your iOS, macOS, tvOS, or watchOS app on designated devices for testing or submit it to the App Store. |
| APNs Auth Key | Generate server-side tokens as an alternative to certificates for your notification requests. |
| Apple Push Services | Establish connectivity between your notification service and APNs to deliver remote notifications to your app. |
| iOS Development | Run an iOS, tvOS, or watchOS app on devices and use certain app services during development. |
| iOS Distribution | Distribute your iOS, tvOS, or watchOS app on designated devices for testing or to submit it to the App Store. |
| Mac Development | Enable certain app services for a Mac app during development and testing. |
| Mac App Distribution | Sign a Mac app before submitting it to the Mac App Store. |
| Mac Installer Distribution | Sign and submit a Mac Installer Package, containing your signed app, to the Mac App Store. |
| Developer ID Application | Sign a Mac app before distributing it outside the Mac App Store. |
| Developer ID Installer | Sign and distribute a Mac Installer Package, containing your signed app, outside the Mac App Store. |
| Apple Pay | Decrypt app transaction data sent by Apple to a merchant/developer. |
| Merchant Identity | Authenticate you to Apple Pay Servers. |
| Pass Type ID | Sign and send updates to passes in Wallet. |
| Swift signing | For use with Swift Package Manager version 5.9 or later. Sign Swift packages and package collections for distribution. |
| VoIP Services | Establish connectivity between your notification server and APNs to alert background VoIP apps of incoming activity. |
| WatchKit Services | Establish connectivity between your notification server and APNs to update ClockKit complication data. |
| Website Push ID | Sign and send updates for Websites. |
| MDM Vendor CSR signing | Sign Certificate Signing Requests (CSRs) from your MDM solution customers, or your own, to generate an MDM Push Certificate at identity.apple.com. This certificate is available by request. |
| App License Delivery encryption and signing | App License Delivery (ALD) signing and encryption certificates enable generating app license requests for eligible apps. |

Note: In your keychain, a signing certificate name contains a hint to the type, and includes the team name and Team ID.

Expired or revoked certificates

  • App License Delivery (ALD) certificates
    If your certificate expires or is revoked, the ALD certificates won’t be able to generate or encrypt valid App License requests. App License requests that were requested and created while the certificate was active are not affected by certificate expiration or revocation.
  • Apple Push Notification Service Certificate
    You can no longer send push notifications to your app.
  • Apple Pay Payment Processing Certificate
    Apple Pay transactions in your apps and on your websites will fail.
  • Apple Pay Merchant Identity Certificate
    Apple Pay transactions on your websites will fail.
  • Pass Type ID Certificate (Wallet)
    If your certificate expires, passes that are already installed on users’ devices will continue to function normally. However, you’ll no longer be able to sign new passes or send updates to existing passes. If your certificate is revoked, your passes will no longer function properly.
  • iOS Distribution Certificate (App Store)
    If your Apple Developer Program membership is valid, your existing apps on the App Store won’t be affected. However, you’ll no longer be able to upload new apps or updates signed with the expired or revoked certificate to the App Store.
  • iOS Distribution Certificate (in-house, internal-use apps)
    Users will no longer be able to run apps that have been signed with this certificate. You must distribute a new version of your app that is signed with a new certificate.
  • Mac App Distribution Certificate and Mac Installer Distribution Certificate (Mac App Store)
    If your Apple Developer Program membership is valid, your existing apps on the Mac App Store won’t be affected. However, you’ll no longer be able to upload new apps or updates signed with the expired or revoked certificate to the Mac App Store.
  • Developer ID Application Certificate (Mac applications)
    If your certificate expires, users can still download, install, and run versions of your Mac applications that were signed with this certificate. However, you’ll need a new certificate to sign updates and new applications. If your certificate is revoked, users will no longer be able to install applications that have been signed with this certificate. If your Mac application utilizes a Developer ID provisioning profile to take advantage of advanced capabilities such as CloudKit and push notifications, you must ensure your Developer ID provisioning profile is valid in order for installed versions of your application to run.
  • Developer ID Installer Certificate (Mac applications)
    If your certificate expires, users can still install packages that were signed with this certificate as long as the package includes a trusted timestamp. Previously installed apps will continue to run. However, new installations won’t be possible until you have re-signed your installer package with a valid Developer ID Installer certificate. If your certificate is revoked, users will no longer be able to install applications that have been signed with this certificate.
  • Apple Worldwide Developer Relations Certification Intermediate Certificate
    The Apple Worldwide Developer Relations Certificate Authority issues certificates used by developers for signing third-party apps and Safari Extensions, and for using Apple Wallet and Apple Push Notification services.

    Starting January 28, 2021, the digital certificates you use to sign your software for installation on Apple devices, submit apps to the App Store, and connect to certain Apple services will be issued from the new intermediate Apple Worldwide Developer Relations certificate that expires on February 20, 2030.

Note: Apple can revoke digital certificates at any time at its sole discretion. For more information, read the Apple Developer Program License Agreement in your developer account.
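To audit which signing identities sit in a keychain and whether any are expired or revoked, the name hint mentioned in the Certificate types note can be parsed from the listing that `security find-identity` prints. The script below is an added example, not Apple's code. It assumes that listing layout, the `CSSMERR_TP_CERT_EXPIRED` / `CSSMERR_TP_CERT_REVOKED` suffixes, and the mapping from name hints to type names; the sample lines are constructed.

```shell
#!/bin/sh
# Added example. Reads text in the layout printed by `security find-identity`
# on stdin and prints one line per identity: type|owner|holder|id|status

classify_identities() {
  awk '
    match($0, /"[^"]+"/) {
      name = substr($0, RSTART + 1, RLENGTH - 2)   # quoted certificate name
      tail = substr($0, RSTART + RLENGTH)          # optional "(CSSMERR_...)"
      status = "valid"
      if (tail ~ /CERT_EXPIRED/) status = "expired"
      if (tail ~ /CERT_REVOKED/) status = "revoked"

      sep = index(name, ": ")
      if (sep == 0) next                           # not a "<hint>: <holder>" name
      hint = substr(name, 1, sep - 1)
      holder = substr(name, sep + 2)

      id = ""                                      # trailing "(XXXXXXXXXX)"
      if (match(holder, / \([A-Z0-9]+\)$/)) {
        id = substr(holder, RSTART + 2, RLENGTH - 3)
        holder = substr(holder, 1, RSTART - 1)
      }

      # Name hints -> type names from the Certificate types section (assumed mapping).
      type = hint
      if (hint == "iPhone Developer") type = "iOS Development"
      if (hint == "iPhone Distribution") type = "iOS Distribution"
      if (hint == "Mac Developer") type = "Mac Development"
      if (hint == "3rd Party Mac Developer Application") type = "Mac App Distribution"

      # Development certificates belong to individuals, the rest to the team.
      owner = (type ~ /Development$/) ? "individual" : "team"
      print type "|" owner "|" holder "|" id "|" status
    }'
}

# Constructed sample input (hashes, names and IDs are made up).
sample_identities() {
  cat <<'EOF'
  1) 0000000000000000000000000000000000000001 "Apple Development: Gita Kumar (A1B2C3D4E5)"
  2) 0000000000000000000000000000000000000002 "Developer ID Application: Example Corp (Z9Y8X7W6V5)" (CSSMERR_TP_CERT_REVOKED)
  3) 0000000000000000000000000000000000000003 "iPhone Distribution: Example Corp (Z9Y8X7W6V5)" (CSSMERR_TP_CERT_EXPIRED)
     3 identities found
EOF
}

sample_identities | classify_identities
```

On a Mac, pipe the real listing in with `security find-identity | classify_identities`; any `team` row on a machine that is not a build or release host is worth a follow-up.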

Compromised certificates

If you suspect that your Pass Type ID certificate or Developer ID certificate and private key have been compromised, and would like to request revocation of the certificate, send an email to product-security@apple.com. You can continue to develop and distribute passes by requesting an additional certificate in your developer account.