iOS Certificate and private key

From: https://developer.apple.com/ios/manage/certificates/team/howto.action

Obtaining your iOS Development Certificate

In the ‘Certificates’ section of the iOS Provisioning Portal, you can request individual iOS Development Certificates. All iOS applications must be signed by a valid certificate before they can be run on an Apple device. In order to sign applications for testing purposes, Team Members need an iOS Development Certificate.

A digital identity is an electronic means of identification consisting of a secret "private key" and a shared "public key". This private key allows Xcode to sign your iOS application binary.

The digital certificates you request and download are electronic documents that associate your digital identity with other information, including your name, email address, or business. An iOS Development Certificate is restricted to application development only and is valid for a limited amount of time. The Apple Certification Authority can also invalidate ("revoke") a certificate before it expires.

Generating a Certificate Signing Request

To request an iOS Development Certificate, you first need to generate a Certificate Signing Request (CSR) utilizing the Keychain Access application in Mac OS X Leopard. The creation of a CSR will prompt Keychain Access to simultaneously generate your public and private key pair establishing your iOS Developer identity. Your private key is stored in the login Keychain by default and can be viewed in the Keychain Access application under the ‘Keys’ category. To generate a CSR:

1. In your Applications folder, open the Utilities folder and launch Keychain Access.
2. In the Preferences menu, set Online Certificate Status Protocol (OSCP) and Certificate Revocation List (CRL) to “Off”.
   
   
3. Choose Keychain Access -> Certificate Assistant -> Request a Certificate from a Certificate Authority. Note: If you have a noncompliant private key highlighted in the Keychain during this process, the resulting Certificate Request will not be accepted by the Provisioning Portal. Confirm that you are selecting “Request a Certificate From a Certificate Authority...” and not selecting “Request a Certificate From a Certificate Authority with <Private Key>…”
   
   
   
   
4. In the User Email Address field, enter your email address. Please ensure that the email address entered matches the information that was submitted when you registered as an iOS Developer.
5. In the Common Name field enter your name. Please ensure that the name entered matches the information that was submitted when you registered as an iOS Developer.
6. No CA (Certificate Authority) Email Address is required. The ‘Required’ message will be removed after completing the following step.
7. Select the ‘Saved to Disk’ radio button and if prompted, select ‘Let me specify key pair information’ and click ‘Continue’.
   
   
   
8. If ‘Let me specify key pair’ was selected, specify a file name and click ‘Save’. In the following screen select ‘2048 bits’ for the Key Size and ‘RSA’ for the Algorithm. Click ‘Continue’.
   
   
   
9. The Certificate Assistant will create a CSR file on your desktop.

Submitting a Certificate Signing Request for Approval

1. After creating a CSR, log in to the iOS Provisioning Portal and navigate to ‘Certificates’ > ‘Development’ and click ‘Add Certificate’.
2. Click the ‘Choose file’ button, select your CSR and click ‘Submit’. If the Key Size was not set to 2048 bits during the CSR creation process, the Portal will reject the CSR.
3. Upon submission, Team Admins will be notified via email of the certificate request.
4. Once your CSR is approved or rejected by a Team Admin, you will be notified via email of the change in your certificate status.
   
   
   

Approving Certificate Signing Requests

Team Agents and Team Admins have the authority and responsibility to approve or reject all iOS Development Certificate requests. In order to approve/reject Team Members’ requests, all Team Admins should first submit their own CSR for approval.

1. After submitting a CSR for approval, Team Admins will be directed to the ‘Development’ tab of the ‘Certificates’ section. Here, CSRs can be approved or rejected by clicking the corresponding action next to each request.
2. Once a CSR is approved or rejected, the requesting Team Member is notified via email of the change in their certificate status. Each iOS Development Certificate is available to both the Team Member who submitted the CSR for approval and to the Team Admin(s).
   
   
   

Downloading and Installing Development Certificates

1. In the ‘Certificates’ > ’Distribution’ section of the Portal, control-click the WWDR Intermediate Certificate link and select “Saved Linked File to Downloads” to initiate download of the certificate.
2. On your local machine, double-click the WWDR Intermediate certificate to launch Keychain Access and install.
3. Upon CSR approval, Team Members and Team Admins can download their certificates via the ‘Certificates’ section of the Provisioning Portal. Click ‘Download’ next to the certificate name to download your iOS Development Certificate to your local machine.
4. On your local machine, double-click the downloaded .cer file to launch Keychain Access and install your certificate.
5. Team Members can only download their own iOS Development Certificates. Team Admins have the authority to download the public certificates of all of their Team Members. Apple never receives the private key for a CSR. The private keys are not available to anyone except the original key pair creator and are stored in the system keychain of that Team Member.
   
   

Saving your Private Key and Transferring to other Systems

It is critical that you save your private key somewhere safe in the event that you need to develop on multiple computers or decide to reinstall your system OS. Without your private key, you will be unable to sign binaries in Xcode and test your application on any Apple device . When a CSR is generated, the Keychain Access application creates a private key on your login keychain. This private key is tied to your user account and cannot be reproduced if lost due to an OS reinstall. If you plan to do development and testing on multiple systems, you will need to import your private key onto all of the systems you’ll be doing work on.

1. To export your private key and certificate for safe-keeping and for enabling development on multiple systems, open up the Keychain Access Application and select the ‘Keys’ category.
2. Control-Click on the private key associated with your iOS Development Certificate and click ‘Export Items’ in the menu. The private key is identified by the iOS Developer: <First Name> <Last Name> public certificate that is paired with it.
3. Save your key in the Personal Information Exchange (.p12) file format.
4. You will be prompted to create a password which is used when you attempt to import this key on another computer.
5. You can now transfer this .p12 file between systems. Double-click on the .p12 to install it on a system. You will be prompted for the password you entered in Step 4.