3 Replies
      Latest reply on Apr 16, 2018 7:31 AM by guywithmazda
      edxsturt Level 1 Level 1 (0 points)



        We have 2 prod certificates - A to expire in 08/2018 and B to expire in 2021.  We have 2 provisioning profiles - C to expire in 04/2018 and D to expire in 08/2018.


        I understand that a profile is linked to a certificate.  I don't have the admin rights to generate a profile or to create a new cert for my company.  However, I'm responsible for doing the build for enterprise distribution using Xcode 8.3.3.


        Should I ask that profile D be linked to cert B and be regenerated so it will expire in 2019?


        I should download cert B and install in my keychain.  If I were to use automatic signing, this will revoke cert A in my keychain?  Xcode will pair cert B with profile D?


        Revoking a cert in my keychain does not affect the enterprise app already in the field?  But revoking a cert in developer.apple.com will affect the app in the field?


        We would like to do a new build using a cert and a profile that do not expire this year.


        Thank you.

        • Re: Creating a second prod certificate
          KMT Level 9 Level 9 (15,395 points)

          One certificate can sign any number of provisioning profiles which are what you need to run the app on devices.

          • Distribution Certificate: Program wide
          • Provisioning Profile: Per app


          You may have two active certificates at any given time. Normally you will only use one at a time and then transition to the second certificate before the first one expires.


          Before I attempt to answer your questions...


          How many apps do you have?


          Which cert was used to generate profile D?

            • Re: Creating a second prod certificate
              edxsturt Level 1 Level 1 (0 points)

              We only have 1 enterprise app.  We have regenerated a provisioning profile to use a later distrib cert (expire in 2021), profile will expire next year.


              I am unfamiliar with Revoke of cert on the developer.apple.com site.  If one were to accidentally hit it, is there a prompt to ensure you know what you are doing?


              And if you proceed, does it impact apps in the field that ref that revoked cert?  Does the app when it has an internet connection check against this cert on the developer.apple.com site?


              Likewise, if one uses automatic signing (which I don't for finer control) and it says Revoke an existing cert on the build machine - is it only limited to the build machine or does it revoke on the developer site, too?



                • Re: Creating a second prod certificate
                  guywithmazda Level 4 Level 4 (865 points)

                  Revoking an Enterprise Developer distribution certificate will cause all installed apps that have a distribution provisioning profile that used it to stop functioning.  You are correct that the app must occasionally check with Apple's server to see if the certificate and profile are still valid (which is why Enterprise apps don't work well on devices without regular internet access).  Apple doesn't say exactly how often that check is done.


                  If Xcode revokes a certificate, it will be revoked on the developer site.


                  I'm not sure what automatic signing does if you have 2 distribution certificates installed in your keychain.  I haven't used it because I want to make sure I know what is being used to sign things.  When I export an archive for Enterprise Distribution, I choose to manual signing and make sure I choose the correct certificate and profile.