Enterprise Certificate renewal

Hi,

I have explored a few blogs to understand the queries below; unfortunately, the links to Apple documentation are broken and redirect to the Xcode helper page. I got some understanding of these queries but would really like to get suggestions from the forum.


Thanks for your help in advance!!


1. Enterprise certificate is believed to expire once in 3 years - I believe still remains the same?

2. What happens to existing running applications when an enterprise certificate is revoked - Applications stop working?

3. How to renew the certificate without affecting current running applications?

4. What's the maximum number of certificates allowed for the Enterprise distribution program?

5. Documentation explains only 2 certificates are allowed per enterprise distribution program, in our case we already have 2 certificates created and utilised for different applications. What will be the alternative solution to renew the certificate without impacting running applications?

Replies

1: Yes, still 3 years.

2: Correct, those applications will stop working.

3 through 5: Certificates can't be renewed. You can have a maximum of two production certificates. One production certificate can be used to generate an unlimited number of distribution profiles. After one production certificate expires, you can create another one.


I think you will need to:

A. Change (and generate) all your distribution profiles that use the production certificate with the earlier expiration date to use the production certificate with the later expiration date.

B. If you are using an MDM system, some of them can simply push the updated distribution profiles to devices. If not, you will need to recompile/archive the apps that use the changed distribution profiles and distribute/install the updated apps.

C. After the production certificate with the earlier expiration date expires (or you revoke it), create another one.

D. As the distribution profiles near expiration (they are only good for one year), regenerate them using the newer production certificate and deploy the profiles / apps as mentioned in B.

Then repeat C and D going forward. If you follow this pattern, each time the oldest certificate expires, there shouldn't be any distribution profiles using it.


EDIT: corrected "distribution certificate" to "production certificate" in last sentence of the "3 through 5" answer.
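
Added example, not part of the replies above and not Apple tooling: an audit for steps A through D that reads each distribution profile, fingerprints the certificate embedded in it, and flags the profiles still tied to the earlier-expiring production certificate. It assumes the `Name`, `ExpirationDate` and `DeveloperCertificates` profile keys; the certificate expiry dates, app names and sample profiles are constructed, and the profile's CMS signature is not verified.

```python
import hashlib
import plistlib
from datetime import datetime

def parse_profile(blob):
    """Read the plist inside a .mobileprovision CMS envelope (signature is NOT verified)."""
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>", start)
    if start < 0 or end < 0:
        raise ValueError("no embedded plist found")
    p = plistlib.loads(blob[start:end + len(b"</plist>")])
    certs = {hashlib.sha1(der).hexdigest() for der in p["DeveloperCertificates"]}
    return {"name": p["Name"], "expires": p["ExpirationDate"], "certs": certs}

def rotation_plan(profiles, cert_expiry):
    """cert_expiry maps SHA-1 fingerprint -> expiry date of each production certificate."""
    older = min(cert_expiry, key=cert_expiry.get)
    plan = {}
    for prof in profiles:
        known = prof["certs"] & set(cert_expiry)
        if not known:
            plan[prof["name"]] = ("signed by a certificate not in the inventory", None)
            continue
        # Usable until the profile expires or its certificate does, whichever is first.
        deadline = min(prof["expires"], max(cert_expiry[f] for f in known))
        if known == {older}:
            plan[prof["name"]] = ("step A: regenerate with the later-expiring certificate", deadline)
        else:
            plan[prof["name"]] = ("step D: regenerate before the profile expires", deadline)
    return plan

def constructed_profile(name, expires, cert_bytes):
    """Constructed stand-in for a real file: plist wrapped in junk bytes like a CMS envelope."""
    body = plistlib.dumps({"Name": name, "ExpirationDate": expires,
                           "DeveloperCertificates": [cert_bytes]})
    return b"\x30\x82junk" + body + b"\x00signature-bytes"

# Constructed certificate bytes and expiry dates (a real inventory would use the DER certificates).
OLD_CERT, NEW_CERT = b"constructed-older-cert", b"constructed-newer-cert"
CERT_EXPIRY = {hashlib.sha1(OLD_CERT).hexdigest(): datetime(2025, 3, 1),
               hashlib.sha1(NEW_CERT).hexdigest(): datetime(2027, 6, 1)}

def demo():
    blobs = [constructed_profile("Sales App", datetime(2025, 9, 1), OLD_CERT),
             constructed_profile("Field App", datetime(2025, 11, 1), NEW_CERT)]
    return rotation_plan([parse_profile(b) for b in blobs], CERT_EXPIRY)

if __name__ == "__main__":
    for name, (action, deadline) in demo().items():
        print(f"{name}: {action}; usable until {deadline}")
```

In the constructed data, "Sales App" is flagged for step A with a deadline of the older certificate's expiry, even though its profile's own expiration date is six months later.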