How to recover a lost enterprise distribution certificate or its private key


Article ID: 178350


Updated On:

Products

Mobile Management

Issue/Introduction


Resolution

*Note* - Code signing of new enterprise apps, or of updates to existing enterprise apps, will not work until both the enterprise distribution certificate and its private key have been restored.

*Note* - The enterprise distribution certificate itself can be downloaded again from the 'Member Center' located here, but that download contains only the public half of the signing identity. The associated private key exists only in the keychain of the OS X user account, on the Mac, in which the certificate signing request was originally generated, or to which the signing identity was later exported and imported. If no such keychain can be found, the private key cannot be recovered.

*Note* - Revoking an enterprise distribution certificate invalidates every app that was signed and deployed with it; those apps must be re-signed with the replacement certificate and redistributed.

*Note* - The Member Center allows two enterprise distribution certificates to exist at the same time. Creating the second certificate halfway through the validity period of the first gives the two certificates staggered, overlapping validity periods, so that a new version of each app can be signed with the alternate certificate and deployed some time before the other certificate expires.

*Note* - Once a working distribution code signing configuration has been restored, back it up so that this situation is easier to recover from in the future. Follow the process laid out in 'App Distribution Guide > Maintaining Your Signing Identities and Certificates > Exporting and Importing Certificates and Profiles', located here. The export produces a password-protected .p12 file that contains the private key; anyone holding that file and its password can sign apps as the enterprise, so store both securely.

Option 1:

Transfer the signing identity (certificate plus private key) from the OS X user account in which the certificate was originally created, using the steps listed in Apple's 'App Distribution Guide > Maintaining Your Signing Identities and Certificates > Exporting and Importing Certificates and Profiles', located here. This re-enables distribution code signing without disturbing any currently deployed enterprise apps, because the certificate itself does not change.
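The two checks a practitioner wants before choosing between Option 1 and Option 2 are "do I actually hold the private key for this certificate?" and "does my exported backup open again?". The script below is an added example, not part of the KB article or of Apple's Q&A: it uses openssl so that it runs on any system, generates a constructed self-signed stand-in certificate (not an Apple-issued one) in place of the real distribution certificate, compares the certificate's public key against a candidate private key, and writes the password-protected .p12 bundle used for the transfer in Option 1 and for the recommended backup. The file names, the subject name and the password are assumptions for the demo; the macOS keychain commands are shown in comments at the end.

```shell
#!/bin/sh
# Added example (not from the KB article or Apple's Q&A). Demonstrates:
#  1. key_matches_cert: does a private key belong to a given certificate?
#  2. export_identity: bundle cert + key into a password-protected .p12 and
#     verify it opens again (the transfer/backup artifact of Option 1).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# A .cer downloaded from the Member Center carries only the public key.
# Signing needs a private key whose public half equals the certificate's
# SubjectPublicKeyInfo. Returns 0 when the key matches, 1 otherwise.
key_matches_cert() {
  cert=$1; key=$2
  cert_pub=$(openssl x509 -in "$cert" -pubkey -noout)
  key_pub=$(openssl pkey -in "$key" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# Bundle certificate + private key into a password-protected PKCS#12 file and
# confirm it can be opened with the same password. Returns 0 on success.
export_identity() {
  cert=$1; key=$2; out=$3; pass=$4
  openssl pkcs12 -export -in "$cert" -inkey "$key" -out "$out" \
    -name "iPhone Distribution" -passout "pass:$pass"
  openssl pkcs12 -in "$out" -noout -passin "pass:$pass"
}

# --- constructed demo material: a self-signed stand-in, NOT an Apple cert ---
DEMO_CERT=$WORK/distribution.cer.pem     # assumed file name
DEMO_KEY=$WORK/distribution.key.pem      # the matching private key
OTHER_KEY=$WORK/unrelated.key.pem        # a key from some other keychain
DEMO_P12=$WORK/distribution-backup.p12   # the transfer/backup bundle
DEMO_PASS=s3cret                         # demo only; prompt for it in practice

openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
  -subj "/CN=iPhone Distribution: Example Corp (ABCDE12345)" \
  -keyout "$DEMO_KEY" -out "$DEMO_CERT" 2>/dev/null
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
  -out "$OTHER_KEY" 2>/dev/null

# Decide which option applies for each candidate key.
for candidate in "$DEMO_KEY" "$OTHER_KEY"; do
  if key_matches_cert "$DEMO_CERT" "$candidate"; then
    echo "$(basename "$candidate"): matches the certificate, Option 1 applies"
  else
    echo "$(basename "$candidate"): does not match, keep looking or use Option 2"
  fi
done

# Produce the backup/transfer bundle from the matching key.
export_identity "$DEMO_CERT" "$DEMO_KEY" "$DEMO_P12" "$DEMO_PASS"
echo "wrote $(basename "$DEMO_P12") ($(wc -c < "$DEMO_P12") bytes)"

# On macOS the same .p12 is what Xcode/Keychain Access export. To import it on
# the destination Mac and let codesign use the key without a prompt:
#   security import distribution-backup.p12 \
#     -k ~/Library/Keychains/login.keychain-db -P "$DEMO_PASS" -T /usr/bin/codesign
# To confirm the identity is usable (only identities with a private key are
# listed as valid):
#   security find-identity -v -p codesigning
```

Run it as `sh check-identity.sh`; the first loop line should report a match for the generated key and a mismatch for the unrelated one, which is exactly the difference between Option 1 and Option 2. On a real Mac, point `key_matches_cert` at the .cer from the Member Center and a key exported from a candidate keychain.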

Option 2:

If no keychain containing the private key can be located, a new certificate will need to be created. There are two ways to create a new enterprise distribution certificate:

  1. If the Member Center allows a second distribution certificate to be created, do so: click the plus ("+") button in the upper-right corner of 'Member Center > Certificates, Identifiers, & Profiles > Certificates > Production'. Because a provisioning profile is tied to a specific certificate, a new enterprise distribution profile associated with the newly created certificate must then be created. A new version of each app in question must be signed with the new certificate and profile and distributed before it will deploy. These actions re-enable distribution code signing without disturbing any currently deployed enterprise apps, since the original certificate remains valid.

  2. If the Member Center does not allow a second distribution certificate to be created, the distribution certificate whose private key is missing must be revoked and re-created. Follow the steps listed in 'App Distribution Guide > Maintaining Your Signing Identities and Certificates > Re-Creating Certificates and Updating Related Provisioning Profiles', located here. Revoking the certificate invalidates all currently deployed apps signed with it; they must be re-signed and redistributed once the new working distribution code signing configuration is in place.


Additional Information

DESCRIPTION:

The guidance in this article is derived from Apple Technical Q&A QA1868:

https://developer.apple.com/library/ios/qa/qa1868/_index.html