If you’ve ever attempted to create a mobile app for iOS, you have been through the hellish world of iOS certificates and provisioning profiles.
To submit an app to the app store, you are required to get a developer account, generate a certificate, export that certificate into a .p12 file with a private key, create an app ID, create a provisioning profile, then build the app with your .p12 and provisioning profile.
To make matters worse, you need to do this process in a different way for developing your app, using push notifications, or publishing your app to the app stores.
There are a million ways to screw this up, I know because I’ve done it wrong many times. You reach a point where you know you did everything right and it’s still not working.
This guide is to help those who have been beaten down by the iOS certification process, and have lost all hope. Fear not! We’ll get you back on track to meet that deadline, let’s dive in.
Requirements
Before we get started, you’ll need to make sure you have:
- An Apple computer
- An approved iOS developer account
The Easy Way and the Hard Way
It’s important to note that there are 2 different ways to get your certificates, the easy way, and the hard way. If you are building your app with Xcode, you can manage your certificates automatically using the easy way. It’s a much faster process, but it doesn’t always work for hybrid apps. For example, it won’t work with Phonegap Build.
We’ll be discussing the hard way in this article. To learn the easy way, check out this article or Apple’s documentation.
A Visual Guide
Let’s look at this process from a bird’s eye view before getting into details.
After you sign up as an iOS developer and login to your account, the process looks like this.
Every app needs an ID, a certificate, and a provisioning profile to work on a device or go on the app stores.
- Create app ID
- Request certificate, and download it
- Export certificate with key into .p12 file
- Create provisioning profile (use app ID and certificate from steps above)
- Build app with .p12 and provisioning profile
(Push notifications require one extra certificate, we’ll get to that later)
Let’s clear up some terminology, then look at the step by step process to make this happen.
Development/Production
First you have to choose whether you are making development or production certificates and profiles.
The certificates you make for development and production (app store submission) are different. (It’s the same process, you just check different boxes.)
A development certificate is required to test your app on a device before submitting it to the app stores. It is only good for testing, you cannot use it to submit to the app stores. (You can’t use production certificates for testing, in case you were wondering)
How I use development vs. production certificates
I create one development certificate and provisioning profile with a wildcard app ID, and use that for all of my apps. I only have to do this once. When apps are ready to submit, I create production certificates specifically for each app, using unique app IDs.
Now that we cleared that up (hopefully), let’s start creating the actual certs. We’ll create one wildcard development certificate that can be reused, and then a production certificate with and without push notifications.
Adding Devices
You’ll want to add your iOS testing devices before going through this process. Login to your account, go to Devices, and add each UDID.
To find your device UDID, connect your device to your computer using a USB cable. Open iTunes, then click on your device icon in the toolbar. Under Summary, click on the device serial number, and it will change to UDID. Copy the UDID and paste it for device registration.
Note: It’s important to add all of your devices first, because you’ll use them for your provisioning profile. To add devices after you’ve made your provisioning profile means you have to re-generate it and rebuild your app, which is a pain. Add as many devices as possible up front.
The Development Certificate
The first thing we’ll do is create a development certificate and provisioning profile with a wildcard app ID that can be used for all apps you develop. These can be reused, so you only have to do this once.
Wildcard App ID
A wildcard app ID means you can use it with multiple apps. It works great for development, so you don’t have to create dev certificates and profiles every time you make a new app.
Note: push notifications don’t work with with wildcard app IDs. If you need to test push notifications, you need an explicit app ID (no *).
In your developer account, click on Identifiers->App IDs. Click the plus button at the top right to add a new app ID.
Give your app ID a description, then under App ID Suffix choose Wildcard. Enter only a star: *
Ignore the other parts, save it and confirm.
The Certificate
It’s time to create the development certificate.
Go to Certificates, click on Development, then click the plus button at the top right to create a new certificate. Choose iOS app development, then continue.
You’ll be asked for a Certificate Signing Request. The instructions Apple provides are pretty straighforward:
In the Applications folder on your Mac, open the Utilities folder and launch Keychain Access.
Within the Keychain Access drop down menu, select Keychain Access > Certificate Assistant > Request a Certificate from a Certificate Authority.
In the Certificate Information window, enter the following information:
-In the User Email Address field, enter your email address.
-In the Common Name field, create a name for your private key (e.g., John Doe Dev Key).
-The CA Email Address field should be left empty.
-In the “Request is” group, select the “Saved to disk” option.
Click Continue within Keychain Access to complete the CSR generating process.
Upload your CSR and generate your certificate, then download it to your computer.
Convert to .p12 file
Next you’ll need to export this certificate as a .p12 file. To do that, double-click on the certificate you just downloaded.
That will open it up in keychain. (If you are having trouble finding it, you can click on “My Certificates” at the left, then search for your name)
Click the arrow to reveal your private key. (If there is no arrow, then something went wrong. You either aren’t an authorized developer on the account, or you didn’t generate the right type of certificate)
With both items selected, right-click (or option click) and select “Export 2 items.” 
You will be prompted to save the file, make sure you name it something like dev-yourcertname-certexpirationdate.p12. (This will help later on when you have a lot of certs.) You also need to give it a password, make sure you keep a record of this password so you can find it later.
That’s it, you now have your development .p12, which you can use to build your app for testing. The last item we need is a provisioning profile.
The Provisioning Profile
To create your development provisioning profile, click on Development under Provisioning Profiles in the left sidebar of your iOS developer account.
- Click the plus button at the top right to add a new profile, and choose iOS app development.
- You will be prompted to choose an App ID, make sure to select the wildcard app ID we created in the last step.
- Next, you need to choose a certificate, make sure it’s the same certificate we created above.
- Select the devices you want to be able to install your apps. (I usually have all my devices and my team’s, so I select all of them.)
- Give your profile a name, make sure to call it ‘Wildcard Dev Scott’, or something that tells you exactly what it is at a glance. This will help a lot when you start making other profiles.
- Generate the profile and download it, and you’re ready to go.
You can now use this provisioning profile along with the .p12 file you created to build your app on Phonegap Build, or other platforms.
Troubleshooting Tips
Here are some things to keep in mind if you’re having trouble.
- Make sure you’ve already created your app ID, certificate, and added devices before creating the provisioning profile.
- The certificate you choose with the provisioning profile must be the same one as the .p12 you are using.
- Don’t mix up development and production profiles/certs. They have to both be the same, either both dev or both production.
The development certificate and profile you just created can be re-used for testing all of your apps. To submit to the app stores (or test push notifications) you will need to create a production certificate with an explicit app ID.
Let’s look at how to do that.
The Production Certificate
If you’ve already created your development certificate, the production one is easy. It’s the same exact process, but we just tweak a couple of things.
- We use an explicit app ID, not a wildcard (com.mything.app)
- We choose “Production” for our certificate, not development
- We choose “Distribution” for our provisioning profile, not development
Everything else is the same, including creating the .p12 and provisioning profile.
Production App ID
Go to Identifiers->App IDs, and create a new one by clicking the plus button.
This time, choose Explicit App ID, and make up a reverse domain name like com.mycompany.myapp. It’s not important what it is, but it’s a good idea to use a naming convention like I did.
Ignore the other options and save.
Production Certificate
This is the same exact process as creating a development certificate, except you choose “App Store and Ad Hoc” instead of Development.
You can use the same Certificate Signing Request you created before, generate and download the certificate. Convert it to a .p12 the same way as before.
That’s it for your certificate, now we just need an App Store provisioning profile.
Distribution Provisioning Profile
Under Provisioning Profiles, click Distribution, then click the plus button to add a new one.
This process is exactly the same as before, except we choose App Store.
When going through the profile options:
- Choose the explicit app ID you created above.
- Then choose the production certificate you created in the last step.
- Generate your profile and download, that’s it! Make sure to give it a good name like ‘Appname App Store Certname’
You now have your production .p12 and distribution provisioning profile, you can build your app with those 2 things and it’s ready to submit to the app store!
There’s one last thing we need to deal with, and that’s an app with push notifications.
Push Notifications
An app built with push notifications has a couple extra requirements. You still need a production .p12 and provisioning profile like we did above, but you also need an extra SSL certificate.
Here are the steps we are going to take:
- Do everything under Production Certificate above
- Create push notifications SSL certificate
Assuming you’ve already done the steps under Production Certificate above for your app, let’s create the SSL certificate.
Push Notifications SSL Certificate
Push notifications require a server that sends a notification to Apple’s servers, then Apple sends that notification out to the app. That means you need to use your own server for this, or use a 3rd party service.
I won’t go into how to set that all up, we are just going over how to create the certs. You can read this article if you are curious about setting up your own push server.
The SSL certificate is installed on the server that is sending pushes to Apple, which then go to your app. Let’s create this certificate now.
First, go to your App IDs, and click on your app’s ID, then click the Edit button.
Scroll down to the box that says Push Notifications. Check the box beside it.
Next, under Production SSL Certificate, click Create Certificate. (Some services allow you to use a development certificate for testing push, but for a live app you need to use production)
You will be prompted for a Certificate Signing Request, use the same one you created before, then generate the certificate. Download it, and you’re done!
This certificate is used on the server you send push notifications from, it is not used to build the app.
Some services need this certificate, and some require you to create a .p12 file out of it. Follow the directions at your push notifications provider.
Testing Push Notifications
Testing push can be tricky.
First, you must be on a real device, not in an emulator. Second, you always have to use an explicit app ID, not a wildcard app ID.
If you are using Phonegap Build, you must use an explicit app ID, production certificate, and ad hoc provisioning profile to test push. You cannot use a development certificate to test.
Some push notifications providers have a sandbox mode that you can use to test, follow their provided instructions if that is the case.
Common Problems
Creating these certificates can go wrong very quickly.
If something isn’t working right, the only thing you can really do is delete everything and start over. Hopefully you won’t have to do that, here are some tips to keep you out of trouble.
- Don’t mix someone else’s certs or profiles with your own. Make everything on your machine at the same time.
- All certs and profiles have to match up, all development or all production/distribution, and all for the same app ID.
- Make sure you are a registered developer on the account, it won’t work if you’re not.
- Use the same certificate signing request for all certs
- Keep everything organized on your machine in folders, with good names
- Keep track of your .p12 passwords, you’ll need them later
- Certs only last for one year. Your apps won’t stop working when they expire, but you’ll need to create new ones if you want to make new apps or resubmit.
Hopefully that helps you submit your app to Apple without too many forehead bleeds from banging your head against your desk.
If I missed anything or you have tips, leave them in the comments.