How to manage Enterprise Distribution certificate expiration?
5

Our customer has just joined the iOS Developer Enterprise Program. They have signed the app (developed by us) with their Enterprise Distribution certificate and installed it successfully on some devices via MDM.

As far as I know, when my non-enterprise distribution certificate expires I have to renew it. This expiration disables all apps signed with the expired certificate as soon as the device checks the certificate's validity against Apple’s OCSP server.

Alternatively, I can revoke my non-enterprise distribution certificate before the expiration date and ask Apple for a new one. Applications signed with the revoked certificate, for example Ad Hoc beta apps, will be disabled by the same mechanism.

So with my developer program I can't have two valid distribution certificates at the same time. Ok, as developers we can live with that.

Can our customer have two valid Enterprise Distribution certificates at the same time with the iOS Developer Enterprise Program?

According to Apple:

Certificate Validation

The first time an application is opened on a device, the distribution certificate is validated by contacting Apple’s OCSP server. Unless the certificate has been revoked, the app is allowed to run. Inability to contact or get a response from the OCSP server is not interpreted as a revocation. To verify the status, the device must be able to reach ocsp.apple.com. See “Network Configuration Requirements” (page 9).

The OCSP response is cached on the device for the period of time specified by the OCSP server—currently between 3 and 7 days. The validity of the certificate will not be checked again until the device has restarted and the cached response has expired. If a revocation is received at that time, the app will be prevented from running. Revoking a distribution certificate will invalidate all of the applications you have distributed.

An app will not run if the distribution certificate has expired. Currently, distribution certificates are valid for one year. A few weeks before your certificate expires, request a new distribution certificate from the iOS DevCenter, use it to create new distribution provisioning profiles, and then recompile and distribute the updated apps to your users. See “Providing Updated Apps” (page 10)

Am I missing something, or is it possible that the employees, with potentially hundreds of iOS devices running several In-House apps, can't open their applications while they wait for the re-signed apps?

Hatching answered 9/2, 2012 at 18:20

Gigahertz: Can you provide a link for that quote?
Hatching: Unfortunately I can't. I read it months ago and it seems that Apple removed this content, but you can find it here: http://es.scribd.com/doc/72810321/FA-Wireless-Enterprise-App-Distribution
Worktable: Possible duplicate of "iphone app: how to renew an expired distribution certificate through the iOS provisioning portal".
Christinchristina: Anyone looking for the above quote: apple.com/hk/en/ipad/business/docs/…
95

This is an issue that we have been dealing with for the last 2 years. The in-house applications do stop working after 1 year. It is a massive exercise for an organization like ours to rebuild hundreds of apps and redeploy them on thousands of devices every year.

For us it is a month long exercise where we rebuild all our apps and inform all users to get new ones through the distribution channel. Still every year some users are left with non-functional apps.

I have filed an enhancement request with Apple (Bug ID #9848075) for this and am still waiting for a reply.

EDIT: The above mentioned bug is closed now. Here's the official response:

Distribution certs for enterprise are now 3 years in duration.

Rustin answered 10/2, 2012 at 10:25

Hatching: Hi Vin, my client has told me that they can have two valid certificates. Therefore I think the re-sign process of all IPAs can be pretty fast using scripts, and as you don't need to wait for the expiration date... I guess everything can be ready for that day and all employees can receive the re-signed apps via an MDM tool.
Artieartifact: Enterprise certificates now last for 3 years. The provisioning profile however expires after 1 year. This means to keep an app running you just need to push out a new provisioning profile for applicable app IDs. This may just be your wildcard (*) profile. You can use an MDM system to push these profiles out automatically.
Soledadsolely: Hi Vin, why aren't you using an MDM to install the new versions on all devices?
Stanzel: I doubt the app needs to be rebuilt, only re-signed. I have a provisioning profile that will need to be re-signed soon, so I'm going to try just re-signing the existing app archives before I go back and try to rebuild them all.
Rustin: @RichardVenable re-signing the apps would do, but you'd still have to get this new app to users' devices.
Politics: So what happens if my certificate hasn't expired, but my provisioning profile has? Would that stop users from running the app?
Quell: Yes, I am also wondering what it will be like if my provisioning profile is expired but not my certificate. Currently, I have apps whose profile is expired and I am still able to run the app. It would be nice if Apple had a clear explanation for provisioning profiles like they have for certificates.
Dvina: I wondered what the difference is with App Store apps, which do not face this problem? Why do we only see this in Enterprise or Ad-Hoc apps?
Mustache: @JonasStawski, My distribution certificates are up and running. But the provisioning profile is going to expire; I edited the profile and now that provisioning profile is just fine. Will the app having the previous profile stop working? Do I need to update the app, code sign with this provisioning profile and ask users to update the app?
Monniemono: @JonasStawski @MinSoe Even if your certificate is valid, your app will stop working as soon as your provisioning profile expires. That's my experience - the app will stop launching on users' devices. (You might have figured it out already - I'm mainly posting for visibility so other people who stumble across this thread know what to expect.)
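The comment thread above goes back and forth on which clock matters: the distribution certificate (now 3 years) or the provisioning profile (1 year). The script below is an added example, not code from any poster here; it reads an already-decoded provisioning profile plist (the CMS envelope of a .mobileprovision must be stripped first, e.g. with `security cms -D -i` on macOS), pulls the profile's ExpirationDate and the notAfter of each embedded DeveloperCertificates entry with a minimal DER walk, and reports which one expires first. The sample profile and certificate at the bottom are constructed for the demo and are not real Apple artifacts.

```python
import plistlib
from datetime import datetime, timezone

def _tlv(buf, pos):  # read one DER tag-length-value; return (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):  # members of a constructed DER value as (tag, value) pairs
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out

def cert_not_after(der):  # notAfter of a DER X.509 cert (structure walk only, no signature check)
    _, cert, _ = _tlv(der, 0)                        # Certificate ::= SEQUENCE
    fields = _children(_children(cert)[0][1])        # tbsCertificate members
    if fields[0][0] == 0xA0:                         # optional [0] EXPLICIT version
        fields = fields[1:]
    tag, not_after = _children(fields[3][1])[1]      # serial, sigAlg, issuer, validity
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime vs GeneralizedTime
    return datetime.strptime(not_after.decode(), fmt).replace(tzinfo=timezone.utc)

def profile_report(plist_bytes, now):  # which expires first: the profile or its signing cert?
    p = plistlib.loads(plist_bytes)
    profile_exp = p["ExpirationDate"].replace(tzinfo=timezone.utc)  # plistlib gives naive UTC
    cert_exp = min(cert_not_after(c) for c in p["DeveloperCertificates"])
    first, when = min([("profile", profile_exp), ("certificate", cert_exp)], key=lambda x: x[1])
    return {"name": p["Name"], "profile_expires": profile_exp.date().isoformat(),
            "certificate_expires": cert_exp.date().isoformat(),
            "first_to_expire": first, "days_left": (when - now).days}

# --- constructed sample input: NOT a real Apple profile or certificate ---
def _der(tag, body):  # short-form length only (body < 128 bytes)
    return bytes([tag, len(body)]) + body

def _fake_cert(not_after):  # minimal tbsCertificate with a real validity field
    validity = _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, not_after))
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")   # version v3, serial 1
           + _der(0x30, b"") + _der(0x30, b"") + validity)          # sigAlg, issuer, validity
    return _der(0x30, _der(0x30, tbs))                               # signature fields omitted

SAMPLE_PROFILE = plistlib.dumps({
    "Name": "Wildcard In-House", "ExpirationDate": datetime(2025, 3, 1, 12, 0, 0),
    "DeveloperCertificates": [_fake_cert(b"270101000000Z")],        # 3-year enterprise cert
})
SAMPLE_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
```

Running `profile_report(SAMPLE_PROFILE, SAMPLE_NOW)` on the sample reports the profile (59 days left) as the first thing to expire, which is the case several commenters hit: a valid certificate does not help once the profile is gone.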
11

The "missing" link is now http://help.apple.com/iosdeployment-apps/?lang=en#app43ad74a3

A few weeks before your certificate expires, request a new distribution certificate from the iOS Dev Center, use it to create new distribution provisioning profiles, and then recompile and distribute the updated apps to your users.

The document also describes how to update apps. There are frameworks that include the update mechanism easily into your app, e.g. "Hockey": https://github.com/therealkerni/HockeyKit

Quoting the full article:

Certificate validation

The first time a user opens an app, the distribution certificate is validated by contacting Apple’s OCSP server. Unless the certificate has been revoked, the app is allowed to run. Inability to contact or get a response from the OCSP server isn’t interpreted as a revocation. To verify the status, the device must be able to reach ocsp.apple.com. See Network configuration requirements.

The OCSP response is cached on the device for the period of time specified by the OCSP server—currently, between 3 and 7 days. The validity of the certificate isn’t checked again until the device has restarted and the cached response has expired. If a revocation is received at that time, the app is prevented from running. Revoking a distribution certificate invalidates all of the apps you’ve distributed.

An app won’t run if the distribution certificate has expired. Currently, distribution certificates are valid for one year. A few weeks before your certificate expires, request a new distribution certificate from the iOS Dev Center, use it to create new distribution provisioning profiles, and then recompile and distribute the updated apps to your users. See Providing updated apps.

Lakitalaks answered 21/2, 2012 at 22:34
5

Note: The hierarchical text below indicates the path to the information that explains the solution. You must navigate to (expand the arrows next to) the items in the sidebar to see the solution (Mani, please don't delete this info - it's there to direct the viewer to the solution.)

Current documentation from Apple:

Distributing Enterprise Apps for iOS Devices
    In-house apps
      Certificate validation
      Providing updated apps

http://developer.apple.com/library/ios/#featuredarticles/FA_Wireless_Enterprise_App_Distribution/Introduction/Introduction.html

From Providing updated apps:

You can have two distribution certificates active at the same time; each is independent from the other. The second certificate is intended to provide an overlapping period during which you can update your apps before the first certificate expires. When requesting your second distribution certificate from the iOS Dev Center, be sure you don’t revoke your first certificate.

That there is not a seamless way to do this, so that our internal customers don't need to see it, is a rather terrible lack of functionality.

Aragonite answered 14/11, 2012 at 20:10

Multicolor: Link is broken :(
4

Apple revised the documentation...

An app won’t run if its distribution certificate has expired. Currently, distribution certificates are valid for one year, and you can have two certificates active at the same time. The second certificate is intended to provide an overlapping period during which you can update your apps before the first certificate expires.

For example, six months before your distribution certificate expires, create a new certificate and use it to update your apps for the next year. To do this, you request a new distribution certificate from the iOS Dev Center (do not revoke your first certificate), use it to create new distribution provisioning profiles for each of your apps, and then you recompile and distribute the updated apps to your users. See Providing updated apps.

Detonator answered 11/7, 2012 at 16:58
-1

Just a small follow up.

Original:

"As far as I know when my non-enterprise distribution certificate expires I have to renew it. This expiration disables all apps signed with the expired certificate as soon as the devices checks the certificate's validity against Apple’s OCSP server."

This is not quite true, if I understand it correctly. This info from Apple, as explained here, says the opposite.

What happens if my certificate expires or has been revoked?

...

iOS Distribution Certificate (App Store)

  • If your iOS Developer Program membership is valid, your existing apps on the App Store will not be affected. However, you will no longer be able to submit new apps or updates to the App Store.
Broeder answered 19/9, 2013 at 21:52

Hatching: Hi Kost, you are right for the App Store. The thing is that I expressed myself badly; I was talking about Ad Hoc distribution, where Apple does not re-sign your app (or do anything).
Aragonite: Important to note that the rules are different for Enterprise and non-Enterprise apps.
Chlorite: The question is related to the Apple Developer Enterprise Program, and not the Apple Developer Program. Your answer is correct for the Apple Developer Program, which is out of context for this question.
