Create iOS "In-House and Ad Hoc" certificate option disabled

2

17

My client's iOS In-House provisioning profiles are about to expire in 2 weeks. So to renew them, I wanted to create a new In-House certificate. But when clicking "Add" the In-House and Ad Hoc option is disabled. What could be the cause of this?

Add iOS Certificate

I renewed the client's enterprise license yesterday. Could it be that it takes some time before I can create In-House certificates again? (On all my other clients' (non-enterprise) accounts it works.)

Boscage answered 21/6, 2013 at 8:27 Comment(8)
Did you try revoking the old one first? - Lusatian
@Lusatian Not yet, I read that it should now be possible to create a second one a couple of weeks before the old one expires so there's one active at all times. - Boscage
I found an interesting quote from this page -> lshift.net/blog/2013/05/08/… "After discussing the issue with our specialists, I confirmed that there can only be two distribution certificates at one time. In order to create a new one, you would have to revoke one of the existing ones." - Lusatian
@Lusatian Ah, I do in fact have 2 certificates. One of them expires on July 5th 2013, the other one on Apr 15th 2016. Which is strange because the second one isn't used anywhere and I thought certs can only be valid for 1 year. Furthermore, when I view it in Keychain it has no private key assigned to it. So I don't know if it's even valid. - Boscage
Well, if no one has the key to it, then it is useless and you might as well get rid of it. However, be absolutely sure no one has the key to it first or you will piss people off. It's probably valid, but not usable. - Lusatian
@Lusatian Thanks. Do you know how it's even possible to create a certificate which is valid until 2016? Maybe I'll try to update one profile with that certificate and see if it works. - Boscage
Actually our current client enterprise cert is valid until 2016, so I think they are doing 3 years now. - Lusatian
@Lusatian OK, I found out that apparently the 2016 cert was created for/by another developer who does work for the client. So I can't revoke that, but I also can't use it since Xcode shows "Valid signing identity not found". I'm a bit confused. Shouldn't there only be 1 active cert? Is there anything else I could do other than revoking my expiring cert and creating a new one? Is there any way to make the 2016 cert usable for me? Sorry for the stupid questions and thank you very much for your help so far! If you want, post your comment as an answer so I can accept it :) - Boscage
25

I'm an Agent for my company's Enterprise account and your issue is mainly as laid out above: the existence of two Enterprise certs. Where I'm slightly confused is why you have multiple folks working as your Agent. Apple has set up the Enterprise account & portal in such a way that there is to be one company-wide Agent who has complete control over that Enterprise Distribution certificate, and it is paired with his/her CSR/private key. If you really want to do this properly, you need to get hold of the actual Agent in charge of the account and get him to export his private key used to sign the CSR & Distribution Cert so you can develop against it. If you're NOT the entity doing the final production builds for Enterprise deployment, I would suggest better coordinating your efforts with the Agent, as he may have a plan you're not aware of.

Regarding the multiple certificates, Apple started doing that over a year ago so that you can smoothly cut over to a new Distribution Cert in your apps without scrambling to update all apps on the previously singular cert simultaneously.

Lastly, one point to note is that while the certificate is good for 3 years, your provisioning profile will still expire in 12 months' time to make sure your client is scheduling their update & maintenance cadence appropriately.

Feel free to shoot me any questions on this. Good luck!

EDIT Enterprise Overview Developer Roles

The Agent role is meant for one person to act as a gatekeeper for that company. It does create a problem for a large company pumping out multiple in-house apps, but the control factor helps maintain a cohesive environment.

Where you're going to start getting into trouble is when your original cert is set to expire and you need to roll them over to the newer cert the other person who has Agent access created. He/she is going to have to either compile your code for you or export their private key out of Keychain Access so that you can use that newer Enterprise Dist Cert.

What should typically happen is an Agent creates the first cert and all in-house apps are signed to it. That cert may expire in 2016 as an example. The prov profiles will expire every year, though, so each app needs to take an update at least every 12 months to refresh itself with a new prov profile. Fast fwd to the end of 2015 and you're staring down an expiring cert. You'd create the replacement cert, update the provisioning profiles for each active app with the new cert (expires in say 2019), then update each app with the new prov profile attached to the new cert before the 2016 cert goes stale.

Make sense?

Impeccant answered 22/6, 2013 at 13:11 Comment(5)
Thank you! Well, our company is the agent of the enterprise account. Then a few months back another developer made an app for the client and apparently (he or my coworker then) created another certificate to compile his app for in-house distribution. So I guess he should have used our existing certificate instead of creating a second one, right? So obviously none of us are really experts in this matter. Is there any documentation of the course of action to allow another dev to develop using the main in-house cert? - Boscage
Thanks, it's getting clearer! So the best thing to do would be to export the private key of our development cert and give it to the other developer, who then uses this cert + key to build his (one) app. And revoke every other cert. Is that right? I ended up revoking our cert and then creating a new one and rebuilding all of our apps anyway. - Boscage
No, no... do NOT revoke the other cert out of the gate. If you revoke an Enterprise cert it will kill every app developed under it from running. Only revoke it AFTER you guys update all in-house apps with the newer cert and your clients install it. THEN you can safely revoke the original cert. Make sense? - Impeccant
@Impeccant I realize this is an old post but I am running into a similar issue today. One of our enterprise In-House and Ad Hoc certs is being used for MDM and the other is being used for enterprise apps being pushed to many users. The app cert is about to expire... if I revoke it, does it stop the apps from running or from being distributed? I am OK now distributing the app to more users but NOT OK if the app stops working. Would appreciate your thoughts. TY - Dulcine
@Dulcine If you revoke that Distribution Certificate in the Developer Portal, ALL apps in the field that have access to Apple's back-end (i.e. internet access) will stop working within 24 hours. By "stop working" I mean the apps will attempt to launch, then appear to crash back to the springboard. Similarly, you will not be able to compile code in Xcode and re-sign that app with that Distribution Certificate either. To mitigate, you will have to create a new Distribution Cert (you can have two), then re-sign and re-deploy all of your apps again. Good luck! - Impeccant
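
The answer and comments above warn that a distribution certificate should be revoked only after every app has moved to the new one. As an added example (not part of the original answers), this Python sketch checks which unexpired provisioning profiles still embed a given certificate. The function names and the sample profiles are hypothetical and constructed for illustration; a real `.mobileprovision` file is a CMS envelope around an XML plist, and this reads the plist without verifying the signature.

```python
import hashlib
import plistlib
from datetime import datetime

def load_profile(blob: bytes) -> dict:
    """Extract the XML plist payload from a .mobileprovision blob."""
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>", start)
    if start < 0 or end < 0:
        raise ValueError("no plist payload found")
    return plistlib.loads(blob[start:end + len(b"</plist>")])

def fingerprint(der: bytes) -> str:
    """SHA-1 fingerprint of a DER-encoded certificate."""
    return hashlib.sha1(der).hexdigest().upper()

def revocation_impact(blobs, cert_sha1, today):
    """Names of unexpired profiles that still embed the certificate."""
    hit = []
    for blob in blobs:
        p = load_profile(blob)
        certs = {fingerprint(c) for c in p.get("DeveloperCertificates", [])}
        if cert_sha1 in certs and p["ExpirationDate"] > today:
            hit.append(p["Name"])
    return sorted(hit)

# Constructed sample data: placeholder bytes stand in for real DER certs.
OLD_CERT = b"constructed-der-expiring-cert"
NEW_CERT = b"constructed-der-replacement-cert"

def make_profile(name, certs, expires):
    body = plistlib.dumps({"Name": name, "DeveloperCertificates": certs,
                           "ExpirationDate": expires})
    # Fake envelope bytes before and after the plist payload.
    return b"\x30\x82\x0b\x0f" + body + b"constructed-signature"

PROFILES = [
    make_profile("Sales App In-House", [OLD_CERT], datetime(2014, 3, 1)),
    make_profile("Inventory In-House", [NEW_CERT], datetime(2014, 6, 1)),
    make_profile("Legacy Kiosk", [OLD_CERT], datetime(2013, 5, 1)),
]

if __name__ == "__main__":
    today = datetime(2013, 6, 22)
    print(revocation_impact(PROFILES, fingerprint(OLD_CERT), today))
```

An empty result for the old certificate's fingerprint means no live profile still depends on it.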
0

I’ve a question. I just opened my business, trying to get certified container homes in the USA (Florida). Do I need an engineer or just an architect?

Holocaust answered 1/10, 2021 at 15:47 Comment(0)
