Mystified by certificate renewal process

I got an email from Apple, "Your Developer ID Installer Certificate will no longer be valid in 30 days". So I went to my certificates page on developer.apple.com, and I see the attached photo.

Basically, yes, I have a Developer ID Installer Certificate that expires 2023/07/01; but I also have one that expires 2025/12/08, and one that expires 2026/01/09, and one that expires 2026/12/15, and another that expires 2026/12/16! Why do I have all these certificates? I have no idea. There is a "+" button to add a new one; but given that I already seem to have ones that won't expire for several more years, do I need to? There does not seem to be a "-" button, or any way to clear out this cruft.

I then recalled that perhaps I have managed my certificates in Xcode in the past, not on this page (or maybe I have done both, at different times?). So I went to Xcode, and things seem to be rather a mess there too, but in a different way (second image attached).

Here, I seem to have lots of stale certificates that are in gray and say "Not in Keychain" – how do I clear those out? Again there does not seem to be a "-" button. And the newer ones that I saw on developer.apple.com do not seem to be listed here, maybe – it's hard to compare, though, because on developer.apple.com it shows the expiration date but not creation date, whereas in Xcode it shows creation date but not expiration date.

What should I do? Note that I am not a member of multiple different teams, or anything like that; I'm a solo developer. This stuff is really confusing and does not seem to be well-documented anywhere that I have found. Am I just being dense?

Accepted Reply

So, is there a problem, or not?

Not to my mind.

One thing to note here is, historically, the expiry of a Developer ID Installer certificate would cause problems for folks using your installer package. That’s no longer the case [1], but it might explain these enthusiastic warnings.

Should I just let four of them expire, until I'm just left with one?

That’s what I’d do.

Remember that the Developer website limits the number of (non-expired) Developer ID certificates you create, so it’s best to limit yourself to just one and keep the other ‘slots’ in reserve in case something weird happens.

How do I get Xcode to bring itself up to the present?

I don’t have a great answer for that. My advice is that you divide your certificates into two groups:

  • Those that are precious

  • Those that are not

For the precious ones, most notably Developer ID, manage things by hand and keep backups, as discussed in The Care and Feeding of Developer ID.

For the non-precious ones — including Apple Development and Apple Distribution — just sit back, relax, and let Xcode do its thing. If it does something silly, you can always fix that [2].

Should I try to clean it out?

That’s largely a matter of personal preference. Historically I used to be very obsessive about this. Now I reserve such obsessiveness for the precious stuff.

If so, how?

I’m not aware of any documented process for this. If I were doing this I’d approach it as follows:

  1. Understand the difference between a digital identity and a certificate. I go into this in some detail in TN3161 Inside Code Signing: Certificates.

  2. And that multiple digital identities can ‘share’ a private key.

  3. In Keychain Access, identify all the digital identities you want to clean up.

  4. Export each one to its own .p12 file. This makes it possible to undo the next step.

  5. When you’re done, delete those digital identities (both the certificates and the private keys).

  6. Repeat steps 3 through 5 for certificates, except this time you’re exporting a .cer file.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] Despite what it says on Developer > Support > Certificates. I’m working to get that fixed (r. 90418064).

[2] Assuming you have access to the Certificates, Identifiers, and Profiles section of the Developer website.

Folks using a Personal Team need to be a bit more careful due to the limits imposed there. I’m happy to report that we now publish info about the Personal Team limits. See Developer > Support > Choosing a Membership. Finally!
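As an added example (not part of Quinn's reply or any Apple tooling), here is a shell script that does the inventory half of steps 3 and 6 from the command line, using the real `security find-identity`, `security find-certificate` and `openssl x509` commands rather than Keychain Access. The parser works on the text that `security find-identity -p codesigning` prints (run without `-v` so that expired identities are included and annotated); the sample output embedded below is constructed for illustration, with placeholder SHA-1 hashes and team IDs, and the function names `summarize_identities`, `count_of` and `list_live_certificate_dates` are this example's own. The live function also prints each certificate's public-key fingerprint, which is the practical check behind step 2: two identities that share a private key show the same fingerprint, so deleting that key in step 5 affects both.

```shell
#!/bin/sh
# Added example: inventory code-signing identities before cleaning them up.

# Constructed sample of `security find-identity -p codesigning` output
# (without -v, so expired identities appear with their status). Hashes and
# team IDs are placeholders, not real values.
SAMPLE_FIND_IDENTITY='Policy: Code Signing
  Matching identities
  1) 0000000000000000000000000000000000000001 "Developer ID Application: Example Dev (TEAMID0000)"
  2) 0000000000000000000000000000000000000002 "Developer ID Application: Example Dev (TEAMID0000)" (CSSMERR_TP_CERT_EXPIRED)
  3) 0000000000000000000000000000000000000003 "Developer ID Installer: Example Dev (TEAMID0000)"
  4) 0000000000000000000000000000000000000004 "Apple Development: dev@example.com (ABCDE12345)"
     4 identities found'

# summarize_identities: reads find-identity output on stdin and prints one
# tab-separated line per certificate type: "<type> <valid> <expired>".
# Header lines and the trailing count line are ignored.
summarize_identities() {
    awk '
        /^ *[0-9]+\) [0-9A-F]+ "/ {
            line = $0
            sub(/^[^"]*"/, "", line)      # drop everything up to the opening quote
            type = line
            sub(/:.*$/, "", type)         # keep e.g. "Developer ID Application"
            if (line ~ /CSSMERR_TP_CERT_EXPIRED/)
                expired[type]++
            else
                valid[type]++
            seen[type] = 1
        }
        END {
            for (t in seen) printf "%s\t%d\t%d\n", t, valid[t] + 0, expired[t] + 0
        }
    ' | sort
}

# count_of TYPE FIELD: look up one number from the summary of the sample;
# FIELD is "valid" or "expired".
count_of() {
    printf '%s\n' "$SAMPLE_FIND_IDENTITY" | summarize_identities |
        awk -F '\t' -v t="$1" -v f="$2" '$1 == t { print (f == "valid") ? $2 : $3 }'
}

# list_live_certificate_dates NAME: on a Mac, print subject, notBefore,
# notAfter and the public-key fingerprint of every keychain certificate whose
# name matches NAME (e.g. "Developer ID Application"). This gives both the
# creation date Xcode shows and the expiry date the portal shows, side by
# side. Identities sharing one private key print the same fingerprint.
list_live_certificate_dates() {
    command -v security >/dev/null 2>&1 || {
        echo "security(1) not found; this function only runs on macOS" >&2
        return 1
    }
    tmp=$(mktemp -d) || return 1
    # -a: all matches, -c: match on name, -p: PEM output; split into one file per cert.
    security find-certificate -a -c "$1" -p |
        awk -v dir="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++ } { print > (dir "/" n ".pem") }'
    for pem in "$tmp"/*.pem; do
        [ -f "$pem" ] || continue
        openssl x509 -noout -subject -startdate -enddate -in "$pem"
        printf 'pubkey sha256: '
        openssl x509 -noout -pubkey -in "$pem" | openssl pkey -pubin -outform DER | openssl dgst -sha256
        echo
    done
    rm -rf "$tmp"
}

# Stand-alone run: summarise the constructed sample; pass --live NAME on a Mac
# to inspect the real keychain instead.
printf '%s\n' "$SAMPLE_FIND_IDENTITY" | summarize_identities
if [ "${1:-}" = "--live" ]; then
    list_live_certificate_dates "${2:-Developer ID}"
fi
```

On a Mac, `sh inventory.sh --live "Developer ID Application"` lists the real certificates; the summary of the sample shows one valid and one expired Developer ID Application identity, which is the situation the thread describes. Anything reported as expired, or whose fingerprint is shared with an identity you intend to keep, is worth exporting to a .p12 (step 4) before touching it.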

Replies

Oh wow, this took longer than I would’ve liked. Unfortunately, a little something called WWDC got in the way (-;

You have to manage Developer ID signing identities carefully. I’ve collected together my thoughts on this topic into a new post: The Care and Feeding of Developer ID. Read this through and post back here if you still have questions.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Hi Quinn! It's that time again; I got the email I dread from Apple, "Your Developer ID Application Certificate will no longer be valid in 30 days". And as usual, I can't figure out what to do. Your new post, linked in your last comment, is great, but I remain mystified by the practical aspect of how to get things to work. If I look at my account on developer.apple.com, at the "Certificates" page, there are five "Developer ID Application" entries. I think I only need one; I'm a solo developer with no complexity to my situation whatsoever. I see no way, on that page, to delete the unneeded ones, though. So that's one question.

Another question is: the expiration dates for these are all in 2025 or 2026, except for one, which expires 2024/03/21. I guess Apple is warning me that that one Developer ID Application Certificate is going to expire; but the other four are not going to expire any time soon. So, is there a problem, or not? Should I just let four of them expire, until I'm just left with one? Or will that cause problems for me?

And then the third question is about Xcode. If I open Settings and click Manage Certificates, Xcode shows five Developer ID Application certificates – but none of them are the ones shown at developer.apple.com, and they are all expired. Four of them are dimmed, and say "Not in Keychain". One of them is not dimmed, and has an expiration date of 12/14/21 – the distant past. When I right-click on them, the context menu has a menu item, "Delete Certificate", but that option is dimmed for all five of these expired certificates. How do I get Xcode to bring itself up to the present? I tried downloading a Developer ID Application Certificate from developer.apple.com and dragging into that panel in Xcode, but the drag just bounces back.

And my fourth question is about what I see in Keychain for these certificates, which seems to be a morass of expired/invalid cruft. Should I try to clean it out? If so, how? Or is it OK that it is just gradually filling up with more and more stuff that seems to be broken? Is there a documented procedure for basically starting over from scratch, clearing out all the cruft, and getting a clean working configuration?

These are the sorts of questions that I always have, and I can never find answers to them in any of the info Apple has posted online, including your posts. All the info online seems to be at a pretty conceptual level, and I more or less get the concepts – for a solo developer like me, it's not really that complex conceptually – but getting it to actually work is a whole 'nother matter. I live in fear of these expiration emails from Apple, and I'm terrified that I'll somehow ***** up and won't be able to release software any more. You're the only person at Apple who seems to be willing to communicate about this stuff at all; I've tried the official developer support channels and their responses always basically RTFM, but TFM doesn't answer the questions I have. Help!

I don't have a solution, but I wanted to mention another complication: Another place you can see certificates is in the Keychain Access utility. I deleted an expired certificate there, but it still shows up in Xcode, with a status of "Missing private key". And the "Delete Certificate" contextual menu item is still dimmed.

Hi Quinn! Thanks very much for the reply. It is reassuring to know that I can let the older certificates expire, as long as I have a newer one. That has been the source of considerable confusion – I wasn't sure whether that would cause my existing (released) apps to stop working, so I kept making new certificates, and I guess ended up with way too many. :-O

I'll try cleaning out my Keychain Access stuff some time when I'm feeling particularly brave. :-O

The remaining question I have is: is there any way to ever get Xcode's "Delete Certificate" menu item to be enabled so I can clear cruft out from there? I have literally never seen that menu item undimmed, and I have looked/tried many times. Should I file a new issue on this, do you think? Is this documented somewhere? (I've tried looking for it, to no avail.)

is there any way to ever get Xcode's "Delete Certificate" menu item to be enabled

I don’t use that UI very much — I stick to Keychain Access and the Developer website — but I had a poke at it just now and, like you, I always see Delete Certificates disabled.

Oh, wait, it turns out we recently updated the docs for this and that seems to cover it pretty well:

You can only delete certificates that you or a team member have revoked in the developer portal.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"