iOS Certificates Explained in Detail

Source: Internet
Author: User


When it comes to development certificate configuration (Certificates & Identifiers & Profiles), I believe everyone who does iOS development has struggled with it more than once. Whether you are an iOS beginner, a dabbler (like myself) or a veteran, you have probably had some of the following questions, doubts or outright confusion:

What is an App ID? What is the difference between an Explicit and a Wildcard App ID? What is an App Group ID?

What is a certificate (Certificate)? How do you request one? What is it for?

What is a key pair (public/private)? What is it for? How is it associated with a certificate?

What is a signature (Signature)? How do you sign (CodeSign)? How do you verify (Verify)?

What are (Team) Provisioning Profiles? What are they for?

How do you configure Xcode to develop and debug on a real iOS device?

How do multiple machines share a developer account or certificate?

What should you do when you run into a certificate configuration problem?

This article works through the related concepts systematically.

Before we start

1. It is assumed that you have used an Apple device (iMac/iPad/iPhone) and have registered an Apple ID (Apple account).

2. It is assumed that you or your development team are already enrolled in the Apple Developer Program (Enroll in the iOS Developer Program to become a member), that is, you have a registered developer account (Apple Developer Account).

Only with a developer account can you request development/distribution certificates and the related provisioning files, so that you can develop and debug apps on a real iOS device or publish them to the App Store.

Developer accounts come in two types: individual, and company/organization. Unless otherwise stated, the rest of this article is based on the ordinary $99/year individual developer (Individual) account.

3. To practice debugging on a real device, you need at least one machine running Mac OS X and Xcode (iMac or MacBook), with its local Keychain Access.

First. App ID (bundle identifier)

The app ID is the product ID used to identify one or a group of apps.

The App ID must either be identical to (Explicit) or match (Wildcard) the bundle identifier in Xcode.

The App ID string is typically prefixed with the Company Identifier (prefix/seed) in reverse-domain-name format, and generally does not exceed 255 ASCII characters.

The full App ID is prefixed with the Application Identifier Prefix (typically TeamID.) and falls into two categories:

Explicit App ID: a unique App ID that identifies exactly one application. For example, the App ID "", which identifies the app whose bundle identifier is "".

Wildcard App ID: an App ID containing a wildcard, which identifies a group of applications. For example, "*" (actually the Application Identifier Prefix) represents all applications, while "*" can represent all applications whose bundle identifier starts with "" (Apple).

Users can register or delete registered App IDs on the developer Member Center website.

The App ID is configured under "Xcode Target | Info | Bundle Identifier"; for a wildcard App ID, it is enough for the bundle identifier to contain it as prefix/seed.

Second. Device

A device is an Apple device running iOS that is used to develop and debug apps. Each Apple device is uniquely identified by its UDID.

After your iOS device is connected to your Mac, you can get the iPhone's UDID (Identifier) via iTunes -> Summary or Xcode -> Window -> Devices.

The Devices section of your personal account on the Apple Member Center website lists all the devices registered for development and testing; an ordinary individual developer account can accumulate up to a maximum of one device per year.

Apps signed by you or your team run only on designated development devices.

Apps run only on the test devices you specify.

Users can register devices or enable/disable registered devices on the website.

In this article, Devices refers to iOS devices (iPhone/iPad) that are connected to Xcode and authorized for development and testing.

Third. Development certificates (Certificates)

1. The concept of certificates

A certificate is a document issued by a notary office or a certifying authority that attests to (or helps establish) some matter. The end of a document or voucher usually bears a stamped seal.

A Chinese person may need more than 70 documents in a lifetime, including 15 kinds of identity documents. Some 30 to 40 of them are "required". Laid out in chronological order, these documents trace the life of a citizen of the Heavenly Kingdom: a birth permit to be born, a household registration certificate to be naturalized, an identity card to be identified, a marriage certificate to cohabit legally, and finally a death certificate to be written off.

2. The concept of digital certificates

A digital certificate is a string of digits that identifies the communicating parties in Internet communication and provides a way to verify a communicating entity's identity on the Internet. It acts like a driver's license or an identity card in everyday life. It is issued by an authority, the CA, also known as the Certificate Authority, and can be used on the Internet to identify the other party.

A digital certificate is a file, digitally signed by the Certificate Authority, that contains the public key owner's information and the public key. The simplest certificate contains a public key, a name, and the Certificate Authority's digital signature.

Another important feature of digital certificates is timeliness: they are valid only for a specific period of time.

The public key in the digital certificate is the equivalent of the official seal.

The root certificate in an authentication domain is the certificate issued by the CA, and it is the starting point of the trust chain. Installing the root certificate means trusting the CA.

To guard against a man-in-the-middle (MitM) attack by the GFW, such as tampering with GitHub's certificate so that GitHub sites cannot be accessed, you can choose not to trust CNNIC:

In Keychain Access | System, double-click CNNIC ROOT and, under Trust | When using this certificate, select Never Trust from the drop-down.

In Chinese life, the household registration certificate can be understood as the equivalent of the root certificate: with the household registration certificate you can apply for an identity card, and with the identity card you can apply for the downstream residence permit, marriage certificate, family planning certificate, driving license and other documents.

3. iOS (development) certificates

iOS certificates are digital certificates used to certify the legitimacy and integrity of iOS app content (executable code). For an application (app) that is to be installed on a real device or published to the App Store, only successful signature verification (Signature Validated) ensures that the source is trustworthy and that the app content is intact and unaltered.

iOS certificates fall into two categories: Development and Production (Distribution).

Development certificates are used to develop and debug applications: A development certificate identifies you, as a team member, in a development provisioning profile that allows apps signed by you to launch on devices.

Production certificates are used mainly to distribute applications (the exact use depends on the certificate type): A distribution certificate identifies your team or organization in a distribution provisioning profile and allows you to submit your app to the store. Only a team agent or an admin can create a distribution certificate.

An ordinary individual developer account can register up to 2 iOS development/distribution certificates, and users can revoke (Revoke) registered certificates on the website.

From here on, "certificate" refers to the development certificate (Certificate for Development), which is used mainly while developing and debugging iOS apps.

4. The root certificate of the iOS (development) certificate

So, who issues the iOS development certificate? In other words, from which CA do we request the certificate used to develop and debug apps in Xcode?

iOS and Mac OS X (when Xcode is installed) automatically install the intermediate certificate AppleWWDRCA.cer (Intermediate Certificates). It is actually the certificate behind the iOS (development) certificate, that is, its root certificate (Apple Root Certificate).

AppleWWDRCA (Apple Root CA) is similar to the household registration administration of the public security authorities: AppleWWDRCA.cer is to the iOS (development) certificate what the household registration booklet is to the identity card.

If this certificate is not yet installed when you request a certificate with the Keychain Access Certificate Assistant on your Mac, download and install it first (Signing requires that you have both the signing identity and the intermediate certificate installed in your keychain).

5. Requesting a certificate (CSR: Certificate Signing Request)

When a certificate is missing, you can let Xcode request one automatically through Fix Issue, or you can request a certificate from the certificate authority through the Keychain Certificate Assistant: fill in the developer account email and the common name, and tick "save to disk".

Keychain generates a CSR (Certificate Signing Request) file that contains the developer's identity information, and a public/private key pair is added under Keychain Access | Keys (this signing identity consists of a public-private key pair that Apple issues).

The private key always stays in Keychain Access on the Mac and is used to sign (CodeSign) apps that are released; the public key usually travels with the certificate (in the provisioning profile, which is distributed with the app) and is used to verify the app's signature. The user must protect the private key in the local keychain to guard against security risks.

Keep a secure backup of your public-private key pair. If the private key is lost, you'll have to create an entirely new identity to sign code.

Worse, if someone else has your private key, that person may be able to impersonate you.

Upload the CSR file on the Apple developer website to add a certificate (Upload CSR file to generate your certificate):

Apple's certificate authority WWDRCA (Apple Worldwide Developer Relations Certification Authority) uses its private key to cryptographically sign the public key and some identity information in the CSR, generating a digital certificate (ios_development.cer), which is recorded in the Apple Member Center.

Download the certificate from the Apple Member Center website to the Mac and double-click it to install (of course, you can also add the developer account in Xcode to sync certificates and [generate] profiles automatically). After the certificate is installed, in Keychain Access | Keys expand the arrow in front of the private key of the key pair generated when the CSR was created to see the certificate containing its corresponding public key (Your requested certificate will be the public half of the key pair.); in Keychain Access | Certificates, expand the arrow in front of the installed certificate (ios_development.cer) to see its corresponding private key.

The certificate is configured under "Xcode Target | Build Settings | Code Signing | Code Signing Identity"; select it from the drop-down under Identities from Profile "..." (typically configure the provisioning profile first). The following is an example of the Xcode configuration:

Fourth. Provisioning Profiles

1. The concept of a provisioning profile

A provisioning profile contains all of the above: certificates, App IDs, and devices.

A provisioning profile corresponds to one explicit App ID or one wildcard App ID (a set of App IDs with the same prefix/seed). When you create a provisioning profile manually on the website, you specify, in turn, the App ID (single), the certificates (Certificates, multi-select) and the devices (Devices, multi-select). Users can delete registered provisioning profiles on the website.

The provisioning profile determines which certificate (public key)/private key combination (Key Pair/Signing Identity) Xcode uses to sign the application (Signing Product), and it is embedded in the .ipa package when the application is packaged. When the application is installed, the provisioning profile is copied to the iOS device, and the device running the iOS app uses it to authenticate the installed program.

If you want to package an app or run it on a real device, you typically go through the following three steps:

First, you need to indicate its App ID and verify that the bundle ID is consistent with it;

Second, sign it with the private key corresponding to the certificate, to show that the app is legitimate, secure and intact;

Then, if you are debugging on a real device, you need to confirm that the device is authorized to run the app.

The provisioning profile packs all this information together for use when debugging and distributing the program. This way, you can choose a different provisioning profile in different circumstances.

Provisioning profiles are likewise divided into Development and Distribution, with the same validity period as the certificate. The Distribution version of a provisioning profile is used mainly for submitting to App Store review; it does not specify development/test devices (0, unlimited). Its App ID is the wildcard App ID (*). After the app passes App Store review and goes on the shelves, all iOS devices (Deployment Target) are allowed to run the app.

Xcode places all provisioning profiles (both those downloaded and installed manually by the user and the Team Provisioning Profiles created automatically by Xcode) in the directory ~/Library/MobileDevice/Provisioning Profiles.

2. Composition of a provisioning profile

The following is a brief analysis of the composition of a typical provisioning profile *.mobileprovision:

(1) Name: the file name of the mobileprovision.

(2) UUID: the true file name of the mobileprovision file.

(3) TeamName: the Apple ID account name.

(4) TeamIdentifier: the team identity.

(5) AppIDName: the explicit/wildcard App ID name (ApplicationIdentifierPrefix).

(6) ApplicationIdentifierPrefix: the full App ID prefix (TeamIdentifier.*).

(7) DeveloperCertificates: contains all the certificates that can be used to sign applications that use this profile.

Certificates are Base64-encoded and conform to the PEM (Privacy Enhanced Mail, RFC 1848) format, and can be processed with OpenSSL (openssl x509 -text -in file.pem).

Extract the contents of DeveloperCertificates into the file cert.cer (cert.pem):


Copy the content between the


On the Mac, right-click cert.cer (cert.pem) and view it with Quick Look; in Keychain Access, right-click the corresponding certificate ios_development.cer and choose Get Info. Normally (when the public/private key pair is correctly paired) the two should match; under Windows there is not enough information (WWDRCA.cer) to validate the certificate.

If you sign with a certificate that is not in this list, codesign will fail regardless of whether the certificate is valid.

(8) The Entitlements key contains:

keychain-access-groups: $(AppIdentifierPrefix); see Code Signing Entitlements (*.entitlements).

Each application has a keychain that can be used to store information such as passwords and credentials securely, and in general a program can only access its own keychain. By adjusting some settings of the application signature, you can also use the keychain to share information between different applications signed by the same developer (that is, with the same bundle seed). For example, if you have a developer account and have developed two different apps, A and B, you can share the content of a keychain between them by specifying a common access group in the Keychain Access Group of A and B.

application-identifier: Full name with a prefix, such as $ (appidentifierprefix) APP group ID (group., see Code Signing entitlements(*.entitlements). with team identifier.

(9) ProvisionedDevices: the UDIDs of the development devices authorized by this mobileprovision.

The provisioning profile is configured under "Xcode Target | Build Settings | Code Signing | Provisioning Profile"; then, in the Code Signing Identity drop-down, select from Identities from Profile "..." (that is, the certificates included in the provisioning profile).
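The three steps from the first part of this section (App ID match, signing certificate, authorized device) can be checked directly against the fields listed above. The following is an added example, not code from the original article or from Apple: the function names are hypothetical, and the team prefix, bundle identifiers, UDID and certificate bytes are constructed sample values.

```python
import base64
import hashlib
import plistlib
import textwrap


def extract_plist(blob: bytes) -> dict:
    """Return the plist payload embedded in a .mobileprovision blob.

    The file is a signed container with an XML plist inside. This only reads
    the payload; it does not verify the signature on the container.
    """
    start, end = blob.find(b"<?xml"), blob.find(b"</plist>")
    if start < 0 or end < start:
        raise ValueError("no embedded plist found")
    return plistlib.loads(blob[start:end + len(b"</plist>")])


def app_id_matches(app_id: str, prefix: str, bundle_id: str) -> bool:
    """Explicit App ID: exact match. Wildcard App ID: prefix/seed match."""
    full = f"{prefix}.{bundle_id}"
    if app_id.endswith("*"):
        return full.startswith(app_id[:-1])
    return full == app_id


def cert_fingerprints(profile: dict) -> set:
    """SHA-1 fingerprints of every entry in DeveloperCertificates."""
    return {hashlib.sha1(der).hexdigest().upper()
            for der in profile.get("DeveloperCertificates", [])}


def der_to_pem(der: bytes) -> str:
    """Wrap one DeveloperCertificates entry as PEM for `openssl x509 -text`."""
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def check_profile(profile, bundle_id, identity_sha1, device_udid=None):
    """Return a list of problems; an empty list means all three checks pass."""
    problems = []
    app_id = profile.get("Entitlements", {}).get("application-identifier", "")
    prefixes = profile.get("ApplicationIdentifierPrefix", [])
    if not any(app_id_matches(app_id, p, bundle_id) for p in prefixes):
        problems.append("bundle identifier does not match the profile's App ID")
    if identity_sha1.upper() not in cert_fingerprints(profile):
        problems.append("signing certificate is not in DeveloperCertificates")
    # Key absent: the profile names no devices (the Distribution case above).
    devices = profile.get("ProvisionedDevices")
    if devices is not None and device_udid is not None and device_udid not in devices:
        problems.append("device UDID is not in ProvisionedDevices")
    return problems


# --- constructed sample data (not a real profile, team, certificate or device) ---
FAKE_CERT = b"constructed stand-in bytes for a DER-encoded developer certificate"
SAMPLE_IDENTITY_SHA1 = hashlib.sha1(FAKE_CERT).hexdigest()
SAMPLE_UDID = "0123456789abcdef0123456789abcdef01234567"
SAMPLE_BLOB = b"0\x82[constructed container header]" + plistlib.dumps({
    "Name": "Example Development Profile",
    "UUID": "00000000-0000-0000-0000-000000000000",
    "TeamName": "Example Developer",
    "TeamIdentifier": ["ABCDE12345"],
    "ApplicationIdentifierPrefix": ["ABCDE12345"],
    "DeveloperCertificates": [FAKE_CERT],
    "Entitlements": {
        "application-identifier": "ABCDE12345.com.example.*",
        "keychain-access-groups": ["ABCDE12345.*"],
    },
    "ProvisionedDevices": [SAMPLE_UDID],
}) + b"[constructed signature bytes]"

if __name__ == "__main__":
    profile = extract_plist(SAMPLE_BLOB)
    for bundle in ("com.example.demo", "org.other.app"):
        result = check_profile(profile, bundle, SAMPLE_IDENTITY_SHA1, SAMPLE_UDID)
        print(bundle, "->", result or "OK")
```

An empty result means the bundle identifier, signing identity and device are all covered by the profile; each string in the list names the field that caused the mismatch.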

Fifth. Team Provisioning Profiles

1. The concept of a Team Provisioning Profile

Each Apple developer account corresponds to a unique Team ID, and the Team Provisioning Profile is a new feature included in the Xcode 3.2.3 release.

When you add an Apple developer account in Xcode, Xcode automatically generates an iOS Team Provisioning Profile in coordination with the Apple Member Center backend (Managed by Xcode).

The Team Provisioning Profile includes an iOS Team Provisioning Profile: * (matching all apps) generated for the Xcode iOS Wildcard App ID (*); all development certificates and devices in the account can use it to debug any application on any device registered with the team (regardless of what the bundle identifier is). Xcode also creates a corresponding iOS Team Provisioning Profile for the wildcard/explicit App IDs created by the developer.

2. When a Team Provisioning Profile is generated/updated

Add an Apple ID account to Xcode

Fix issue "No Provisioning Profiles with a valid signing identity" in Xcode

Assign your app to a team under General | Identity in the Xcode project settings

Register a new device on the Apple developer website, or Xcode detects that a new device has been connected

Using the iOS Team Provisioning Profile generated and managed by Xcode makes development easier: you don't need to generate and download a provisioning profile manually on the website.

A Team Provisioning Profile is still a provisioning profile, only generated automatically by Xcode, and it is likewise configured under "Xcode Target | Build Settings | Code Signing | Provisioning Profile".

Sixth. App Group (ID)

1. The concept of an App Group

At WWDC14, besides the release of OS X v10.10 and Swift, iOS 8.0 also began to open up. When it comes to openness, the main item is of course app extensions (App Extension). As the name implies, app extensions let developers extend an app's custom features and content and let that functionality be used from other applications, enabling functionality and resource sharing across applications. An extension can be understood as a lightweight (nimble and lightweight) clone.

An extension and its containing app each have their own sandbox. Although the extension is embedded in the containing app as a plug-in, they are separate binary packages and cannot access each other's sandbox. To let the containing app share data with its extensions, Apple introduced a new concept in iOS 8, the App Group, which is used mainly for data sharing between apps in the same group; specifically, the App Group ID identifies the shared resource area, the App Group Container.

The App Group ID, like the App ID, typically does not exceed 255 ASCII characters. Users can edit the App Group assignment of explicit App IDs on the website and delete registered App Groups (IDs).

2. Configuration of an App Group

The explicit App IDs of the containing app and the extension must be assigned to the same App Group for data sharing, and the App IDs of the containing app and the extension must be named according to the following rules:

App IDs placed in the same App Group must be unique (Explicit, not Wildcard)

The extension's App ID uses the containing app's App ID as its prefix/seed

If the App ID of the GarageBand app is "", the App ID of a plug-in that supports importing from a voice memo into the GarageBand app might be " extimportrecording".

APP (ex) | App Group ID | Provisioning Profile: Code Signing Identity (Certificate Key Pair), App ID (bundle identifier), Devices

Put in the same group: (1) Share the same certificate: ios_development.cer (2) Shared certificate key pair in the private key for

Authorization to develop test equipment UDIDs

GarageBand Expansion Plug-in extimportrecording

As for the provisioning profile, you can use one you created manually, or you can use the Team Provisioning Profile generated automatically by Xcode.

The App Group is configured under a key in the "Xcode Target | Build Settings | Code Signing | Code Signing Entitlements" file (*.entitlements), and does not affect the provisioning profile generation process.

Seventh. Certificates and signatures (Certificate & Signature)

1. Code Signing Identity

The Code Signing Identity (entitlements, certificate) configured in Xcode must match the provisioning profile, and the configured certificate must have a corresponding public/private key pair in the local Keychain Access; otherwise the build fails with an error.

The Mac (system) on which Xcode runs uses the CA certificate (WWDRCA.cer) to judge the legitimacy of the certificate in the Code Signing Identity:

If the WWDRCA public key can successfully decrypt the certificate and obtain the public key and the content digest (Signature), this proves that the certificate was issued by AppleWWDRCA, that is, the certificate's source is trustworthy;

A hash algorithm is then used to compute a digest of the certificate itself; if it is consistent with the digest obtained in the previous step, the certificate has not been tampered with, that is, the certificate is intact.

2. Code Signing

Each certificate (in fact a public key) corresponds to the private key of a key pair, and that private key is used to sign (CodeSign) the content (executable code; resources such as images and nib files aren't signed): a content digest (Digest) is generated using a hashing algorithm.

Xcode asks for authorization when it signs with the private key paired with the specified certificate; after you select Always Allow, the authorization prompt no longer appears for later signing with that private key.

3. Verify Code Signature with Certificate

As mentioned above, the public key is included in the digital certificate, and the digital certificate is included in the provisioning profile, which is copied to the iOS device when the application is installed.

In the first step, when the app starts on the Mac/iOS device, the configured bundle ID, entitlements and certificate must match the provisioning profile:

In the second step, ios_development.cer on the real iOS/Mac device is decrypted and verified with the public key in AppleWWDRCA.cer; only a development certificate that has been verified as trusted can be used to verify the reliability and integrity of the app.

The iOS/Mac device (system) uses the development certificate in the app's provisioning profile (Code Signing Identity) to judge the legitimacy of the app:

If the certificate's public key can successfully decrypt the content digest (Signature) of the app (executable code), this proves that the app was issued by a certified developer, that is, the source is trustworthy;

A hash algorithm is then used to compute a digest of the executable code itself; if it is consistent with the digest obtained in the previous step, the app (executable code) has not been tampered with, that is, the content is intact.

The consistency of the code signature is verified against the provisioning profile;

The reliability and integrity of the app is verified against the certificate;

At startup, the device ID (UUID) of the real device must be in the ProvisionedDevices authorization list of the provisioning profile.
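The two-level check described in this section (first the CA's public key vouches for the development certificate, then the certificate's public key vouches for the executable) is shown below as an added example that is not part of the original article. It is a simplified model: the keys are toy textbook-RSA keys without padding, the certificate is a plain dictionary rather than X.509, and all names and sample bytes are assumptions.

```python
import hashlib


def make_key(p: int, q: int, e: int = 65537) -> dict:
    """Toy RSA key from two primes. Far too small and unpadded for real use."""
    n = p * q
    return {"n": n, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}


def public_half(key: dict) -> tuple:
    """The part of a key pair that is placed in a certificate."""
    return (key["n"], key["e"])


def digest(data: bytes, n: int) -> int:
    """Content digest, reduced so that it fits the toy modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(data: bytes, key: dict) -> int:
    """Sign the digest of the data with the private half of the key pair."""
    return pow(digest(data, key["n"]), key["d"], key["n"])


def verify(data: bytes, signature: int, pub: tuple) -> bool:
    """Recover the signed digest with the public key and compare it with
    a digest computed locally over the data."""
    n, e = pub
    return pow(signature, e, n) == digest(data, n)


def cert_body(subject: str, pub: tuple) -> bytes:
    """The bytes the CA signs: identity information plus the public key."""
    return f"{subject}|{pub[0]}|{pub[1]}".encode()


def issue_certificate(subject: str, subject_pub: tuple, ca_key: dict) -> dict:
    """What the CA does with a CSR: sign the subject's name and public key."""
    return {"subject": subject, "pub": subject_pub,
            "sig": sign(cert_body(subject, subject_pub), ca_key)}


def verify_app(code: bytes, app_sig: int, cert: dict, ca_pub: tuple) -> str:
    """Step 1: is the certificate from the trusted CA and unmodified?
    Step 2: was the code signed by the key in that certificate, unmodified?"""
    if not verify(cert_body(cert["subject"], cert["pub"]), cert["sig"], ca_pub):
        return "certificate not issued by the trusted CA"
    if not verify(code, app_sig, cert["pub"]):
        return "code changed or signed with a different key"
    return "ok"


# --- constructed sample values (Mersenne primes keep the toy keys short) ---
CA_KEY = make_key(2**107 - 1, 2**127 - 1)      # stands in for the WWDR CA
DEV_KEY = make_key(2**61 - 1, 2**89 - 1)       # developer key pair from the CSR
OTHER_CA_KEY = make_key(2**61 - 1, 2**107 - 1)  # a CA the device does not trust
SUBJECT = "iPhone Developer: Example Dev (constructed)"
CERT = issue_certificate(SUBJECT, public_half(DEV_KEY), CA_KEY)
APP = b"constructed executable bytes"
APP_SIG = sign(APP, DEV_KEY)

if __name__ == "__main__":
    print(verify_app(APP, APP_SIG, CERT, public_half(CA_KEY)))
    print(verify_app(APP + b"!", APP_SIG, CERT, public_half(CA_KEY)))
    untrusted = issue_certificate(SUBJECT, public_half(DEV_KEY), OTHER_CA_KEY)
    print(verify_app(APP, APP_SIG, untrusted, public_half(CA_KEY)))
```

Step 1 also catches a certificate whose public key was swapped after issuance, because the CA's signature covers both the subject name and the key.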

Eighth. Sharing a development account/certificates across multiple machines

1. Xcode: export the developer account (*.developerprofile) or a PKCS12 file (*.p12)

Go to Xcode Preferences | Accounts:

In the Apple IDs list, select the email that corresponds to the account and click the button after + and - | Export Accounts. This exports a *.developerprofile file (Exporting a Developer Profile) containing the account, code signing identity and provisioning profile information, which Xcode on other machines can use for development (import the account).

Select a row in the Account Name list at the bottom right | View Details to view the signing identities and provisioning profiles.

Select the signing identity entry you want to export and click the button after + at the bottom of the column | Export. You must enter a password and authorize exporting the key "privateKey" from the keychain; Certificates.p12 is then exported.

Click the Refresh button in the lower left corner to sync all the provisioning profiles from the Member Center to the local machine.

Right-click one of the provisioning profiles in the list and choose "Show in Finder" to go to the [~/Library/MobileDevice/Provisioning\ Profiles] directory, where the real file name of a provisioning profile is $(UUID).mobileprovision, such as "2488109f-ff65-442e-9774-fd50bd6bc827.mobileprovision", while Name is the descriptive alias you see in Xcode.

2. Keychain Access: export a PKCS12 file (*.p12)

In Keychain Access | Certificates, select the certificate or the private key beneath it, then right-click Export or use the menu File | Export Items to export Certificates.p12. The PKCS12 file holds the private key and the certificate.

On other Macs, double-click Certificates.p12 (password required) to install the shared certificate. Once you have the shared certificate, register the iOS device you want to debug on the developer website and download the provisioning profile that authorizes the corresponding certificate and the iOS debug device; you can then develop and debug on real iOS devices.

Ninth. Common certificate configuration errors

1. No such provisioning profile was found

Under Xcode Target | General | Identity, Team shows the prompt "Your build settings specify a provisioning profile with the UUID "xxx", however, no such provisioning profile was found."

The provisioning profile with the specified UDID that is currently configured under Xcode Target | Build Settings | Code Signing does not exist locally, so the provisioning profile needs to be changed. If necessary, go to the website to download or regenerate the provisioning profile manually, or use Fix Issue directly in Xcode (which may automatically generate an iOS Team Provisioning Profile)!

2. No Identities from Profile

After you select a locally installed provisioning profile under Build Settings | Code Signing | Provisioning Profile, the Code Signing Identity drop-down shows "No identities from profile "..."" or "No identities from keychain".

The DeveloperCertificates in the provisioning profile with the UDID specified in the Xcode configuration do not exist in the local keychain (No identities are available) or are inconsistent (the private key in the key pair is lost). Go to the website and check that the provisioning profile's App ID, certificate and device configuration is correct. If you are using a shared account (*.developerprofile) or shared certificate (*.p12) provided by someone else, make sure the private key of the corresponding key pair was exported. If necessary, use Fix Issue directly in Xcode (which may automatically generate an iOS Team Provisioning Profile).

3. Code Signing Entitlements file do not match profiles

"Invalid application-identifier Entitlement" or "Code Signing Entitlements file do not match those specified in your provisioning profile. (0xe8008016)."

(1) Check whether the "Keychain Access Groups" key value in the *.entitlements file specified for the corresponding configuration (Debug) matches the Entitlements item in the provisioning profile (the latter is generally the prefix/seed).

(2) You can also set the Entitlements of the corresponding configuration (Debug) under the provisioning profile in Build Settings | Code Signing to empty.

4. Xcode sometimes does not react to configuration changes right away; you can refresh, toggle the relevant setting (if there is one) or restart Xcode.

Source: Pinterest
Copyright belongs to the author. Commercial reprint please contact the author for authorization, non-commercial reprint please specify the source.
