Apple certificate procedure
Apple must issue the end-entity certificate so that the Apple ecosystem trusts your signed binary. You must store this certificate in DigiCert® Software Trust Manager along with your keypair, both for safekeeping and to allow Apple signing with DigiCert® Software Trust Manager. DigiCert® Software Trust Manager lets you sync the Apple certificate to macOS for signing with our Apple signing workflows while storing your private key safely.
Store your keypair and certificate in DigiCert® Software Trust Manager only. Delete local copies of the private key outside of DigiCert® Software Trust Manager.
Prerequisites
Create a keypair in Software Trust Manager or import a keypair into Software Trust Manager
Generate a CSR for the keypair stored in Software Trust Manager
Apple developer username and password
Let's begin
Our Apple signing client (Software Trust Manager CryptoTokenKit) signs using a keypair stored in DigiCert® Software Trust Manager. There are two options to store your keypair in DigiCert® Software Trust Manager:
Create new keypair in Software Trust Manager
Navigate to DigiCert® Software Trust Manager > Keypairs, then select Create keypair.
Create a keypair with a certificate. The certificate is needed for CSR generation with keytool. See the instructions to generate a keypair.
You can also generate keypairs and certificates from the command line.
Import existing keypair to Software Trust Manager
Generate the keypair on your local machine.
Navigate to DigiCert® Software Trust Manager > Keypairs, then select Import keypair.
Name your keypair in the Alias field.
Select Upload PEM.
You can also import a keypair to DigiCert® Software Trust Manager using Command Prompt.
Request Apple certificate
You will need a specific certificate type for different signing use cases. Refer to the certificate types table.
Sign in to your Apple developer account.
Select Certificates, IDs and Profiles.
Review Certificate types supported by Apple to identify the certificate you require.
Use the CSR created above to order your certificate from Apple.
Download Apple certificate.
Import Apple certificate
Navigate to DigiCert® Software Trust Manager > Keypairs.
Select the menu icon next to the keypair alias, then select Import certificate.
Select the checkbox to make this Apple certificate the default certificate.
Upload the Apple certificate.
Sync the Apple certificate to your macOS
Select all the keypairs you require for future signing before clicking “Set selected keys to token”. This action resets the token. Existing keys will be overwritten and will no longer be available.
Open DigiCert® Software Trust Manager Apple client.
Use the DigiCert® Software Trust Manager Apple client to sync the certificate to your macOS.
Select Fetch keypairs to retrieve all keypairs with a valid certificate from DigiCert® Software Trust Manager.
Select Add new token to add a virtual token named "DigiCert.TokenExtension:SSM0123456789" to macOS.
Select one or more keypairs from the table.
Select Set selected keys to token to make the keys available to macOS via the token. This allows Apple apps that are DigiCert® Software Trust Manager Apple client-aware to consume the keys.
Use one of the following commands to verify that the keypair has been added to the token:
List command
security list-smartcard
List sample response
DigiCert.TokenExtension:SSM0123456789
Export command
security export-smartcard
Export sample response
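As an added example (not DigiCert's or Apple's code), the Python below checks `security export-smartcard` output for the sync step above: it parses the `==== ... ====` records, confirms each identity is bound to the expected token, and confirms a private key with the matching public-key hash (the identity's `pkhh` equals the key's `klbl`) sits in the `com.apple.token` access group, so signing will not fail for want of a key. The sample output, its labels, hashes and `dev@example.com` are constructed; only the token name is the one the Apple client creates.

```python
import re

# Record boundaries and "key : value" pairs, as printed by `security export-smartcard`.
RECORD_RE = re.compile(r"^\s*(private key|identity|certificate) #(\d+)\s+(.*)$", re.S)
FIELD_RE = re.compile(r'\b([A-Za-z]+) : ("[^"]*"|<[^>]*>|\S+)')

# Constructed sample in the export-smartcard layout (fields trimmed); labels and hashes are made up.
TOKEN = "DigiCert.TokenExtension:SSM0123456789"
SAMPLE = f"""
==== private key #1 kcls : 1 agrp : "com.apple.token" klbl : <a1 b2 c3> sign : 1 labl : "Developer ID Installer: Example Org (TEAMID0000)" tkid : "{TOKEN}" priv : 1 accc : constraints: {{ ock : "NONE" }} protection: {{ tkid : "{TOKEN}" }} ====
==== identity #1 class : "idnt" certtkid : "{TOKEN}" priv : 1 pkhh : <a1 b2 c3> tkid : "{TOKEN}" agrp : "com.apple.token" labl : "Developer ID Installer: Example Org (TEAMID0000)" ====
==== identity #2 class : "idnt" certtkid : "{TOKEN}" priv : 1 pkhh : <d4 e5 f6> tkid : "{TOKEN}" agrp : "com.apple.token" labl : "Apple Development: dev@example.com (TEAMID0000)" ====
==== certificate #1 class : "cert" pkhh : <a1 b2 c3> labl : "Developer ID Installer: Example Org (TEAMID0000)" tkid : "{TOKEN}" ====
"""

def parse_export(text):
    """Split the output into {kind, fields} records; the first value of a repeated key wins."""
    records = []
    for chunk in text.split("===="):
        m = RECORD_RE.match(chunk)
        if not m:
            continue
        fields = {}
        for key, val in FIELD_RE.findall(m.group(3)):
            fields.setdefault(key, val.strip('"'))
        records.append({"kind": m.group(1), "fields": fields})
    return records

def check_token(text, expected_tkid):
    """Return the identities whose private key is on the expected token, plus findings."""
    records = parse_export(text)
    # klbl (public-key hash) of every private key held in the token access group of the expected token.
    token_keys = {r["fields"].get("klbl") for r in records if r["kind"] == "private key"
                  and r["fields"].get("tkid") == expected_tkid
                  and r["fields"].get("agrp") == "com.apple.token"}
    ok, issues = [], []
    for r in records:
        if r["kind"] != "identity":
            continue
        f = r["fields"]
        label = f.get("labl", "<unlabelled>")
        if f.get("tkid") != expected_tkid:
            issues.append(f"{label}: identity not bound to {expected_tkid}")
        elif f.get("pkhh") not in token_keys:  # the identity's public-key hash must match a token key
            issues.append(f"{label}: no matching private key on the token; signing would fail")
        else:
            ok.append(label)
    return {"ok_identities": ok, "issues": issues}
```

On the Mac, passing the real output of `security export-smartcard` to `check_token` in place of `SAMPLE` verifies that every synced identity has its private key on the token rather than only its certificate.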