Apple certificate procedure

Apple must issue the end-entity certificate so that the Apple ecosystem trusts your signed binary. Store this certificate in DigiCert® Software Trust Manager together with your keypair, both for safekeeping and so that Apple signing can be performed through DigiCert® Software Trust Manager. DigiCert® Software Trust Manager syncs the Apple certificate to your macOS for use with our Apple signing workflows while keeping your private key safely stored.

Store your keypair and certificate in DigiCert® Software Trust Manager only. Delete any local copies of the private key that exist outside of DigiCert® Software Trust Manager.

Prerequisites

Let's begin

Our Apple signing client (Software Trust Manager CryptoTokenKit) signs using a keypair stored in DigiCert® Software Trust Manager. There are two options for storing your keypair in DigiCert® Software Trust Manager:

Create new keypair in Software Trust Manager

  1. Navigate to DigiCert® Software Trust Manager > Keypairs, then select Create keypair.

  2. Create a keypair with a certificate. The certificate is needed for CSR generation with keytool. See Instructions to generate a keypair.

You can also Generate keypairs and certificates from the command line.

Import existing keypair to Software Trust Manager

  1. Generate the keypair on your local machine.

  2. Navigate to DigiCert® Software Trust Manager > Keypairs, then select Import keypair.

  3. Name your keypair in the Alias field.

  4. Select Upload PEM.

You can also import a keypair to DigiCert​​®​​ Software Trust Manager using Command Prompt.

Request Apple certificate

Different signing use cases require different certificate types. Refer to the certificate types table.

  1. Sign in to your Apple developer account.

  2. Select Certificates, IDs and Profiles.

  3. Review Certificate types supported by Apple to identify the certificate you require.

  4. Use the CSR created above to order your certificate from Apple.

  5. Download the Apple certificate.

Import Apple certificate

  1. Navigate to DigiCert® Software Trust Manager > Keypairs.

  2. Select the menu icon next to the keypair alias, then select Import certificate.

  3. Select the checkbox to make this Apple certificate the default certificate.

  4. Upload the Apple certificate.

Sync the Apple certificate to your macOS

Select all the keypairs you will need for future signing before clicking “Set selected keys to token”. This action resets the token: existing keys on the token are overwritten and will no longer be available.

  1. Open the DigiCert® Software Trust Manager Apple client.

  2. Use the DigiCert® Software Trust Manager Apple client to sync the certificate to your macOS:

    1. Select Fetch keypairs to retrieve all keypairs with a valid certificate from DigiCert® Software Trust Manager.

    2. Select Add new token to add a virtual token named "DigiCert.TokenExtension:SSM0123456789" to macOS.

    3. Select one or more keypairs from the table.

    4. Select Set selected keys to token to make the keys available to macOS via the token. This allows Apple apps that are DigiCert® Software Trust Manager Apple client-aware to consume the keys.

    5. Use one of the following commands to verify that the keypair has been added to the token:

      • List command: security list-smartcard

      • List sample response: DigiCert.TokenExtension:SSM0123456789

      • Export command: security export-smartcard

      • Export sample response:

        ==== private key #1
             crtr : 0
             esiz : 0
             decr : 0
             persistref : <>
             atag : ""
             kcls : 1
             agrp : "com.apple.token"
             pdmn : "dk"
             bsiz : 2,048
             type : 42
             klbl : <a8 66 8a 71 55 eb 1f 4a 89 22 3b 12 f1 53 a7 b5 a7 98 4c 8a>
             edat : 2001-01-01 00:00:00 +0000
             sign : 1
             mdat : 2022-01-20 05:43:35 +0000
             drve : 0
             labl : "Developer ID Installer: DigiCert Inc (DHPK4B64QS)"
             sync : 0
             musr : <>
             sha1 : <3b 46 36 61 77 72 20 82 64 93 ca 27 3d d8 3d 28 bd f8 ef 84>
             cdat : 2022-01-20 05:43:35 +0000
             tkid : "DigiCert.TokenExtension:SSM0123456789"
             sdat : 2001-01-01 00:00:00 +0000
             tomb : 0
             priv : 1
             accc : constraints: {
                      ock : "NONE",
                      osgn : "NONE",
                      ord : "NONE",
                      od : "NONE"
                  }
                  protection: {
                      tkid : "DigiCert.TokenExtension:SSM0123456789"
                  }
             unwp : 0
        ====
        
        ==== private key #2
             crtr : 0
             esiz : 0
             decr : 0
             persistref : <>
             atag : ""
             kcls : 1
             agrp : "com.apple.token"
             pdmn : "dk"
             bsiz : 2,048
             type : 42
             klbl : <11 66 33 2b 72 40 bd b9 19 cc 83 70 d4 e5 29 65 9f d5 f8 dd>
             edat : 2001-01-01 00:00:00 +0000
             sign : 1
             mdat : 2022-01-20 05:43:35 +0000
             drve : 0
             labl : "Apple Development: sagar.choudhari@digicert.com (NH6X97J5CU)"
             sync : 0
             musr : <>
             sha1 : <b3 5b c2 8d c1 0c 7e c4 aa aa f8 e1 ce 2d 7e 25 94 2d 88 79>
             cdat : 2022-01-20 05:43:35 +0000
             tkid : "DigiCert.TokenExtension:SSM0123456789"
             sdat : 2001-01-01 00:00:00 +0000
             tomb : 0
             priv : 1
             accc : constraints: {
                      ock : "NONE",
                      osgn : "NONE",
                      ord : "NONE",
                      od : "NONE"
                  }
                  protection: {
                      tkid : "DigiCert.TokenExtension:SSM0123456789"
                  }
             unwp : 0
        ====
        
        ==== identity #1
             class : "idnt"
             slnr : <54 79 df 37 c1 24 fb 57>
             certdata : <CFData 0x7f8202808c00 [0x7fff803712d0]>{length = 1453, capacity = 1453, bytes = 0x308205a930820491a003020102020854 ... 3f14cddd089f2e42}
             certtkid : "DigiCert.TokenExtension:SSM0123456789"
             priv : 1
             ctyp : 3
             mdat : 2022-01-20 05:43:35 +0000
             sdat : 2001-01-01 00:00:00 +0000
             bsiz : 2,048
             type : 42
             sha1 : <1e 50 02 96 93 92 2d 2f 7e fc f7 54 88 18 9c 49 ed 3b f0 bb>
             pkhh : <a8 66 8a 71 55 eb 1f 4a 89 22 3b 12 f1 53 a7 b5 a7 98 4c 8a>
             cdat : 2022-01-20 05:43:35 +0000
             skid : <a8 66 8a 71 55 eb 1f 4a 89 22 3b 12 f1 53 a7 b5 a7 98 4c 8a>
             tomb : 0
             UUID : "0DB21CE5-D9A4-4BD9-9D62-98AA90D98709"
             persistref : <>
             accc : constraints: {
                      ock : "NONE",
                      osgn : "NONE",
                      ord : "NONE",
                      od : "NONE"
                  }
                  protection: {
                      tkid : "DigiCert.TokenExtension:SSM0123456789"
                  }
             sync : 0
             tkid : "DigiCert.TokenExtension:SSM0123456789"
             pdmn : "dk"
             musr : <>
             subj : <31 1a 30 18 06 0a 09 92 26 89 93 f2 2c 64 01 01 0c 0a 44 48 50 4b 34 42 36 34 51 53 31 3d 30 3b 06 03 55 04 03 0c 34 44 65 76 65 6c 6f 70 65 72 20 49 44 20 49 6e 73 74 61 6c 6c 65 72 3a 20 52 6f 73 65 6d 61 72 79 20 54 68 6f 6d 61 73 20 28 44 48 50 4b 34 42 36 34 51 53 29 31 13 30 11 06 03 55 04 0b 0c 0a 44 48 50 4b 34 42 36 34 51 53 31 18 30 16 06 03 55 04 0a 0c 0f 52 6f 73 65 6d 61 72 79 20 54 68 6f 6d 61 73 31 0b 30 09 06 03 55 04 06 13 02 55 53>
             sign : 1
             esiz : 0
             decr : 0
             atag : ""
             edat : 2001-01-01 00:00:00 +0000
             klbl : <a8 66 8a 71 55 eb 1f 4a 89 22 3b 12 f1 53 a7 b5 a7 98 4c 8a>
             crtr : 0
             unwp : 0
             issr : <31 2d 30 2b 06 03 55 04 03 0c 24 44 65 76 65 6c 6f 70 65 72 20 49 44 20 43 65 72 74 69 66 69 63 61 74 69 6f 6e 20 41 75 74 68 6f 72 69 74 79 31 26 30 24 06 03 55 04 0b 0c 1d 41 70 70 6c 65 20 43 65 72 74 69 66 69 63 61 74 69 6f 6e 20 41 75 74 68 6f 72 69 74 79 31 13 30 11 06 03 55 04 0a 0c 0a 41 70 70 6c 65 20 49 6e 63 2e 31 0b 30 09 06 03 55 04 06 13 02 55 53>
             cenc : 3
             kcls : 1
             agrp : "com.apple.token"
             labl : "MacAppDistribution_Automation_AppleProductSigner_Approval_Requested_WIN_THE_CUSTOMER_LLC"
             drve : 0
        ====
        
        ==== identity #2
             class : "idnt"
             slnr : <64 53 07 40 be 0b 9b f8 19 d4 88 7a 51 0a 5a 05>
             certdata : <CFData 0x7f81ff81c800 [0x7fff803712d0]>{length = 1501, capacity = 1501, bytes = 0x308205d9308204c1a003020102021064 ... 5583bcec59e83eaf}
             certtkid : "DigiCert.TokenExtension:SSM0123456789"
             priv : 1
             ctyp : 3
             mdat : 2022-01-20 05:43:35 +0000
             sdat : 2001-01-01 00:00:00 +0000
             bsiz : 2,048
             type : 42
             sha1 : <dd 9a af 0f aa ab d3 69 4f 6a 2a 3b 59 54 d3 83 e3 3b 19 ab>
             pkhh : <11 66 33 2b 72 40 bd b9 19 cc 83 70 d4 e5 29 65 9f d5 f8 dd>
             cdat : 2022-01-20 05:43:35 +0000
             skid : <11 66 33 2b 72 40 bd b9 19 cc 83 70 d4 e5 29 65 9f d5 f8 dd>
             tomb : 0
             UUID : "C46C1945-7642-4186-B6D3-427CB2DD06DD"
             persistref : <>
             accc : constraints: {
                      ock : "NONE",
                      osgn : "NONE",
                      ord : "NONE",
                      od : "NONE"
                  }
                  protection: {
                      tkid : "DigiCert.TokenExtension:SSM0123456789"
                  }
             sync : 0
             tkid : "DigiCert.TokenExtension:SSM0123456789"
             pdmn : "dk"
             musr : <>
             subj : <31 1a 30 18 06 0a 09 92 26 89 93 f2 2c 64 01 01 0c 0a 39 38 5a 32 50 46 4c 55 36 47 31 45 30 43 06 03 55 04 03 0c 3c 41 70 70 6c 65 20 44 65 76 65 6c 6f 70 6d 65 6e 74 3a 20 73 61 67 61 72 2e 63 68 6f 75 64 68 61 72 69 40 64 69 67 69 63 65 72 74 2e 63 6f 6d 20 28 4e 48 36 58 39 37 4a 35 43 55 29 31 13 30 11 06 03 55 04 0b 0c 0a 46 34 41 4c 59 44 4a 39 59 4e 31 18 30 16 06 03 55 04 0a 0c 0f 53 61 67 61 72 20 43 68 6f 75 64 68 61 72 69 31 0b 30 09 06 03 55 04 06 13 02 55 53>
             sign : 1
             esiz : 0
             decr : 0
             atag : ""
             edat : 2001-01-01 00:00:00 +0000
             klbl : <11 66 33 2b 72 40 bd b9 19 cc 83 70 d4 e5 29 65 9f d5 f8 dd>
             crtr : 0
             unwp : 0
             issr : <31 44 30 42 06 03 55 04 03 0c 3b 41 70 70 6c 65 20 57 6f 72 6c 64 77 69 64 65 20 44 65 76 65 6c 6f 70 65 72 20 52 65 6c 61 74 69 6f 6e 73 20 43 65 72 74 69 66 69 63 61 74 69 6f 6e 20 41 75 74 68 6f 72 69 74 79 31 0b 30 09 06 03 55 04 0b 0c 02 47 33 31 13 30 11 06 03 55 04 0a 0c 0a 41 70 70 6c 65 20 49 6e 63 2e 31 0b 30 09 06 03 55 04 06 13 02 55 53>
             cenc : 3
             kcls : 1
             agrp : "com.apple.token"
             labl : "apple_key"
             drve : 0
        ====
        
        ==== certificate #1
             class : "cert"
             subj : <31 1a 30 18 06 0a 09 92 26 89 93 f2 2c 64 01 01 0c 0a 39 38 5a 32 50 46 4c 55 36 47 31 45 30 43 06 03 55 04 03 0c 3c 41 70 70 6c 65 20 44 65 76 65 6c 6f 70 6d 65 6e 74 3a 20 73 61 67 61 72 2e 63 68 6f 75 64 68 61 72 69 40 64 69 67 69 63 65 72 74 2e 63 6f 6d 20 28 4e 48 36 58 39 37 4a 35 43 55 29 31 13 30 11 06 03 55 04 0b 0c 0a 46 34 41 4c 59 44 4a 39 59 4e 31 18 30 16 06 03 55 04 0a 0c 0f 53 61 67 61 72 20 43 68 6f 75 64 68 61 72 69 31 0b 30 09 06 03 55 04 06 13 02 55 53>
             cenc : 3
             ctyp : 3
             pkhh : <11 66 33 2b 72 40 bd b9 19 cc 83 70 d4 e5 29 65 9f d5 f8 dd>
             persistref : <>
             agrp : "com.apple.token"
             pdmn : "dk"
             labl : "apple_key"
             UUID : "C46C1945-7642-4186-B6D3-427CB2DD06DD"
             mdat : 2022-01-20 05:43:35 +0000
             slnr : <64 53 07 40 be 0b 9b f8 19 d4 88 7a 51 0a 5a 05>
             sync : 0
             sha1 : <dd 9a af 0f aa ab d3 69 4f 6a 2a 3b 59 54 d3 83 e3 3b 19 ab>
             tkid : "DigiCert.TokenExtension:SSM0123456789"
             musr : <>
             cdat : 2022-01-20 05:43:35 +0000
             tomb : 0
             skid : <11 66 33 2b 72 40 bd b9 19 cc 83 70 d4 e5 29 65 9f d5 f8 dd>
             issr : <31 44 30 42 06 03 55 04 03 0c 3b 41 70 70 6c 65 20 57 6f 72 6c 64 77 69 64 65 20 44 65 76 65 6c 6f 70 65 72 20 52 65 6c 61 74 69 6f 6e 73 20 43 65 72 74 69 66 69 63 61 74 69 6f 6e 20 41 75 74 68 6f 72 69 74 79 31 0b 30 09 06 03 55 04 0b 0c 02 47 33 31 13 30 11 06 03 55 04 0a 0c 0a 41 70 70 6c 65 20 49 6e 63 2e 31 0b 30 09 06 03 55 04 06 13 02 55 53>
             accc : constraints: {
                      ord : true
                  }
                  protection: {
                      tkid : "DigiCert.TokenExtension:SSM0123456789"
                  }
        ====
        
        ==== certificate #2
             class : "cert"
             subj : <31 1a 30 18 06 0a 09 92 26 89 93 f2 2c 64 01 01 0c 0a 44 48 50 4b 34 42 36 34 51 53 31 3d 30 3b 06 03 55 04 03 0c 34 44 65 76 65 6c 6f 70 65 72 20 49 44 20 49 6e 73 74 61 6c 6c 65 72 3a 20 52 6f 73 65 6d 61 72 79 20 54 68 6f 6d 61 73 20 28 44 48 50 4b 34 42 36 34 51 53 29 31 13 30 11 06 03 55 04 0b 0c 0a 44 48 50 4b 34 42 36 34 51 53 31 18 30 16 06 03 55 04 0a 0c 0f 52 6f 73 65 6d 61 72 79 20 54 68 6f 6d 61 73 31 0b 30 09 06 03 55 04 06 13 02 55 53>
             cenc : 3
             ctyp : 3
             pkhh : <a8 66 8a 71 55 eb 1f 4a 89 22 3b 12 f1 53 a7 b5 a7 98 4c 8a>
             persistref : <>
             agrp : "com.apple.token"
             pdmn : "dk"
             labl : "MacAppDistribution_Automation_AppleProductSigner_Approval_Requested_WIN_THE_CUSTOMER_LLC"
             UUID : "0DB21CE5-D9A4-4BD9-9D62-98AA90D98709"
             mdat : 2022-01-20 05:43:35 +0000
             slnr : <54 79 df 37 c1 24 fb 57>
             sync : 0
             sha1 : <1e 50 02 96 93 92 2d 2f 7e fc f7 54 88 18 9c 49 ed 3b f0 bb>
             tkid : "DigiCert.TokenExtension:SSM0123456789"
             musr : <>
             cdat : 2022-01-20 05:43:35 +0000
             tomb : 0
             skid : <a8 66 8a 71 55 eb 1f 4a 89 22 3b 12 f1 53 a7 b5 a7 98 4c 8a>
             issr : <31 2d 30 2b 06 03 55 04 03 0c 24 44 65 76 65 6c 6f 70 65 72 20 49 44 20 43 65 72 74 69 66 69 63 61 74 69 6f 6e 20 41 75 74 68 6f 72 69 74 79 31 26 30 24 06 03 55 04 0b 0c 1d 41 70 70 6c 65 20 43 65 72 74 69 66 69 63 61 74 69 6f 6e 20 41 75 74 68 6f 72 69 74 79 31 13 30 11 06 03 55 04 0a 0c 0a 41 70 70 6c 65 20 49 6e 63 2e 31 0b 30 09 06 03 55 04 06 13 02 55 53>
             accc : constraints: {
                      ord : true
                  }
                  protection: {
                      tkid : "DigiCert.TokenExtension:SSM0123456789"
                  }
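The export listing above shows keys, identities and certificates as separate blocks; a certificate is only usable for signing when a private key with the same hash is on the same token. The following script, an added example that is not DigiCert's or Apple's code, parses security export-smartcard output and flags any certificate whose public-key hash (pkhh) has no matching private-key label (klbl). The embedded sample dump is constructed from the field layout shown above, with shortened hashes and placeholder labels.

```shell
#!/bin/sh
# Added example, not DigiCert's tooling: confirm that each certificate on the
# Software Trust Manager virtual token is backed by a private key on that token.
# A certificate's public-key hash (pkhh) must equal a private key's label hash
# (klbl) in `security export-smartcard` output; otherwise codesign cannot use it.
# On a Mac:  security export-smartcard | token_check
# Offline:   token_check "$SAMPLE"  (constructed sample below, trimmed fields)

SAMPLE='==== private key #1
     klbl : <a8 66 8a 71 55 eb 1f 4a>
     labl : "Developer ID Installer: Example Corp (TEAMID0001)"
     tkid : "DigiCert.TokenExtension:SSM0123456789"
====
==== identity #1
     pkhh : <a8 66 8a 71 55 eb 1f 4a>
====
==== certificate #1
     pkhh : <a8 66 8a 71 55 eb 1f 4a>
     labl : "Developer ID Installer: Example Corp (TEAMID0001)"
====
==== certificate #2
     pkhh : <11 66 33 2b 72 40 bd b9>
     labl : "imported_cert_without_key"
===='

# Reads a dump from $1 (or stdin), prints "OK <label>" or "MISSING-KEY <label>"
# per certificate, and exits 1 if any certificate lacks a private key.
token_check() {
    if [ $# -gt 0 ]; then printf '%s\n' "$1"; else cat; fi | awk '
      function hexval(s) { sub(/^[^<]*</, "", s); sub(/>.*$/, "", s); return s }
      function strval(s) { match(s, /"[^"]*"/); return substr(s, RSTART + 1, RLENGTH - 2) }
      $1 == "====" && NF > 1 { kind = $2; next }    # block header: private|identity|certificate
      $1 == "====" && NF == 1 {                      # block end: remember the certificate
          if (kind == "certificate") { n++; chash[n] = hash; clabel[n] = label }
          kind = ""; hash = ""; label = ""; next
      }
      kind == "private"     && $1 == "klbl" { keys[hexval($0)] = 1 }
      kind == "certificate" && $1 == "pkhh" { hash  = hexval($0) }
      kind == "certificate" && $1 == "labl" { label = strval($0) }
      END {
          for (i = 1; i <= n; i++)
              if (chash[i] in keys) print "OK " clabel[i]
              else { print "MISSING-KEY " clabel[i]; bad = 1 }
          exit bad + 0
      }'
}
```

Identity blocks are skipped on purpose: the check pairs raw certificate and key entries, so a certificate imported without its key is reported even if no identity was built for it.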