Apple certificate procedure
Apple must issue the end-entity certificate so that the Apple ecosystem trusts your signed binary. You must store this certificate in DigiCert® Software Trust Manager along with your keypair, both for safekeeping and to allow for Apple signing using Software Trust Manager. Software Trust Manager allows you to sync the Apple certificate to your Apple OS for signing with our Apple signing workflows while storing your private key safely.
Store your keypair and certificate in Software Trust Manager only. Delete local copies of the private key outside of Software Trust Manager.
Tip
The Apple certificate procedure expects the keypair to meet the following requirements:
Algorithm: RSA
Key size: 2048
Keypair category: Production
Keypair type: Static
A workaround is provided for using test certificates, but test certificates only allow you to sign with codesign.
Prerequisites
Create a keypair in Software Trust Manager or import a keypair into Software Trust Manager
Generate a CSR for the keypair stored in Software Trust Manager
Apple developer username and password
Let's begin
Our Apple signing client (CryptoTokenKit) signs using a keypair stored in Software Trust Manager.
Below are two options to store your keypair in Software Trust Manager:
Create new keypair in Software Trust Manager
Sign in to DigiCert ONE.
Select the Manager menu (top right) > Software Trust.
Navigate to: Keypairs > Create keypair.
Complete the following fields:
Field: Description
Keypair type: Select Static (keypair will remain the same) or Dynamic (keypair will change every time you complete a signature).
Keypair alias: Name to uniquely identify this keypair.
Team: Select a team that should have access to this keypair. You will only see this field if you enable Teams under Account settings.
Keypair profile: Select a keypair profile. If you have selected a team, you will only see keypair profiles allocated to that team.
Algorithm: Select RSA.
Key size: Select 2048.
Keypair category: Select Production.
Keypair storage: Select one of the following key storage methods: SoftHSM, HSM, Disk.
Keypair storage provides the following security levels:
Level 3: Key is stored in an HSM that is CA/B compliant. This storage method is FIPS 140-2 Level 2, Common Criteria EAL4+, an equivalent or higher, and therefore is compatible with publicly or privately trusted certificates.
Level 2: Key is stored in an HSM with a certification lower than level 3. This storage is only compatible with privately trusted certificates.
Level 1: Key is stored in an uncertified but secure softHSM. This storage is only compatible with privately trusted certificates.
Note
To use DPoD HSM storage, DPoD must be set up in CA Manager and enabled for your account.
Keypair status: Select Online to generate a keypair that can be used to sign at any time. Select Offline to generate a keypair that can only be used to sign during a release window.
Access: Select Open to allow any user within your account access to the keypair. Select Restricted to limit access to the keypair to specified users, user group, or team.
Allowed users: For Restricted keypairs, you can specify which users can use the keypair.
Allowed user groups: For Restricted keypairs, you can specify one or more groups that are authorized to use the keypair.
Generate certificate: Select this box to generate a keypair with a corresponding default certificate.
Tip
The certificate is required for CSR generation with keytool.
Click Create keypair.
Import keypair
You require the Import keypair permission to import a certificate.
To import a keypair:
Sign in to DigiCert ONE.
Select the Manager menu (top right) > Software Trust.
Navigate to: Keypairs > Import keypair.
Select Upload PEM.
Request Apple certificate
You will need a specific certificate type for different signing use cases. Refer to the certificate types table.
Sign in to your Apple developer account.
Select Certificates, IDs and Profiles.
Review Certificate types supported by Apple to identify the certificate you require.
Use the CSR created above to order your certificate from Apple.
Download Apple certificate.
Import Apple certificate
Navigate to DigiCert® Software Trust Manager > Keypairs.
Select the menu icon next to keypair alias. Select Import certificate.
Select the checkbox to make this Apple certificate the default certificate.
Upload the Apple certificate.
Sync the Apple certificate to your macOS
Select all the keypairs you require for future signing before clicking “Set selected keys to token”. This action resets the token. Existing keys will be overwritten and will no longer be available.
Open DigiCert® Software Trust Manager Apple client.
Use the DigiCert® Software Trust Manager Apple client to sync the certificate to your macOS.
Select Fetch keypairs to retrieve all keypairs with a valid certificate from DigiCert® Software Trust Manager.
Select Add new token to add a virtual token named "DigiCert.TokenExtension:SSM0123456789" to macOS.
Select one or more keypairs from the table.
Select Set selected keys to token to make the keys available to your macOS via the token. This allows Apple apps that are DigiCert® Software Trust Manager Apple client-aware to consume the keys.
Use one of the following commands to verify that the keypair has been added to the token:
List command
security list-smartcard
List sample response
DigiCert.TokenExtension:SSM0123456789
Export command
security export-smartcard
Export sample response
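A scripted form of the verification step above, as an added example that is not part of DigiCert's documentation or tooling: because "Set selected keys to token" overwrites the token, it checks that every keypair you still need has an identity (certificate plus private key) on the DigiCert token. The function names, the sample labels and the one-attribute-per-line layout of the export output are assumptions.

```shell
#!/bin/sh
# Added example, not DigiCert tooling. Assumes one attribute per line and
# entries delimited by lines that start with "====".

# missing_identities <token-id> <label>...   (export output on stdin)
# Prints every expected label that has no identity entry on that token.
# Returns 0 only when all labels are present.
missing_identities() {
    tok=$1; shift
    found=$(awk -v tok="$tok" '
        function quoted(s) { sub(/^[^"]*"/, "", s); sub(/"[^"]*$/, "", s); return s }
        function emit() {
            if (kind == "identity" && tkid == tok) print labl
            kind = tkid = labl = ""
        }
        /^====/      { emit(); kind = $2; next }
        $1 == "labl" { labl = quoted($0) }
        $1 == "tkid" { tkid = quoted($0) }
        END          { emit() }
    ')
    rc=0
    for label in "$@"; do
        printf '%s\n' "$found" | grep -Fxq -- "$label" ||
            { printf '%s\n' "$label"; rc=1; }
    done
    return $rc
}

# Constructed sample: one identity on the DigiCert token, one private key
# without a certificate, and one identity that lives on a different token.
sample_export() {
    cat <<'EOF'
==== private key #1
    labl : "installer_key"
    tkid : "DigiCert.TokenExtension:SSM0123456789"
====
==== identity #1
    labl : "release_key"
    tkid : "DigiCert.TokenExtension:SSM0123456789"
====
==== identity #2
    labl : "old_key"
    tkid : "com.example.other:TOKEN"
====
EOF
}
```

On the Mac, pipe the real output in, for example: security export-smartcard | missing_identities "DigiCert.TokenExtension:SSM0123456789" followed by the labels you expect.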
Workaround for test keypairs and certificates
Note
Software Trust Manager does not allow the import of test certificates. The following workaround allows you to use test keypairs and certificates issued in Software Trust Manager.
Seeing as these certificates are not issued by Apple, signing will work with codesign but not productsign.
To create a test certificate and add the hierarchy of the certificate to the Apple Keychain:
Create a Test keypair and default certificate in Software Trust Manager.
Download the ICA and CA of the certificate from CA Manager.
Double click on the Root certificate to add it to the Apple keychain.
Double click on the ICA certificate to add it to the Apple keychain.
Open Keychain Access.
Double click on the certificate and select Trust so the certificate is Trusted.
When using non-Apple issued certificates, follow the steps below before signing. The following procedure guides you through how to use the OpenSSL -legacy flag, available in OpenSSL version 3.x, to convert your DigiCert ONE client authentication certificate to cert.pem and then into a PKCS#12 certificate that is readable with LibreSSL and therefore compatible with Apple Keychain.
Confirm which OpenSSL version you're using:
openssl version
Note
If the output is LibreSSL, continue with the steps below on the machine with OpenSSL 3.x installed.
Convert the certificate from .p12 to .pem:
openssl pkcs12 -in cert.p12 -out cert.pem
Create a new .crt file:
Copy the contents of the .pem file from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----.
Paste the contents into a plain text editor or IDE.
Save the file as certname.crt.
Create a new .key file:
Copy the contents of the .pem file from -----BEGIN ENCRYPTED PRIVATE KEY----- to -----END ENCRYPTED PRIVATE KEY-----.
Paste the contents into a plain text editor or IDE.
Save the file as encrypted.key.
Decrypt the encrypted .key file:
openssl rsa -in encrypted.key -out decryptedKey.key
Run the following command to create a certificate file compatible with Ventura and Sonoma OS:
Link the decrypted private key (decryptedKey.key) and its associated X.509 certificate (certname.crt), and export them as a PKCS#12 file (newcert.pfx):
openssl pkcs12 -inkey decryptedKey.key -in certname.crt -export -legacy -out newcert.pfx
Save newcert.pfx in the environment variables of the CTK.
Save newcert.pfx password in the environment variables of the CTK.
Tip
You can now use the same codesign commands as an Apple issued certificate.
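The .p12 to legacy .pfx conversion steps above, scripted so that the certificate and key are split by openssl itself rather than by copy and paste, and so that the decrypted key only exists in a private temporary directory that is deleted on exit. This is an added example, not DigiCert's own tooling; the function name and the P12_PASS and PFX_PASS variable names are hypothetical.

```shell
#!/bin/sh
# Added example, not DigiCert tooling. Assumes OpenSSL 3.x on PATH.
# P12_PASS (password of cert.p12) and PFX_PASS (password for the new file)
# are hypothetical variable names; export both before calling the function.

# to_legacy_pfx <in.p12> <out.pfx>
to_legacy_pfx() {
    in_p12=$1
    out_pfx=$2
    # LibreSSL and OpenSSL 1.x have no pkcs12 -legacy flag: stop early.
    case "$(openssl version 2>/dev/null)" in
        "OpenSSL 3."*) ;;
        *) echo "OpenSSL 3.x required" >&2; return 2 ;;
    esac
    (
        umask 077                     # intermediate files: owner access only
        work=$(mktemp -d) || exit 1
        trap 'rm -rf "$work"' EXIT    # decrypted key is removed on any exit
        # Certificate only; replaces copying the BEGIN/END CERTIFICATE block.
        openssl pkcs12 -in "$in_p12" -passin env:P12_PASS \
            -clcerts -nokeys -out "$work/certname.crt" || exit 1
        # Private key only, unencrypted; replaces the copy and "openssl rsa" steps.
        openssl pkcs12 -in "$in_p12" -passin env:P12_PASS \
            -nocerts -noenc -out "$work/decryptedKey.key" || exit 1
        # Bundle key and certificate with the legacy algorithms, as on the page.
        openssl pkcs12 -export -legacy -inkey "$work/decryptedKey.key" \
            -in "$work/certname.crt" -passout env:PFX_PASS -out "$out_pfx"
    )
}
```

Call it as to_legacy_pfx cert.p12 newcert.pfx; the resulting file is the newcert.pfx that the last steps above reference.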