Skip to main content

Apple certificate procedure

Apple must issue the end-entity certificate so that the Apple ecosystem trusts your signed binary. You must store this certificate in DigiCert​​®​​ Software Trust Manager along with your keypair, both for safekeeping and to allow for Apple signing using Software Trust Manager . Software Trust Manager allows you to sync the Apple certificate to your Apple OS for signing with our Apple signing workflows while storing your private key safely.

Store your keypair and certificate in Software Trust Manager only. Delete local copies of the private key outside of Software Trust Manager.

Tip

The Apple certificate procedure expects the keypair to meet the following requirements:

  • Algorithm: RSA

  • Key size: 2048

  • Keypair category: Production

  • Keypair type: Static

However, we have provided a workaround for using test certificates, but test certificates only allow you to sign with codesign.

Prerequisites

  • CryptoTokenKit

  • Create a keypair in Software Trust Manager or import a keypair into Software Trust Manager

  • Generate a CSR for the keypair stored in Software Trust Manager

  • Apple developer username and password

Let's begin

Our Apple signing client (CryptoTokenKit) signs using a keypair stored in Software Trust Manager .

Below are two options to store your keypair in Software Trust Manager:

Create new keypair in Software Trust Manager

  1. Sign in to DigiCert ONE.

  2. Select the Manager menu (top right) > Software Trust.

  3. Navigate to: Keypairs > Create keypair.

  4. Complete the following fields:

    Field

    Description

    Keypair type

    Select Static (keypair will remain the same) or Dynamic (keypair will change every time you complete a signature).

    Keypair alias

    Name to uniquely identify this keypair.

    Team

    Select a team that should have access to this keypair. You will only see this field if you enable Teams under Account settings.

    Keypair profile

    Select a keypair profile. If you have selected a team. you will only see keypair profiles allocated to that team.

    Algorithm

    Select RSA.

    Key size

    Select 2048.

    Keypair category

    Select Production.

    Keypair storage

    Select one of the following key storage methods:

    • SoftHSM

    • HSM

    • Disk

    Keypair storage provide the following security levels:

    • Level 3

      Key is stored in an HSM that is CA/B compliant. This storage method is FIPS 140-2 Level 2, Common Criteria EAL4+, an equivalent or higher, and therefore is compatible with publicly or privately trusted certificates.

    • Level 2

      Key is stored in an HSM with a certification is lower than level 3. This storage is only compatible for privately trusted certificates.

    • Level 1

      Key is stored in an uncertified but secure softHSM. This storage is only compatible for privately trusted certificates.

    Opmerking

    To use use DPoD HSM storage, DPoD must be set up in CA Manager and enabled for your account.

    Keypair status

    Select Online to generate a keypair that can be used to sign at any time.

    Select Offline to generate a keypair that can only be used to sign during a release window.

    Access

    Select Open to allow any user within your account access to the keypair.

    Select Restricted to limit access to the keypair to specified users, user group, or team.

    Allowed users

    For Restricted keypairs, you can specify which users can use the keypair.

    Allowed user groups

    For Restricted keypairs, you can specify one or more groups that are authorized to use the keypair.

    Generate certificate

    Select this box to generate a keypair with a corresponding default certificate.

    Tip

    The certificate is required for CSR generation with keytool.

  5. Click Create keypair.

Import keypair

You require the Import keypair permission to import a certificate.

To import a keypair:

  1. Sign in to DigiCert ONE.

  2. Select the Manager menu (top right) > Software Trust.

  3. Navigate to: Keypairs > Import keypair.

  4. Select Upload PEM.

Request Apple certificate

You will need a specific certificate type for different signing use cases. Refer to the certificate types table.

  1. Sign in to your Apple developer account.

  2. Select Certificates, IDs and Profiles.

  3. Review Certificate types supported by Apple to identify the certificate you require.

  4. Use the CSR created above to order your certificate from Apple.

  5. Download Apple certificate.

Import Apple certificate

  1. Navigate to DigiCert​​®​​ Software Trust Manager  > Keypairs.

  2. Select the menu icon next to keypair alias. Select Import certificate.

  3. Select the checkbox to make this Apple certificate the default certificate.

  4. Upload the Apple certificate.

Sync the Apple certificate to your macOS

Select all the keypairs you require for future signing before clicking “Set selected keys to token”. This action resets the token. Existing keys will be overwritten and will no longer be available.

  1. Open DigiCert​​®​​ Software Trust Manager Apple client.

  2. Use the DigiCert​​®​​ Software Trust Manager Apple client to sync the certificate to your Mac OS.

    1. Select Fetch keypairs to retrieve all keypairs with a valid certificate from DigiCert​​®​​ Software Trust Manager .

    2. Select Add new token to add a virtual token named "DigiCert.TokenExtension:SSM0123456789" to the MacOS.

    3. Select one or more keypairs from the table.

    4. Select Set selected keys to token to make the keys available to your Mac OS via the token. This allows Apple apps that are DigiCert​​®​​ Software Trust Manager Apple client-aware to consume the keys.

    5. Use one of the following commands to verify that the keypair has been added to the token:

      • List command security list-smartcard

      • List sample response DigiCert.TokenExtension:SSM0123456789

      • Export command security export-smartcard

      • Export sample response

        ==== private key #1
             crtr : 0
             esiz : 0
             decr : 0
             persistref : <>
             atag : ""
             kcls : 1
             agrp : "com.apple.token"
             pdmn : "dk"
             bsiz : 2,048
             type : 42
             klbl : <a8 66 8a 71 55 eb 1f 4a 89 22 3b 12 f1 53 a7 b5 a7 98 4c 8a>
             edat : 2001-01-01 00:00:00 +0000
             sign : 1
             mdat : 2022-01-20 05:43:35 +0000
             drve : 0
             labl : "Developer ID Installer: DigiCert Inc (DHPK4B64QS)"
             sync : 0
             musr : <>
             sha1 : <3b 46 36 61 77 72 20 82 64 93 ca 27 3d d8 3d 28 bd f8 ef 84>
             cdat : 2022-01-20 05:43:35 +0000
             tkid : "DigiCert.TokenExtension:SSM0123456789"
             sdat : 2001-01-01 00:00:00 +0000
             tomb : 0
             priv : 1
             accc : constraints: {
                      ock : "NONE",
                      osgn : "NONE",
                      ord : "NONE",
                      od : "NONE"
                  }
                  protection: {
                      tkid : "DigiCert.TokenExtension:SSM0123456789"
                  }
             unwp : 0
        ====
        
        ==== private key #2
             crtr : 0
             esiz : 0
             decr : 0
             persistref : <>
             atag : ""
             kcls : 1
             agrp : "com.apple.token"
             pdmn : "dk"
             bsiz : 2,048
             type : 42
             klbl : <11 66 33 2b 72 40 bd b9 19 cc 83 70 d4 e5 29 65 9f d5 f8 dd>
             edat : 2001-01-01 00:00:00 +0000
             sign : 1
             mdat : 2022-01-20 05:43:35 +0000
             drve : 0
             labl : "Apple Development: sagar.choudhari@digicert.com (NH6X97J5CU)"
             sync : 0
             musr : <>
             sha1 : <b3 5b c2 8d c1 0c 7e c4 aa aa f8 e1 ce 2d 7e 25 94 2d 88 79>
             cdat : 2022-01-20 05:43:35 +0000
             tkid : "DigiCert.TokenExtension:SSM0123456789"
             sdat : 2001-01-01 00:00:00 +0000
             tomb : 0
             priv : 1
             accc : constraints: {
                      ock : "NONE",
                      osgn : "NONE",
                      ord : "NONE",
                      od : "NONE"
                  }
                  protection: {
                      tkid : "DigiCert.TokenExtension:SSM0123456789"
                  }
             unwp : 0
        ====
        
        ==== identity #1
             class : "idnt"
             slnr : <54 79 df 37 c1 24 fb 57>
             certdata : <CFData 0x7f8202808c00 [0x7fff803712d0]>{length = 1453, capacity = 1453, bytes = 0x308205a930820491a003020102020854 ... 3f14cddd089f2e42}
             certtkid : "DigiCert.TokenExtension:SSM0123456789"
             priv : 1
             ctyp : 3
             mdat : 2022-01-20 05:43:35 +0000
             sdat : 2001-01-01 00:00:00 +0000
             bsiz : 2,048
             type : 42
             sha1 : <1e 50 02 96 93 92 2d 2f 7e fc f7 54 88 18 9c 49 ed 3b f0 bb>
             pkhh : <a8 66 8a 71 55 eb 1f 4a 89 22 3b 12 f1 53 a7 b5 a7 98 4c 8a>
             cdat : 2022-01-20 05:43:35 +0000
             skid : <a8 66 8a 71 55 eb 1f 4a 89 22 3b 12 f1 53 a7 b5 a7 98 4c 8a>
             tomb : 0
             UUID : "0DB21CE5-D9A4-4BD9-9D62-98AA90D98709"
             persistref : <>
             accc : constraints: {
                      ock : "NONE",
                      osgn : "NONE",
                      ord : "NONE",
                      od : "NONE"
                  }
                  protection: {
                      tkid : "DigiCert.TokenExtension:SSM0123456789"
                  }
             sync : 0
             tkid : "DigiCert.TokenExtension:SSM0123456789"
             pdmn : "dk"
             musr : <>
             subj : <31 1a 30 18 06 0a 09 92 26 89 93 f2 2c 64 01 01 0c 0a 44 48 50 4b 34 42 36 34 51 53 31 3d 30 3b 06 03 55 04 03 0c 34 44 65 76 65 6c 6f 70 65 72 20 49 44 20 49 6e 73 74 61 6c 6c 65 72 3a 20 52 6f 73 65 6d 61 72 79 20 54 68 6f 6d 61 73 20 28 44 48 50 4b 34 42 36 34 51 53 29 31 13 30 11 06 03 55 04 0b 0c 0a 44 48 50 4b 34 42 36 34 51 53 31 18 30 16 06 03 55 04 0a 0c 0f 52 6f 73 65 6d 61 72 79 20 54 68 6f 6d 61 73 31 0b 30 09 06 03 55 04 06 13 02 55 53>
             sign : 1
             esiz : 0
             decr : 0
             atag : ""
             edat : 2001-01-01 00:00:00 +0000
             klbl : <a8 66 8a 71 55 eb 1f 4a 89 22 3b 12 f1 53 a7 b5 a7 98 4c 8a>
             crtr : 0
             unwp : 0
             issr : <31 2d 30 2b 06 03 55 04 03 0c 24 44 65 76 65 6c 6f 70 65 72 20 49 44 20 43 65 72 74 69 66 69 63 61 74 69 6f 6e 20 41 75 74 68 6f 72 69 74 79 31 26 30 24 06 03 55 04 0b 0c 1d 41 70 70 6c 65 20 43 65 72 74 69 66 69 63 61 74 69 6f 6e 20 41 75 74 68 6f 72 69 74 79 31 13 30 11 06 03 55 04 0a 0c 0a 41 70 70 6c 65 20 49 6e 63 2e 31 0b 30 09 06 03 55 04 06 13 02 55 53>
             cenc : 3
             kcls : 1
             agrp : "com.apple.token"
             labl : "MacAppDistribution_Automation_AppleProductSigner_Approval_Requested_WIN_THE_CUSTOMER_LLC"
             drve : 0
        ====
        
        ==== identity #2
             class : "idnt"
             slnr : <64 53 07 40 be 0b 9b f8 19 d4 88 7a 51 0a 5a 05>
             certdata : <CFData 0x7f81ff81c800 [0x7fff803712d0]>{length = 1501, capacity = 1501, bytes = 0x308205d9308204c1a003020102021064 ... 5583bcec59e83eaf}
             certtkid : "DigiCert.TokenExtension:SSM0123456789"
             priv : 1
             ctyp : 3
             mdat : 2022-01-20 05:43:35 +0000
             sdat : 2001-01-01 00:00:00 +0000
             bsiz : 2,048
             type : 42
             sha1 : <dd 9a af 0f aa ab d3 69 4f 6a 2a 3b 59 54 d3 83 e3 3b 19 ab>
             pkhh : <11 66 33 2b 72 40 bd b9 19 cc 83 70 d4 e5 29 65 9f d5 f8 dd>
             cdat : 2022-01-20 05:43:35 +0000
             skid : <11 66 33 2b 72 40 bd b9 19 cc 83 70 d4 e5 29 65 9f d5 f8 dd>
             tomb : 0
             UUID : "C46C1945-7642-4186-B6D3-427CB2DD06DD"
             persistref : <>
             accc : constraints: {
                      ock : "NONE",
                      osgn : "NONE",
                      ord : "NONE",
                      od : "NONE"
                  }
                  protection: {
                      tkid : "DigiCert.TokenExtension:SSM0123456789"
                  }
             sync : 0
             tkid : "DigiCert.TokenExtension:SSM0123456789"
             pdmn : "dk"
             musr : <>
             subj : <31 1a 30 18 06 0a 09 92 26 89 93 f2 2c 64 01 01 0c 0a 39 38 5a 32 50 46 4c 55 36 47 31 45 30 43 06 03 55 04 03 0c 3c 41 70 70 6c 65 20 44 65 76 65 6c 6f 70 6d 65 6e 74 3a 20 73 61 67 61 72 2e 63 68 6f 75 64 68 61 72 69 40 64 69 67 69 63 65 72 74 2e 63 6f 6d 20 28 4e 48 36 58 39 37 4a 35 43 55 29 31 13 30 11 06 03 55 04 0b 0c 0a 46 34 41 4c 59 44 4a 39 59 4e 31 18 30 16 06 03 55 04 0a 0c 0f 53 61 67 61 72 20 43 68 6f 75 64 68 61 72 69 31 0b 30 09 06 03 55 04 06 13 02 55 53>
             sign : 1
             esiz : 0
             decr : 0
             atag : ""
             edat : 2001-01-01 00:00:00 +0000
             klbl : <11 66 33 2b 72 40 bd b9 19 cc 83 70 d4 e5 29 65 9f d5 f8 dd>
             crtr : 0
             unwp : 0
             issr : <31 44 30 42 06 03 55 04 03 0c 3b 41 70 70 6c 65 20 57 6f 72 6c 64 77 69 64 65 20 44 65 76 65 6c 6f 70 65 72 20 52 65 6c 61 74 69 6f 6e 73 20 43 65 72 74 69 66 69 63 61 74 69 6f 6e 20 41 75 74 68 6f 72 69 74 79 31 0b 30 09 06 03 55 04 0b 0c 02 47 33 31 13 30 11 06 03 55 04 0a 0c 0a 41 70 70 6c 65 20 49 6e 63 2e 31 0b 30 09 06 03 55 04 06 13 02 55 53>
             cenc : 3
             kcls : 1
             agrp : "com.apple.token"
             labl : "apple_key"
             drve : 0
        ====
        
        ==== certificate #1
             class : "cert"
             subj : <31 1a 30 18 06 0a 09 92 26 89 93 f2 2c 64 01 01 0c 0a 39 38 5a 32 50 46 4c 55 36 47 31 45 30 43 06 03 55 04 03 0c 3c 41 70 70 6c 65 20 44 65 76 65 6c 6f 70 6d 65 6e 74 3a 20 73 61 67 61 72 2e 63 68 6f 75 64 68 61 72 69 40 64 69 67 69 63 65 72 74 2e 63 6f 6d 20 28 4e 48 36 58 39 37 4a 35 43 55 29 31 13 30 11 06 03 55 04 0b 0c 0a 46 34 41 4c 59 44 4a 39 59 4e 31 18 30 16 06 03 55 04 0a 0c 0f 53 61 67 61 72 20 43 68 6f 75 64 68 61 72 69 31 0b 30 09 06 03 55 04 06 13 02 55 53>
             cenc : 3
             ctyp : 3
             pkhh : <11 66 33 2b 72 40 bd b9 19 cc 83 70 d4 e5 29 65 9f d5 f8 dd>
             persistref : <>
             agrp : "com.apple.token"
             pdmn : "dk"
             labl : "apple_key"
             UUID : "C46C1945-7642-4186-B6D3-427CB2DD06DD"
             mdat : 2022-01-20 05:43:35 +0000
             slnr : <64 53 07 40 be 0b 9b f8 19 d4 88 7a 51 0a 5a 05>
             sync : 0
             sha1 : <dd 9a af 0f aa ab d3 69 4f 6a 2a 3b 59 54 d3 83 e3 3b 19 ab>
             tkid : "DigiCert.TokenExtension:SSM0123456789"
             musr : <>
             cdat : 2022-01-20 05:43:35 +0000
             tomb : 0
             skid : <11 66 33 2b 72 40 bd b9 19 cc 83 70 d4 e5 29 65 9f d5 f8 dd>
             issr : <31 44 30 42 06 03 55 04 03 0c 3b 41 70 70 6c 65 20 57 6f 72 6c 64 77 69 64 65 20 44 65 76 65 6c 6f 70 65 72 20 52 65 6c 61 74 69 6f 6e 73 20 43 65 72 74 69 66 69 63 61 74 69 6f 6e 20 41 75 74 68 6f 72 69 74 79 31 0b 30 09 06 03 55 04 0b 0c 02 47 33 31 13 30 11 06 03 55 04 0a 0c 0a 41 70 70 6c 65 20 49 6e 63 2e 31 0b 30 09 06 03 55 04 06 13 02 55 53>
             accc : constraints: {
                      ord : true
                  }
                  protection: {
                      tkid : "DigiCert.TokenExtension:SSM0123456789"
                  }
        ====
        
        ==== certificate #2
             class : "cert"
             subj : <31 1a 30 18 06 0a 09 92 26 89 93 f2 2c 64 01 01 0c 0a 44 48 50 4b 34 42 36 34 51 53 31 3d 30 3b 06 03 55 04 03 0c 34 44 65 76 65 6c 6f 70 65 72 20 49 44 20 49 6e 73 74 61 6c 6c 65 72 3a 20 52 6f 73 65 6d 61 72 79 20 54 68 6f 6d 61 73 20 28 44 48 50 4b 34 42 36 34 51 53 29 31 13 30 11 06 03 55 04 0b 0c 0a 44 48 50 4b 34 42 36 34 51 53 31 18 30 16 06 03 55 04 0a 0c 0f 52 6f 73 65 6d 61 72 79 20 54 68 6f 6d 61 73 31 0b 30 09 06 03 55 04 06 13 02 55 53>
             cenc : 3
             ctyp : 3
             pkhh : <a8 66 8a 71 55 eb 1f 4a 89 22 3b 12 f1 53 a7 b5 a7 98 4c 8a>
             persistref : <>
             agrp : "com.apple.token"
             pdmn : "dk"
             labl : "MacAppDistribution_Automation_AppleProductSigner_Approval_Requested_WIN_THE_CUSTOMER_LLC"
             UUID : "0DB21CE5-D9A4-4BD9-9D62-98AA90D98709"
             mdat : 2022-01-20 05:43:35 +0000
             slnr : <54 79 df 37 c1 24 fb 57>
             sync : 0
             sha1 : <1e 50 02 96 93 92 2d 2f 7e fc f7 54 88 18 9c 49 ed 3b f0 bb>
             tkid : "DigiCert.TokenExtension:SSM0123456789"
             musr : <>
             cdat : 2022-01-20 05:43:35 +0000
             tomb : 0
             skid : <a8 66 8a 71 55 eb 1f 4a 89 22 3b 12 f1 53 a7 b5 a7 98 4c 8a>
             issr : <31 2d 30 2b 06 03 55 04 03 0c 24 44 65 76 65 6c 6f 70 65 72 20 49 44 20 43 65 72 74 69 66 69 63 61 74 69 6f 6e 20 41 75 74 68 6f 72 69 74 79 31 26 30 24 06 03 55 04 0b 0c 1d 41 70 70 6c 65 20 43 65 72 74 69 66 69 63 61 74 69 6f 6e 20 41 75 74 68 6f 72 69 74 79 31 13 30 11 06 03 55 04 0a 0c 0a 41 70 70 6c 65 20 49 6e 63 2e 31 0b 30 09 06 03 55 04 06 13 02 55 53>
             accc : constraints: {
                      ord : true
                  }
                  protection: {
                      tkid : "DigiCert.TokenExtension:SSM0123456789"
                  }

Workaround for test keypairs and certificates

Opmerking

Software Trust Manager does not allow the import of test certificates. The following workaround allows you to use test keypairs and certificates issued in Software Trust Manager.

Seeing as these certificates are not issued by Apple, signing will work with codesign but not productsign.

To create a test certificate and add the hierarchy of the certificate to the Apple Keychain:

  1. Create a Test keypair and default certificate in Software Trust Manager.

  2. Download the ICA and CA of the certificate from CA Manager.

  3. Double click on the Root certificate to add it to the Apple keychain.

  4. Double click on the ICA certificate to add it to the Apple keychain.

  5. Open Keychain Access.

  6. Double click on the certificate and select Trust so the certificate is Trusted.

When using non-Apple issued certificates, follow the steps below before signing. The following procedure guides you through how use the OpenSSL -legacy flag available on OpenSSL version 3.x to convert your DigiCert ONE client authentication certificate to cert.pem and then convert it into a PKCS#12 certificate which is readable with LibreSSL and therefore compatible with Apple Keychain.

  1. Confirm which OpenSSL version you're using:

    OpenSSL version

    Opmerking

    If the output is LibreSSL, continue with the steps below on the machine with OpenSSL 3.x installed.

  2. Convert the certificate from .p12 to .pem:

    openssl pkcs12 -in cert.p12 -out cert.pem
  3. Create a new .cert file:

    1. Copy the contents of the .pem file from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----.

    2. Paste the contents into a plain text editor or IDE.

    3. Save the file as certname.crt.

  4. Create a new .key:

    1. Copy the contents of the .pem file from -----BEGIN ENCRYPTED PRIVATE KEY----- to -----END ENCRYPTED PRIVATE KEY-----.

    2. Paste the contents into a plain text editor or IDE.

    3. Save the file as encrypted.key.

  5. Decrypt the encrypted .key file:

    openssl rsa -in encrypted.key -out decryptedKey.key
  6. Run the following command to create a certificate file compatible with Ventura and Sonoma OS:

    1. Link the decrypted private key (decryptedKey.key) and its associated X.509 certificate (certname.crt), and export them as a PKCS#12 file (newcert.pfx):

      openssl pkcs12 -inkey decryptedKey.key -in certname.crt -export -legacy -out  newcert.pfx
    2. Save newcert.pfx in the environment variables of the CTK.

    3. Save newcert.pfx password in the environment variables of the CTK.

Tip

You can now use the same codesign commands as an Apple issued certificate.