Keys & cryptography

PKCS#12 / .p12 file

A password-protected file format that bundles a certificate and its matching private key together. The standard way to move an Apple signing identity between machines.

.p12PKCS12.pfxp12 bundle

PKCS#12 is the cryptographic standard for packaging a certificate together with its matching private key in a single file, encrypted with a password. On Apple platforms the file usually has a .p12 extension; on Windows the same format is called .pfx. It is how teams share or back up an Apple Developer signing identity.

What is inside

The leaf certificate (Apple Development, Apple Distribution, Developer ID, etc.).
The private key that pairs with the certificate's public key.
Optionally, intermediate certificates (the WWDR generation that signed the leaf).
An encryption envelope keyed off the password you set at export time.

Two ways to produce one

Keychain Access: Right-click the certificate, choose Export, pick `.p12`, set a password. Works only on the Mac where the private key lives.
openssl: `openssl pkcs12 -export -out cert.p12 -inkey key.pem -in cert.pem` bundles a certificate and key from PEM files. Useful when the key was generated outside Keychain.

Keep reading

Related terms

Private key

The secret half of a key pair. Whoever holds the private key for a code signing certificate can sign builds as that developer. Lose it and you cannot rotate; leak it and someone else can sign as you.

Read definition

Keychain (macOS)

macOS's built-in encrypted store for passwords, certificates, and private keys. Xcode and codesign read signing identities from it.

Read definition

Code signing certificate

Umbrella term for any Apple-issued certificate used to sign a binary, installer, or push token. Covers Apple Development, Apple Distribution, Developer ID, APNs, Pass Type ID, and Mac Installer certificates.

Read definition

CSR (Certificate Signing Request)

A file containing a public key and team identity, signed with the matching private key. You upload it to Apple to be issued a certificate. The private key never leaves your machine in the process.

Read definition

.p8 file (auth key)

A PEM-encoded private key file used for two specific Apple authentication flows: App Store Connect API keys and APNs auth keys. Has no expiration and no companion certificate.

Read definition

Next step

Help articles on this topic

Generate and store CSRs in the HexSign vault

Generate certificate signing requests with private keys encrypted at rest, or upload your own and reuse them across certificates.

4 min readRead article

Upload a private key for a certificate created outside HexSign

Pair a private key with a certificate you originally issued in the Apple Developer portal (or another tool) so HexSign can export .p12 bundles for it.

4 min readRead article

Run the CLI in CI with machine credentials

Provision a service credential, drop the client ID and secret into your pipeline, and let the CLI swap to machine mode automatically.

5 min readRead article

Notice a definition that has drifted? Email support@hexsign.io and we'll update it. Browse the full glossary or jump to the help center.

Keys & cryptography

PKCS#12 / .p12 file

A password-protected file format that bundles a certificate and its matching private key together. The standard way to move an Apple signing identity between machines.

.p12PKCS12.pfxp12 bundle

What is inside

The leaf certificate (Apple Development, Apple Distribution, Developer ID, etc.).
The private key that pairs with the certificate's public key.
Optionally, intermediate certificates (the WWDR generation that signed the leaf).
An encryption envelope keyed off the password you set at export time.

Two ways to produce one

Keychain Access: Right-click the certificate, choose Export, pick `.p12`, set a password. Works only on the Mac where the private key lives.
openssl: `openssl pkcs12 -export -out cert.p12 -inkey key.pem -in cert.pem` bundles a certificate and key from PEM files. Useful when the key was generated outside Keychain.

Keep reading

Related terms

Private key

The secret half of a key pair. Whoever holds the private key for a code signing certificate can sign builds as that developer. Lose it and you cannot rotate; leak it and someone else can sign as you.

Read definition

Keychain (macOS)

macOS's built-in encrypted store for passwords, certificates, and private keys. Xcode and codesign read signing identities from it.

Read definition

Code signing certificate

Read definition

CSR (Certificate Signing Request)

A file containing a public key and team identity, signed with the matching private key. You upload it to Apple to be issued a certificate. The private key never leaves your machine in the process.

Read definition

.p8 file (auth key)

A PEM-encoded private key file used for two specific Apple authentication flows: App Store Connect API keys and APNs auth keys. Has no expiration and no companion certificate.

Read definition

Next step

Help articles on this topic

Generate and store CSRs in the HexSign vault

Generate certificate signing requests with private keys encrypted at rest, or upload your own and reuse them across certificates.

4 min readRead article

Upload a private key for a certificate created outside HexSign

Pair a private key with a certificate you originally issued in the Apple Developer portal (or another tool) so HexSign can export .p12 bundles for it.

4 min readRead article

Run the CLI in CI with machine credentials

Provision a service credential, drop the client ID and secret into your pipeline, and let the CLI swap to machine mode automatically.

5 min readRead article

Notice a definition that has drifted? Email support@hexsign.io and we'll update it. Browse the full glossary or jump to the help center.