Create and revoke Apple Developer certificates

HexSign can issue every certificate type the App Store Connect API supports creating: Apple Development, Apple Distribution, Mac Installer Distribution, Pass Type ID, and Apple Push. The flow is the same for each: pick a type, pick a CSR, and HexSign hands the request to Apple.

Issue a new certificate

1. 1

   Open Certificates and click "New certificate"

   From the Certificates tab in the sidebar, click the New certificate button in the top-right.

2. 2

   Pick a type

   Choose the certificate type that matches what you're signing. App Store builds use Apple Distribution, TestFlight or local testing uses Apple Development, and Mac App Store installers use Mac Installer Distribution.

3. 3

   Pick or generate a CSR

   Either pick an existing CSR from your CSR vault or have HexSign generate a fresh one (the private key is encrypted with a dedicated AWS KMS key).

4. 4

   Submit

   HexSign forwards the request to Apple's API, ingests the resulting .cer, and stores it next to the originating CSR. The new certificate is immediately visible in the dashboard and on the relationship graph.

Download a .p12

HexSign can export the certificate as a password-protected PKCS#12 (.p12) file that pairs the certificate with its private key. Click Download .p12 from the certificate's detail page; HexSign generates a fresh random password and hands you the bundle ready to import into Keychain Access or a CI secret store.

The .p12 download requires that HexSign holds the matching private key. That happens automatically for certificates created through HexSign's New certificate flow. For certificates that were synced from the Apple Developer portal (most commonly Developer ID certificates) you can upload the matching private key on the certificate's detail page. See Upload a private key for a certificate created outside HexSign.

Revoke a certificate

Revoking a certificate tells Apple to mark it invalid. Any provisioning profile that was signed with that certificate becomes invalid until it's regenerated against a new one. HexSign shows the dependent profiles before you confirm so the blast radius is never a surprise.

1. 1

   Open the certificate's detail page

   Click the certificate from the Certificates list or from the relationship graph.

2. 2

   Review dependents

   The detail page lists every provisioning profile that uses this certificate. Decide which need to be regenerated against a replacement certificate before you revoke.

3. 3

   Confirm revocation

   Click Revoke and confirm. HexSign sends the revoke call to Apple and updates the local copy. The certificate stays in the audit log but moves to the revoked filter.