Create Apple Developer Certificates on Windows

Microsoft App Center supports building an iOS application in release mode for devices. This build can then be submitted to the App Store. I have found this useful as I do most of my development on a Windows machine, and then do the final release build on App Center. I recently had an issue where I was away from my office, meaning I did not have access to the Mac my Windows machine uses for local app builds, setting up Apple Developer certificates / provisioning profiles etc. I needed to do a build in App Center, but the Distribution certificate had expired. I had to renew it, but I only had my Windows system available. As such, I had to figure out how to do this only from Windows. This post is an explanation of that process.

Generate a Certificate Signing Request (CSR) 

In Windows, open the Start menu, and type in run, then choose to open the Run application. 

In the Run application, type mmc and click OK. This will open the Microsoft Management Console (MMC). You may have to grant permissions first for it to run. 

Once it starts up, click on File -> Add/Remove Snap-In… or press CTRL + M. 

In the dialog that appears, select Certificates, then click on Add >.

In the dialog that appears, select Computer account and click the Next > button. 

Leave Local computer selected and click Finish at the next dialog window. 

You will see Certificates move to the panel on the right. Next click the OK button. 

You will now see Certificates (Local Computer) listed under Console Root. Click on the drop-down arrow to reveal Personal. Click on Personal’s drop-down arrow to reveal Certificates, and then click on Certificates. You will see any currently installed certificates in the panel on the right. 

Right click somewhere in the blank space in the right panel and select All Tasks -> Advanced Operations -> Create Custom Request…

A Wizard dialog will appear. Click Next on the Before You Begin screen. Leave the Custom Request as Proceed without enrolment policy and click Next.

You can leave the next screen with its default values as well and click Next.

On the overview screen, click the small drop-down to view the request details, and then click on Properties.

Under Friendly name, enter something to describe the certificate, then click Subject.

Click the dropdown in Subject name to select a subject and fill in the value in the Value text box. Then click Add. You will need to add all the following values: 

  • Common Name (CN): The registered organizational name that the certificate will be issued to.
  • Organization (O): The registered organizational name the certificate belongs to. If the company or department has an &, @, or any other symbol using the shift key in its name, the symbol must be spelled out or omitted, to enrol. For example: “XY & Z Corporation” would be “XYZ Corporation” or “XY and Z Corporation”. 
  • Organizational Unit (OU): The department within the organization. 
  • State (S): The business registered state or province. Do not abbreviate the state or province name, for example: California not CA. 
  • Locality (L): The business registered location/city (not the actual server location). 
  • Country/region (C): The two letter ISO country code. 

Note: There is example text in the screen recording as it is just for demonstration purposes. You must use the correct values when generating your certificate request. 

Once all the values have been added, click on the Private Key tab. 

Click the dropdown for Key options, set the Key size to 2048 and tick the checkbox for Make private key exportable; this is what later allows the private key to be exported together with the certificate. Next, click the drop-down for Select Hash Algorithm and change the Hash Algorithm to sha256. Finally, click OK.

Back at the Certificate Information screen, click Next.

Click Browse and give the file a name and select somewhere to save it. Ensure Base 64 is selected and click Finish.

The CSR file will be saved at the file location and with the file name you just set.  
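
The same request can also be produced from an elevated PowerShell prompt with certreq, the built-in Windows tool that reads the wizard's choices from an INF file. This is an added example, not part of the original post; the subject values, friendly name and file names are placeholders.

```powershell
# Added example: scripted equivalent of the MMC "Create Custom Request" wizard.
# Run elevated, because the key pair is created in the Local Computer store.
# Subject values, friendly name and file names are placeholders; use your own.
$inf = Join-Path $env:TEMP 'apple-dist.inf'
$csr = Join-Path $env:TEMP 'apple-dist.csr'

# Single-quoted here-string so "$Windows NT$" is written literally.
@'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN=Example Org, O=Example Org, OU=Mobile, S=California, L=San Francisco, C=US"
FriendlyName = "Apple Distribution (placeholder)"
ProviderName = "Microsoft Software Key Storage Provider"
KeyAlgorithm = RSA
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
HashAlgorithm = sha256
RequestType = PKCS10
'@ | Set-Content -Path $inf -Encoding ASCII

# Generate the key pair and write the Base64-encoded request.
certreq.exe -new $inf $csr
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }

# Check the request before uploading it: dump it and confirm key size and hash.
$dump = certutil.exe -dump $csr | Out-String
if ($dump -notmatch '2048')       { throw 'Request does not contain a 2048-bit key.' }
if ($dump -notmatch '(?i)sha256') { throw 'Request is not signed with SHA-256.' }
Write-Host "CSR written to $csr"
```

The private key never leaves the machine at this point; only the .csr file is uploaded to Apple.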

Create the certificate in the Apple Developer portal 

Sign into the Apple Developer portal and click on Certificates, Identifiers & Profiles.

Certificates should load first, but if it does not, click on Certificates, and then the blue + icon. 

Select the type of certificate you want to create. For this example, I am choosing Apple Distribution, as that is what is required to distribute apps on the App Store. Next, click on Continue.

On the next page, select Choose File and upload the file you previously generated. Then click Continue.

On the next page, you will be able to download your certificate. Click the Download button. 

Importing the certificate 

Back in MMC, right-click again in the blank area on the right-hand side window, select All Tasks -> Import…

Click Next on the Welcome page, and then select Browse and find the certificate file you downloaded from the Apple Developer portal. Then click Next.

Ensure Place all certificates in the following store is set and the Certificate store is set to Personal. Then click Next.

On the final screen, click Finish.

You will now see the certificate in your Personal certificate store.

Exporting the certificate 

You will likely need to export the certificate to use it for signing your application. You should also store a backup of your certificate, together with its private key.

To export the certificate, right-click on it within MMC and select All Tasks -> Export… 

On the Welcome screen, click Next. Ensure you select Yes, export the private key, and then click Next again. 

Ensure all the following options are selected, and then click Next:

  • Personal Information Exchange 
  • Include all certificates in the certification path if possible 
  • Export all extended properties 

Select the checkbox to set a password for the private key, enter a password and set the encryption to TripleDES-SHA1, then click Next. This password is what protects the private key inside the exported file, so choose a strong one.

Click Browse and enter a file name and location to save your file. Then click Next.

On the final page, click Finish.

You will see that the file name ends in .pfx. Some applications require a .p12 file instead. This is the same thing as a .pfx file, so just rename the file and it will work.
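
The export can also be done and checked from an elevated PowerShell prompt. This is an added example, not part of the original post; the thumbprint and output path are placeholders, and it exports only the certificate and its key rather than the full certification path.

```powershell
# Added example: verify the imported certificate, export it, and re-read the file.
# Run elevated. The thumbprint and output path are placeholders.
$thumb = '<THUMBPRINT-OF-IMPORTED-CERTIFICATE>'
$pfx   = Join-Path $env:USERPROFILE 'apple-dist.pfx'

$cert = Get-Item -Path "Cert:\LocalMachine\My\$thumb" -ErrorAction Stop

# A certificate that is not linked to its private key cannot be used for signing.
if (-not $cert.HasPrivateKey) {
    throw 'Certificate is not linked to a private key in this store.'
}
if ($cert.NotAfter -lt (Get-Date)) {
    throw "Certificate expired on $($cert.NotAfter)."
}

# Prompt for the password so it never appears in the script or shell history.
$pw = Read-Host -Prompt 'PFX password' -AsSecureString

# TripleDES_SHA1 matches the wizard choice in the post; the parameter is only
# present on recent Windows builds. EndEntityCertOnly exports the certificate
# and key without the chain (assumption: the consumer does not need the chain).
Export-PfxCertificate -Cert $cert -FilePath $pfx -Password $pw `
    -ChainOption EndEntityCertOnly -CryptoAlgorithmOption TripleDES_SHA1 | Out-Null

# Re-open the file with the same password to confirm it is readable and complete.
$data = Get-PfxData -FilePath $pfx -Password $pw
$leaf = $data.EndEntityCertificates | Where-Object Thumbprint -eq $cert.Thumbprint
if (-not $leaf) { throw 'Exported PFX does not contain the expected certificate.' }

# Same container under the .p12 name, for tools that insist on that extension.
Copy-Item -Path $pfx -Destination ([IO.Path]::ChangeExtension($pfx, '.p12'))
Write-Host "Exported $($leaf.Subject) to $pfx"
```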
