How to manage the expiration of an Enterprise Distribution certificate?

Our client has just joined the iOS Developer Enterprise Program. They signed an application (developed by us) with their Enterprise Distribution and successfully installed it on some devices through MDM.

As far as I know, when my non-enterprise distribution certificate expires, I need to renew it. This expiration disables all applications signed with an expired certificate as soon as devices verify the validity of the certificate on Apple's OCSP server.

Alternatively, I can revoke my non-enterprise distribution certificate before the expiration date and ask Apple for a new one. Applications signed with a revoked certificate, such as Ad Hoc beta applications, will be disabled through the same mechanism.

Thus, with my developer program, I cannot have two valid distribution certificates at the same time. Well, as developers, we can live with it.

Can our client have two valid Enterprise Distribution certificates simultaneously with iOS Developer Enterprise?

According to Apple:

Certificate Verification

When you first open the application on the device, the distribution certificate is verified by accessing Apple's OCSP server. If the certificate is revoked, the application is allowed to run. Failure to contact or receive a response from the OCSP server is not interpreted as cancellation. To check the status, the device must be able to reach ocsp.apple.com. See "Network configuration requirements" (page 9).

The OCSP response is cached on the device for the time specified by the OCSP server, from 3 to 7 days. The validity of the certificate will not be checked again until the device has been restarted and the cached response has expired. If a revocation is received at that time, the application will be banned from working. Revoking a distribution certificate will invalidate all applications that you have distributed.

The application will not start if the distribution certificate has expired. Distribution certificates are currently valid for one year. A few weeks before your certificate expires, request a new distribution certificate from iOS DevCenter, use it to create new distribution profiles, and then recompile and distribute updated applications to your users. See "Providing Updated Applications" (page 10).

Am I missing something, or is it possible that employees with potentially hundreds of iOS devices running multiple In-House applications will not be able to open their applications while they wait for pending applications?

+54
ios iphone enterprise
Feb 09 '12 at 18:20
5 answers

This is a problem that we have been facing for the last two years. Internal applications stop working after 1 year. This is a massive exercise for an organization like ours to restore hundreds of applications and redeploy to thousands of devices every year.

For us, this exercise is within a month, when we rebuild all our applications and inform all users about new ones through the distribution channel. However, every year some users have broken applications.

I filed an extension request with Apple (Bug ID #9848075) for this, and I'm still waiting for a response.

EDIT: The above bug is closed. Here is the official answer:

Distribution certificates for the company now last 3 years.

+83
Feb 10 '12 at 10:25

The "missing" link is now http://help.apple.com/iosdeployment-apps/?lang=en#app43ad74a3

A few weeks before the expiration of your certificate, request a new distribution certificate from the iOS Dev Center, use it to create new distribution profiles, and then recompile and distribute updated applications to your users.

The document also describes how to update applications. There are mechanisms you can easily include in your application to provide an update mechanism, for example Hockey: https://github.com/therealkerni/HockeyKit

Quoting the full article:

Certificate Verification

The first time the user opens the application, the distribution certificate is verified by contacting Apple's OCSP server. If the certificate has been revoked, the application is allowed to run. Failure to contact or receive a response from the OCSP server is not interpreted as invalidation. To check the status, the device must have access to ocsp.apple.com. See Network Configuration Requirements.

The OCSP response is cached on the device for a period of time specified by the OCSP server, currently 3 to 7 days. The certificate is not validated again until the device has been restarted and the cached response has expired. If a revocation is received at that time, the application does not work. Revoking a distribution certificate invalidates all applications that you have distributed.

The application does not start if the distribution certificate has expired. Distribution certificates are currently valid for one year. A few weeks before the expiration of your certificate, request a new distribution certificate from the iOS Dev Center, use it to create new distribution profiles, and then recompile and distribute updated applications to your users. See "Providing Updated Applications".

+10
Feb 21 2018-12-21T00:

Apple revised the documentation:

An application does not start if its distribution certificate has expired. Distribution certificates are currently valid for one year, and you can have two certificates at the same time. The second certificate is designed to provide an overlapping period during which you can upgrade your applications before the expiration of the first certificate.

For example, six months before the expiration of your distribution certificate, create a new certificate and use it to update your applications for the next year. To do this, request a new distribution certificate from the iOS Dev Center (do not revoke your first certificate), use it to create new distribution profiles for each of your applications, and then recompile and distribute updated applications to your users. See "Providing Updated Applications".

+4
Jul 11 2018-12-12T00:
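The two answers above both come down to one operational rule: request the second certificate a few weeks before the first one expires, without revoking it. The script below is an added example, not code from the question or from Apple's documentation; it flags a PEM-encoded distribution certificate whose expiry falls inside a chosen lead time, using `openssl x509 -checkend`. The 42-day default lead time and the throwaway self-signed sample certificate are assumptions made here for illustration.

```shell
#!/bin/sh
# Flag a distribution certificate that expires within a renewal lead time.
# Assumed input: a PEM-encoded certificate file (for example exported from
# Keychain Access). `openssl x509 -checkend N` exits non-zero when the
# certificate will have expired N seconds from now.

# Returns 0 (true) when the cert in $1 expires within $2 days, 1 otherwise.
expires_within_days() {
    cert="$1"
    days="$2"
    if openssl x509 -checkend "$((days * 86400))" -noout -in "$cert" >/dev/null 2>&1; then
        return 1   # still valid beyond the lead time
    else
        return 0   # expires inside the window (or has already expired)
    fi
}

# Human-readable notAfter value for the report line.
not_after() {
    openssl x509 -enddate -noout -in "$1" | sed 's/^notAfter=//'
}

# Constructed sample: a self-signed cert valid for 30 days, standing in for an
# Apple-issued distribution certificate (assumption: real ones are not self-signed).
make_sample_cert() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/key.pem" \
        -out "$dir/cert.pem" -days 30 \
        -subj "/CN=iPhone Distribution: Example Corp (constructed)" >/dev/null 2>&1
    echo "$dir/cert.pem"
}

# Print one line per certificate so the check can run from cron or CI.
report() {
    cert="$1"
    lead="$2"
    if expires_within_days "$cert" "$lead"; then
        echo "RENEW NOW: $cert expires $(not_after "$cert") (within $lead days)"
    else
        echo "ok: $cert expires $(not_after "$cert")"
    fi
}

# Usage: ./check_cert.sh [cert.pem] [lead_days]; without arguments it checks
# the constructed sample against an assumed 42-day (six-week) lead time.
CERT="${1:-$(make_sample_cert)}"
report "$CERT" "${2:-42}"
```

Because the OCSP answer is cached for 3 to 7 days on each device, an expired or revoked certificate is not noticed everywhere at once, so the lead time should cover the rollout of rebuilt apps, not just the signing step.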

Note: the hierarchical text below indicates the path to the information that explains the solution. You must expand (click the arrows next to) the elements in the sidebar to see the solution. (Mani, please do not delete this information; it is there to guide the viewer to the solution.)

Current Apple documentation:

Distributing Enterprise Apps for iOS Devices > In-house apps > Certificate validation > Providing updated apps

http://developer.apple.com/library/ios/#featuredarticles/FA_Wireless_Enterprise_App_Distribution/Introduction/Introduction.html

From providing updated applications:

You can have two distribution certificates at the same time; each of them is independent of the other. The second certificate is designed to provide an overlapping period during which you can update your applications before the expiration of the first certificate. When requesting your second distribution certificate from the iOS OCT, make sure that you have not revoked your first certificate.

This is not how to do it, so all of our internal clients do not need to see that this is a rather terrible lack of functionality.

+4
Nov 14 '12 at 20:10

Just a little follow-up.

Original:

"As far as I know, when my non-enterprise distribution certificate expires, I must renew it. This expiration disables all applications signed with the expired certificate as soon as the devices verify the validity of the certificate on Apple's OCSP server."

This is not entirely true, if I understand it correctly. This information is from Apple and, as explained here, suggests otherwise.

What happens if my certificate expires or has been revoked?

...

iOS Distribution Certificate (App Store)

  • If your membership in the iOS Developer Program is valid, your existing apps in the App Store will not be affected. However, you will no longer be able to submit new applications or updates to the App Store.
0
Sep 19 '13 at 21:52