Developer Certificates and private keys

I’m trying to establish a development environment on the macOS Mini we have here as a fileserver (2014 Mini running Monterey), as my main development machine (2018 Mini running Catalina) is being a bit flaky. I kept the devloper certs that I installed on the main machine, but after entering them into KeyChain on the fileserver, they were all missing their private key. Re-creating new ones viw my Apple Developer Account, following the AppWrapper instructions, just gives me new certs identical to the old ones - still no private key.

In the end I exported them from Xcode and imported the exports into KeyChain. Suddenly I have private keys.

Now, the information regarding the private keys is incredibly sparse, so I have some basic questions here:

  1. Who is supposed to generate them? Me, or someone else. If it’s me, how do I do that?
  2. How do they get asscociated with a certificate and when does this happen?
  3. Can one private key be used with many certificates?

I’m sure there’ll be other questions.

1 Like

Apple generates the private key and public key when you give them a CSR

The public and private key together make a certificate.

No. A public and private key are a matched set.

That said, the right way to move a certificate from one machine to another is in the form of a .p12 certificate. They include both the public and private key. You should always specify a password so that only someone you know can install and use it to sign their software in your name.

Thanks for the clarifications.

What I get when I follow the procedure inside KeyChain of using the Certificate Assistant to generate a CSR, then upload that from within my Developer Account, is a button which invites me to download my new certificate. This arrives as a .cer file, which I double-click to have installed in KeyChain. But these appear to be missing the private key.

When I asked Xcode to export these, then the result was .p12 files, which on re-impoting to KeyChain gave me a complete certificate. Perhaps some of these steps are not necessary. As it is, though, it seems as if I need to keep Xcode around (at 39Gbytes, rather large), just to sanitise my certificates.

The first time you go through this for each certificate you will get a p12. Subsequent downloads will give you a cer file. The reason is that Apple does not keep the private key. That part belongs to you and you only. Hence the “private” key. There is some fine print on the screen to that effect when you do that process.

Xcode hides a lot of details from you, including recreating certificates and profiles on the fly so it’s possible to always give you what you ask for, but leads to later issues when they might not be on apples servers when they need to be, at least in my experience.

For me, I always use their website and get rid of the certs that Xcode creates, especially the wildcard certs because they cause issues for Xojo.

You need Xcode anyway. Xojo requires some of its command-line tools to function.

I guess one could install only the CLI tools without installing all the IDE.


$ xcode-select --install


$ xcode-select -p



Looking in KeyChain now I see the keys. Looks like the sequence should have beeen:

  1. Initial obtaining of a given cert from Apple, receive that as a .p12, install in KeyChain and use (this would have been three years ago).
  2. Obtain a new cert when the existing one expires. Receive that as a .cer, on my other macOS machine. Export the private key from one Mac to the other, then import both the .cer file and the private key into KeyChain.

Does KeyChain then marry up the new cert and the private key, giing me a complete cert? If so then the process starts to make sense.

In Keychain Access…

select “My Certificates” in the top Tab bar. (Note: this is important, as if you have “All Items” selected, then you’ll see the certificate and private key as separate items. In ‘Certificates’ view the two will be grouped together so you can export as one item.)

From this thread: