
Obtaining an Installer Certificate from Apple

Overview

Signing flat PKGs and QuickAdd packages allows users to install them on computers that have Apple's Gatekeeper feature set to only allow applications downloaded from the Mac App Store and identified developers. It also ensures that the packages appear as verified to users. Signing these packages requires an installer certificate (.p12) from Apple.

Installer certificates can be obtained from Apple using Xcode or the Apple Developer Member Center. This article explains how to obtain an installer certificate from Apple using Xcode.

Requirements

To obtain an installer certificate from Apple using Xcode, you need:

  • An Apple Developer membership with team Agent privileges in the Apple Developer Program. To enroll in the Apple Developer Program, visit the following website: https://developer.apple.com/programs/
  • A computer with macOS v10.11 or later
  • Xcode 7.3 or later

Procedure

  1. On a computer with macOS v10.11 or later, open Xcode.
  2. Navigate to Xcode > Preferences.
  3. Click the Accounts tab.
  4. If you have not already done so, log in with the Apple ID that is registered in the Apple Developer Program.
  5. Select the appropriate team with the "Agent" role assigned, and click Manage Certificates.

  6. In the window that opens, Control-click (right-click) Developer ID Installer, and select Export.

  7. Enter a name for the .p12 file and the Developer Profile password, and click Save.

Note: The exported installer certificate is valid for five years.
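A preflight check for the exported .p12 before it is uploaded to the JSS, as an added example that is not part of the original article. It confirms that the file holds a Developer ID Installer certificate, its private key, and enough remaining validity; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original article). Function names are
# hypothetical; any sample subject used to exercise them is constructed.
# Assumption: run with the macOS system openssl. OpenSSL 3.x may need
# "-legacy" added to the pkcs12 calls to read a Keychain/Xcode export.

# Emit the leaf certificate stored in the .p12 as PEM.
p12_cert() {  # p12_cert <file.p12> <password>
    P12_PASS="$2" openssl pkcs12 -in "$1" -passin env:P12_PASS \
        -clcerts -nokeys 2>/dev/null
}

# The package-signing certificate has a common name of the form
# "Developer ID Installer: <team name> (<team id>)".
p12_is_installer_id() {  # p12_is_installer_id <file.p12> <password>
    p12_cert "$1" "$2" | openssl x509 -noout -subject 2>/dev/null |
        grep -Eq 'CN ?= ?Developer ID Installer: '
}

# True when the certificate is still valid <days> from now.
p12_valid_for_days() {  # p12_valid_for_days <file.p12> <password> <days>
    p12_cert "$1" "$2" |
        openssl x509 -noout -checkend "$(( $3 * 86400 ))" >/dev/null 2>&1
}

# Run every check and report the first failure on stderr.
p12_preflight() {  # p12_preflight <file.p12> <password> <min-days>
    p12_is_installer_id "$1" "$2" || {
        echo "not a Developer ID Installer certificate, or wrong password" >&2
        return 1
    }
    P12_PASS="$2" openssl pkcs12 -in "$1" -passin env:P12_PASS \
        -nocerts -nodes 2>/dev/null | grep -q 'PRIVATE KEY' || {
        echo "no private key in the file: it cannot sign packages" >&2
        return 1
    }
    p12_valid_for_days "$1" "$2" "$3" || {
        echo "certificate expires within $3 days: renew it first" >&2
        return 1
    }
}
```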

Additional Information

To renew the installer certificate, repeat the above process.

To install a signed QuickAdd package, the System keychain in Keychain Access must contain Apple’s Developer ID Certification Authority intermediate certificate. For instructions on how to obtain this certificate and import it to the System keychain on client computers, see Importing Apple's Developer ID Certification Authority Intermediate Certificate to the System Keychain.

For more information on signing flat PKGs in Composer or signing QuickAdd packages, see the Casper Suite Administrator's Guide.

For more information on distributing applications outside the Mac App Store, see the following documentation from Apple:

https://developer.apple.com/library/mac/documentation/IDEs/Conceptual/AppDistributionGuide/DistributingApplicationsOutside/DistributingApplicationsOutside.html

SOLVED Posted: by clifhirtle

This article is confusing. Is the intent to export an iOS Development certificate or a Mac Installer Distribution certificate? Logic would suggest the latter, the image above suggests the former, and the text does not make any distinction (?).

SOLVED Posted: by martin

You must log in with the Team Agent account in order to create a Developer ID certificate. The admin role does not give you that kind of permission.

SOLVED Posted: by russellwhitford

Great

SOLVED Posted: by swdev

Hi,

As a Team Agent, I always failed in requesting to generate a "Developer ID" certificate: whether I use browser to open developer apple website or using Xcode (attached): either it's from Lion 10.7.5 or Yosemite 10.10.

Any suggestion? I suspect there is something wrong in Apple backend. I have already filed a support actually, and just in initial step communication: still no success

Thanks,
Eko

SOLVED Posted: by jlbrown

This document might need to be updated for El Capitan & Xcode 7.1?

When I click on Developer ID Installer, I don't get a gear menu or a '+':

If I right-click on 'Developer ID Installer', I see 'Export…' but it is greyed out.

I thought I would download the cert from https://developer.apple.com/account/mac/certificate/certificateList.action

But the Download button just gives me a .cer file. I imported this into Keychain, but from there it won't let me export it as a .p12 file.

Any ideas?

Thanks,
James.

SOLVED Posted: by harry.weeden

I'm very interested to know the answer to jlbrown's question. We're having the same issue over here with not being able to export the Developer ID Installer cert as a .p12 file from keychain.

SOLVED Posted: by tradeshiftcorpit

Are these posts monitored by JAMF? It still seems out of date as of jlbrown's question from 2 months ago as I can't get it to work either but for a different reason. Still, this post refers to an outdated version of Xcode.

SOLVED Posted: by coreythomas

We currently have an enterprise developer account and I have enrolled using our existing setup. However, when I try to generate a "developer ID Installer distribution" it is missing. Also, the + button is not there like the screenshots. Also, I noticed that in the account section, it says that I am an agent for iOS but says "join" for Mac. I'm guessing that we aren't set up for the Mac developer program.

Anyone have a clue how to add that?

SOLVED Posted: by cwaldrip

I do get the option to Export from a right-click. Create a password for the cert, and save the file. So there's something else going on with your setup @jlbrown.

I get a .p12 file, and if I upload that to the JSS and enter the cert password, it seems to work (no error). When I save though the field goes back to empty, meaning the field says "Encrypted P12 File". When I download the QuickAdd package it still says it can’t be opened because it is from an unidentified developer.

SOLVED Posted: by liam.wears

I am also having the same error as @cwaldrip

Let me know if you have found a solution!

Thanks

SOLVED Posted: by liam.wears

I was advised by JAMF support to restart Tomcat. This resolved the issue.
Happy days.

SOLVED Posted: by gachowski

I can't export either? Anybody have a solution? I am testing a clean new OS...

C

SOLVED Posted: by gskibum

I'm experiencing the same issue as jlbrown. My export button is greyed out.

Any updates out there?

SOLVED Posted: by Messick

I too have the greyed-out export button. Has anyone made headway on this?

Many thanks

SOLVED Posted: by jhbush1973

The options to export are greyed out for me as well. I was able to get around this by logging in as the agent for our corporate account and downloading the certificate. Importing the certificate into keychain access also imported the private key for signing packages. I was then able to export my certificate and private key as a .p12 from keychain access to sign the JAMF QuickAdd package during user initiated enrollment.

SOLVED Posted: by pier

I just registered to this forum to post the solution that worked for me since there aren't many resources addressing this problem, and as usual neither Xcode nor Apple are of any help.

I found the solution here: https://developer.mozilla.org/en-US/docs/Mozilla/Signing_Mozilla_apps_for_Mac_OS_X

If the "Developer ID" radio button is greyed out you probably have a group account. These types of accounts only allow for the "Agent" role to create Developer IDs.
SOLVED Posted: by jeremysmythe

I am looking into this for my school. I do not have a developer account. Do I need an organizational account or can I use just an individual developer account?

SOLVED Posted: by cwaldrip

You can use an individual account, but you'll be the only one who can sign installers. I tried putting my personal certificate on multiple machines and it didn't work out so well.

SOLVED Posted: by jeremysmythe

Thanks @cwaldrip. I got org account and everything set up.

SOLVED Posted: by jason.bracy

Why would we sign the installer with the Developer ID Installer instead of Mac Installer Distribution? With the Developer ID Installer you need to have the "Apple Developer ID Certification Authority intermediate certificate" installed, so a user trying to install a Quick Add still gets an error... I thought that the whole point of signing the Quick Add is to allow installation with Gatekeeper set to allow from Identified Developers.

SOLVED Posted: by arekdreyer

The images in this article are currently not loading. Thanks!

SOLVED Posted: by rblaas

Any updates on this?

I cannot export the certificate as well.. (Greyed out... )

SOLVED Posted: by jrepasky

I wrote this for documentation purposes so others can easily go about getting the signing cert for Recon. (I believe the option in Xcode is greyed out when you are on a group developer account and not the primary holder of said account.) This is another way to go about it.

First request a certificate from a certificate authority using Keychain Access
Use the Certificate Assistant in Keychain Access to request a certificate from a certificate authority (CA). Taken from instructions here
1. Choose Keychain Access > Certificate Assistant > Request a Certificate From a Certificate Authority.
2. Enter your developer account email address for the user field as well as the CA email address. Choose “Saved to disk” option. (To change the way key pairs are generated, click “Let me specify the key pair information.”)
3. Click Continue. The request for a certificate is saved to your local machine.

Then creating the Developer ID Certificate
Developer ID certificates are used to distribute your app outside of the Mac App Store. You can create up to five Developer ID certificates of each type using your developer account. Important: Only team agents can create additional Developer ID certificates.
To create a Developer ID certificate
1. Sign in to developer.apple.com/account, and click Certificates, IDs & Profiles.
2. In the sidebar, choose OS X from the pop-up menu, and under Certificates, select All.
3. Click the Add button (+) in the upper-right corner.
4. Select Developer ID under Production, and click Continue.
5. Select the certificate type—Developer ID Installer—and click Continue.
6. See the above instructions to create a certificate signing request (CSR) using Keychain Access, and click Continue. (Note: The machine the CSR is created on will be the only one with the private key for signing packages.)
7. Click Choose File.
8. Select a CSR file (with a .certSigningRequest extension), and click Choose.
9. Click Continue.
10. Click Download.
The certificate file appears in your Downloads folder.
To install the Developer ID certificate in your keychain, double-click the downloaded certificate file (with a .cer extension). The Developer ID certificate appears in the My Certificates category in Keychain Access.

When you create the Quickadd.pkg in Recon it should show up in "Sign with:" after the box is checked
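
The CSR route described in the post above, done with openssl instead of Keychain Access, as an added example that is not part of the original post. It shows why a downloaded .cer can only become a .p12 on the machine that holds the CSR's private key; the function names and file paths are hypothetical, and the .cer is assumed to be DER-encoded as downloaded.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical;
# file names, e-mail address and common name are supplied by the caller.

# Step 1: create the private key and the CSR. The key stays on this machine;
# only the .certSigningRequest file is uploaded to the developer portal.
make_csr() {  # make_csr <key.pem> <out.certSigningRequest> <email> <name>
    ( umask 077 && openssl genrsa -out "$1" 2048 2>/dev/null ) &&
    openssl req -new -batch -key "$1" -out "$2" -subj "/emailAddress=$3/CN=$4"
}

# True only when the downloaded .cer (assumed DER) carries the public half
# of the given private key.
cert_matches_key() {  # cert_matches_key <cert.cer> <key.pem>
    cert_pub=$(openssl x509 -inform DER -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Step 2: bundle the issued certificate with its key into a password-protected
# .p12. The password travels through the environment, not the command line.
make_p12() {  # make_p12 <cert.cer> <key.pem> <out.p12> <password>
    cert_matches_key "$1" "$2" || {
        echo "no matching private key for $1: cannot build a .p12" >&2
        return 1
    }
    openssl x509 -inform DER -in "$1" |
        P12_PASS="$4" openssl pkcs12 -export -inkey "$2" -out "$3" \
            -passout env:P12_PASS
}

# True when the .p12 actually contains a private key.
p12_has_key() {  # p12_has_key <file.p12> <password>
    P12_PASS="$2" openssl pkcs12 -in "$1" -passin env:P12_PASS \
        -nocerts -nodes 2>/dev/null | grep -q 'PRIVATE KEY'
}
```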

SOLVED Posted: by ddribeiro

For those where the option to export the certificate as .p12 is grayed out, make sure "My Certificates" is selected under the category section in Keychain Access.

SOLVED Posted: by MacGeek

Under Developing ID Certificate I get to step 4 and there is no option to select Developer ID under production so I tried In-House and Ad Hoc to see where this would end up. I have a Certificate Signing Request on my desktop and went through the process but in Step 7 all I see available is a .certAuthorityConfig file in my Library which I can't see. I did end up with a Mac Developer certificate in Keychain but when I select it in Composer and make my package I'm still getting flagged by Gatekeeper. Can you offer any advice? Thanks!
