In iOS projects, certificate-related issues often manifest as follows:

  • Packaging works normally on Computer A
  • Signing fails after switching to Computer B
  • Xcode prompts that the private key is missing or the certificate is invalid

Many people initially think the certificate is incorrect, but the problem usually lies in the composition structure of the certificate.

Without understanding this, the same issue will recur when switching devices, collaborating with colleagues, or integrating with CI.

Why Certificates Don’t Work

iOS certificates are not a single file; they consist of two parts:

  • Public key certificate (the .cer file downloaded from Apple’s backend)
  • Private key (generated locally)

These two parts must exist as a pair.

If only the .cer file is imported to a new computer, the following occurs:

  • The certificate is visible
  • But signing is not possible
  • Xcode prompts that the private key is missing

This is one reason why certificates cannot be used across computers.

The Correct Way for Cross-Computer Usage: P12 Files

To make certificates usable across different computers, export a .p12 file.

A .p12 file contains:

  • The certificate
  • The private key

Export method (macOS):

  1. Open Keychain Access
  2. Find the certificate
  3. Right-click and export
  4. Select .p12 format
  5. Set an export password

Then import this file on another computer.

Common Failure Scenarios

In actual projects, this situation is often encountered:

  • Developer A creates a certificate
  • Sends the .cer file to Developer B
  • B fails to package after importing

The reason is that .cer does not contain the private key.

Therefore, .p12 must be used.

Another Way to Avoid Keychain Dependency

If someone in the team uses Windows or Linux, they cannot use Keychain Access for export.

In this case, complete certificate files can be generated directly in a tool.

For example, using AppUploader (Happy Upload):

  1. Log in to the Apple Developer account
  2. Open “Certificate Management”
  3. Click to add a certificate
  4. Select the type (development or distribution)
  5. Set the certificate name
  6. Set the P12 password

After generation, directly obtain the .p12 file.

This file can be:

  • Imported on any computer
  • Used in CI
  • Avoid private key loss issues
    Create Certificate

A Method for Cross-Computer Certificate Synchronization

If there are many team members, certificates can be managed uniformly.

An executable process is as follows:

Step 1: Uniformly Generate Certificates

Have one person create certificates (or use a tool to generate them).

Step 2: Export P12 Files

Ensure they include the private key.
P12 File

Step 3: Store in a Shared Location

For example:

  • Private Git repository (encrypted)
  • Internal file server
  • CI Secret management

Step 4: Import in Each Environment

On each machine, execute:

  • macOS: Import to Keychain
  • CI: Load certificates via scripts

Provisioning Profiles Also Need Synchronization

After certificates are usable across computers, provisioning profiles also need to be synchronized.

Because packaging depends on:

  • Certificates
  • Provisioning profiles

Provisioning profiles bind:

  • Bundle ID
  • Certificates

If certificates are updated but provisioning profiles are not, signing will fail.

Provisioning profiles can be created and downloaded via AppUploader:

  1. Go to “Provisioning Profile Management”
  2. Create a new provisioning profile
  3. Bind certificates and Bundle ID
  4. Download .mobileprovision

Distribute it together with .p12.
Provisioning Profile

Usage in CI Environments

In CI (e.g., Jenkins / GitLab CI), P12 files can be used directly.

Example process:

  1. Upload .p12 to CI Secret
  2. Import certificates in build scripts
  3. Configure provisioning profiles
  4. Execute packaging

For example, in Fastlane:

import_certificate(
  certificate_path: "cert.p12",
  certificate_password: "password"
)

How to Determine if a Certificate is Complete

After importing on a new computer, a quick verification can be done:

  • Select the certificate in Xcode
  • Signing works normally
  • No prompt for missing private key

If it prompts that the private key is missing, it means a non-P12 file was imported.

The issue of certificates not working across computers is essentially due to the private key not being correctly transferred. When certificates are uniformly managed in .p12 format, such problems can be resolved.

Reference link: https://www.appuploader.net/blog/230