We are a UK-based company who are in the process of renewing an iOS Distribution certificate using the Member Center. We are using 'Keychain Access' to generate a Certificate Signing Request, and submitting that CSR to the Member Center. We intend to use the resulting certificate to provision apps using 'Enterprise' distribution.
The CSR generated by Keychain Access contains the 'GB' country code in the 'Subject' field of the CSR. However, the certificate we receive back from Member Center appears to have the 'Country' field set to 'US'. The same behaviour is observed with both 'Development' and 'Production' certificates. The machine used to generate the CSR is correctly configured in System Preferences to use the 'English' language and 'United Kingdom' region. We have replicated this issue on multiple machines.
Since our old certificate (the one we're trying to renew) has the 'Country' code set to 'GB', we are concerned that the change of country code might affect our ability to provision apps correctly using the certificate, so have the following questions:
- Have any developers outside the US observed similar behaviour when creating certificates?
- Has this behaviour changed in the last 2-3 years (i.e. since we created the original 'GB' certificate)?
- Have any developers outside the US experienced any problems provisioning apps with certificates that have a US country code, using Enterprise Deployment?
Steps to replicate the observed issue:
(using Keychain Access version 9.0 (55161) on OS X Yosemite 10.10.4 and Apple Member Center as at 2015-07-28)
Generate a Certificate Signing Request using Keychain Access:
- Launch Keychain Access.
- Select the 'login' keychain, and make sure no existing keys are selected.
- Choose the Keychain Access -> Certificate Assistant -> Request a Certificate from a Certificate Authority... menu option.
- Specify the User Email Address, Common Name, and select Request is -> Saved to disk.
- Click Continue, and save the Certificate Signing Request to a suitable location.
Confirm that the 'Subject' field in the CSR has a country code of 'GB'
$ openssl req -in CertificateSigningRequest.certSigningRequest -text -noout
Certificate Request:
Data:
Version: 0 (0x0)
Subject: emailAddress=acme.developer@acme.com, CN=Acme, C=GB
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
...Create a new certificate using the CSR
- Go to the Apple Developer Portal's 'Member Center'.
- Select Certificates, Identifiers & Profiles.
- Under iOS Apps, click Certificates.
- Click the + icon to add a new Certificate.
- Under the Development section select iOS App Development.
- Upload the CSR previously created.
- Download the newly-created certificate.
Check the details of the new certificate
$ certtool d ios_development.cer
Serial Number : xxxxx
Issuer Name :
Country : US
Org : Apple Inc.
OrgUnit : Apple Worldwide Developer Relations
Common Name : Apple Worldwide Developer Relations Certification Authority
Subject Name :
Other name : XXXXXXXXX
Common Name : iPhone Developer: XXXXXXXXX (XXXXXXXXXX)
OrgUnit : XXXXXXXXXX
Org : XXXXXXXXXX
Country : USNote the 'Country' field under 'Subject Name' now contains 'US'.