How to renew "Developer ID Application" certificate?

How do you renew a "Developer ID Application" certificate?

Should there be a "renew" button on the expiration date? Or can you renew it sooner?

Or are you required to create a new certificate?

Does this count against your limit of five Developer ID Application certificates?

I thought there was a way to renew it, but I don't see that option. I also couldn't find any Apple documentation about how to renew, only how to create and how there's a limit to how many you can create.

Answered by DTS Engineer in 876716022

There isn’t a specific affordance for renewing certificates. Rather, you simply create a new one. That’s the same for all our code-signing certificate types.

For Developer ID I generally do this using the Developer website rather than Xcode. That’s because Developer ID certificates are precious, as I explain in The Care and Feeding of Developer ID.

When you create a certificate using the website, you supply a certificate signing request (CSR). This includes the public key that’ll be embedded in the certificate, the one that matches your private key so that, when the website issues your certificate, the certificate and the private key form a code-signing identity.

That gives you two choices:

  • You can create a new CSR, containing the public key from a newly generated key pair.
  • You can reuse the CSR you used previously.

Note From a certain perspective, you could interpret the first option as ‘creating a new certificate’ and the second option as ‘renewing a certificate’, but that’s a bit of a stretch.

I prefer the second option because it means that my new certificate will match with my existing private key, which makes key management easier. However, the first option is equally valid.

If you’d like to use the first option but you didn’t keep the CSR you submitted the first time around, you can re-create that CSR using Certificate Assistant:

  1. Launch Keychain Access.
  2. Select your existing Developer ID private key.
  3. Choose Keychain Access > Certificate Assistant > Request a Certificate from a Certificate Authority with “Developer ID …” [1].
  4. In Certificate Assistant, select the “Saved to disk” option and click Continue.

IMPORTANT Well, blah, that used to work. Sadly, Certificate Assistant has suffered significant bit rot in recent years, and this process fails at the last step, at least on macOS 26.2. I tried it on macOS 15 and it works there, suggesting it’s a macOS 26 regression (r. 166623378).

Does this count against your limit of five Developer ID Application certificates?

I’ve not looked into the exact mechanics of this, but I don’t believe it does. My understanding is that the limit applies to unexpired Developer ID Certificates.

Remember that an expired Developer ID certificate can’t be used to sign code because of the secure timestamp requirement. TN3161 Inside Code Signing: Certificates has more details on that.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] Definitely a strong candidate for the longest menu title in macOS (-:
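The answer above turns on the CSR carrying the public key that matches your private key. The following is an added example, not part of the original answer: an OpenSSL check that a saved CSR, and later the issued certificate, belong to a given private key before you rely on them. It assumes all three are available as PEM files; the file names, the subject and the self-signed stand-in certificate are constructed for the demo.

```shell
#!/bin/sh
# Added example: confirm that a CSR and a certificate carry the public key of a
# given private key. All files below are constructed samples in a temp directory.

# Print the PEM public key held in a file of the given kind: key, csr or cert.
pubkey_of() {
    case $1 in
        key)  openssl pkey -in "$2" -pubout ;;
        csr)  openssl req  -in "$2" -noout -pubkey ;;
        cert) openssl x509 -in "$2" -noout -pubkey ;;
        *)    return 2 ;;
    esac 2>/dev/null
}

# Succeed only when both files yield the same, non-empty public key.
# usage: same_pubkey KIND_A FILE_A KIND_B FILE_B
same_pubkey() {
    a=$(pubkey_of "$1" "$2") || return 1
    b=$(pubkey_of "$3" "$4") || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# A CSR is signed with the private key it was made from; check that signature.
csr_self_signed() {
    openssl req -in "$1" -noout -verify 2>&1 | grep -q "verify OK"
}

# Constructed sample: two RSA keys, a CSR for the first, and a self-signed
# certificate standing in for the one the website would issue from that CSR.
make_sample() {
    openssl genrsa -out "$1/old.key" 2048 2>/dev/null
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null
    openssl req -new -key "$1/old.key" -subj "/CN=Constructed Sample" \
        -out "$1/old.csr" 2>/dev/null
    openssl req -x509 -new -key "$1/old.key" -subj "/CN=Constructed Sample" \
        -days 1 -out "$1/old.cer" 2>/dev/null
}

work=$(mktemp -d)
make_sample "$work"
if csr_self_signed "$work/old.csr"; then echo "CSR signature: OK"; fi
if same_pubkey csr "$work/old.csr" key "$work/old.key"; then
    echo "old.csr matches old.key: reusing it keeps the same key pair"
fi
if ! same_pubkey csr "$work/old.csr" key "$work/other.key"; then
    echo "old.csr does not match other.key"
fi
if same_pubkey cert "$work/old.cer" key "$work/old.key"; then
    echo "certificate and old.key form an identity"
fi
rm -rf "$work"
```
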
