Create certificates

Create app license delivery certificates

App License Delivery (ALD) signing and encryption certificates enable generating app license requests for eligible apps. Authorized alternative app marketplaces can create certificates to distribute their alternative app marketplace and authorized developer apps on their marketplace.

Learn more about alternative app marketplace requirements

  1. In Certificates, Identifiers & Profiles, click Certificates in the sidebar.

  2. On the top left, click the add button (+).

  3. Under Software, select the App License Delivery Certificate, then click Continue.

    1. If you are an authorized alternative app marketplace, select from the pop-up menu's list of Bundle IDs that have been assigned the entitlement, then click Continue.

  4. Create an RSA 3072 certificate signing request using the instructions listed below in Terminal.

  5. Click Choose File and upload a unique CSR for each of the encryption and signing certificates.

    1. Select the certificate request file (a file with a .certSigningRequest file extension), then click Choose.

  6. Click Continue.

  7. Download the encryption and signing certificates and the PASK authorization key, and keep these files secure.

CSR Generation for App License Delivery (ALD) certificates

When creating ALD encryption and signing certificates, you must specify the Key Pair information. Use a command line, such as the Terminal app, to generate your keys and CSRs on your Mac. A unique CSR is required for each certificate. Example commands for creating the required RSA 3072 cryptography assets are listed below. Replace any example information with your own.

openssl genrsa -out ALDencryption.key 3072

openssl req -new -key ALDencryption.key -out csr3072ALDEncrypt.certSigningRequest -subj "/CN=Example Name/C=IE"

openssl genrsa -out ALDsigning.key 3072

openssl req -new -key ALDsigning.key -out csr3072ALDSigning.certSigningRequest -subj "/CN=Example Name/C=IE"

Note: If you get an error from the above commands when generating a CSR, confirm that the expected quotation mark (") format is used and that you have not already generated a key or CSR with the provided name.
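The following shell functions are an added example, not part of the original instructions or any Apple tooling. They wrap the commands above so that existing files are never overwritten, private keys are created owner-readable only, and both CSRs are checked for a 3072-bit key, a valid self-signature and distinct key pairs before upload. The function names are assumptions; file names and subject values are the page's examples, written in OpenSSL's /type=value subject form.

```shell
#!/bin/sh
# Added example: create and check the two ALD key/CSR pairs.
# File names and subject values are the page's examples; the function
# names are assumptions made for this sketch.

# make_pair KEYFILE CSRFILE SUBJECT
# Generates an RSA 3072 key and its CSR; never overwrites existing files.
make_pair() {
    if [ -e "$1" ] || [ -e "$2" ]; then
        echo "refusing to overwrite $1 or $2" >&2
        return 1
    fi
    # umask 077 in a subshell: the private key is readable by its owner only.
    ( umask 077 && openssl genrsa -out "$1" 3072 ) &&
        openssl req -new -key "$1" -out "$2" -subj "$3"
}

# csr_bits CSRFILE: print the public key size recorded in the CSR.
csr_bits() {
    openssl req -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# csr_pubkey CSRFILE: print the CSR's public key in PEM form.
csr_pubkey() {
    openssl req -in "$1" -noout -pubkey
}

# check_csrs ENC_CSR SIGN_CSR
# Succeeds only if both CSRs carry a valid self-signature and a 3072-bit
# key, and the two CSRs were made from different keys.
check_csrs() {
    for c in "$1" "$2"; do
        openssl req -in "$c" -noout -verify 2>&1 | grep -q "verify OK" ||
            { echo "$c: self-signature check failed" >&2; return 1; }
        [ "$(csr_bits "$c")" = "3072" ] ||
            { echo "$c: key is not 3072 bits" >&2; return 1; }
    done
    [ "$(csr_pubkey "$1")" != "$(csr_pubkey "$2")" ] ||
        { echo "both CSRs use the same key" >&2; return 1; }
}

# Usage, from an empty working directory:
#   make_pair ALDencryption.key csr3072ALDEncrypt.certSigningRequest "/CN=Example Name/C=IE"
#   make_pair ALDsigning.key csr3072ALDSigning.certSigningRequest "/CN=Example Name/C=IE"
#   check_csrs csr3072ALDEncrypt.certSigningRequest csr3072ALDSigning.certSigningRequest
```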