Guidebook-managed branded apps rely on three Apple certificates: a push notification certificate, a distribution certificate, and (for apps using Guidebook ID with Apple Wallet) a Pass Type ID certificate. Each is issued by Apple and is valid for one year, so each needs to be renewed annually.
Who handles renewal depends on the certificate type and on how your app is managed. In most cases, Guidebook renews these on your behalf, but there are scenarios that require action from your team.
Apple push notification certificate
The Apple Push Notification service (APNs) certificate is what allows Guidebook to send push notifications from your app.
- Guidebook-managed apps: Guidebook automatically attempts to generate a new push certificate 30 days before the existing one expires. No action is required from you, provided your Apple Developer account is in good standing. Ask your Account Holder to confirm that there are no pending agreements on your organization's developer account.
- Customer-managed apps: You will need to generate a new push certificate from your Apple Developer account, export it as a .p12 file, and send it to support@guidebook.com along with the password if the file is encrypted. Guidebook will then upload it.
Push notifications continue uninterrupted during renewal. The new certificate is generated and put in place before the old one expires, so users on your live app are unaffected.
If your push certificate is deleted from your Apple Developer account, push notifications will silently stop working even though your app continues to function. If you need to delete or recreate a push certificate, please let Guidebook know first.
iOS distribution certificate
The distribution certificate is what allows Guidebook to sign and publish your app to the Apple App Store. A valid distribution certificate is needed every time Guidebook submits a new app or an update.
- Guidebook-managed apps: Guidebook handles renewal for you. There is no automated renewal for distribution certificates, so this is a manual step taken by our team ahead of your next submission.
- Customer-managed apps: If your team provided Guidebook with your own distribution certificate, you will need to generate a new .p12 file from your Apple Developer account and send it to support@guidebook.com, along with the password if the file is encrypted.
Renewing the distribution certificate does not affect the version of your app already installed on users' devices. The new certificate is used the next time Guidebook submits an update.
Apple allows a maximum of three active distribution certificates per Apple Developer account, shared across all apps under that account. If your account is at the limit, Guidebook will reach out to coordinate revoking an unused certificate before a new one can be created.
When Guidebook generates a new distribution certificate, we do not automatically revoke the old one. You may still be using it with another vendor, or have a copy stored elsewhere in your systems, so we leave it in place for your team to decide. Having more than one active distribution certificate is normal — for example, during a vendor transition — and does not cause any issues. If you would like Guidebook to revoke an old certificate on your behalf, let us know.
Sharing an existing distribution certificate
If your Apple Developer account has reached the three-certificate limit and the one Guidebook has created or has access to is about to expire, follow the steps below to export and send a certificate from your team's account to Guidebook.
A distribution certificate is only usable with its matching private key. The private key lives on the machine where the certificate was originally created, which may belong to a colleague rather than you.
1. Log in to the Apple Developer site and go to Certificates, Identifiers, and Profiles.
2. Click Certificates and look for a certificate of type iOS Distribution.
3. Click the certificate, then click Download.
4. Open the downloaded file. It will open in Keychain Access.
5. In Keychain Access, look for an arrow to the left of the certificate that allows you to expand it. If you can expand it and a private key is shown beneath, skip ahead to step 7.
6. If there is no expandable arrow, or no private key beneath the certificate, ask your team in case someone else holds the private key.
   - If no one on your team has the private key, no further action is needed. Let Guidebook know, and we will create a new certificate for you.
   - If a colleague has the private key, continue with step 7 on their computer.
7. Right-click the certificate and select Export.
8. Save the file to your computer. The format should be Personal Information Exchange (.p12).
9. When prompted, create a password. You will need to share this with Guidebook.
10. If prompted, enter your computer login password as an additional safeguard.
11. Send Guidebook the .p12 file along with the password.
For security, send the .p12 file and the password through separate channels — for example, the file in an email attachment and the password via a secure file-sharing service. Avoid sending both in the same email.
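Before sending, you can confirm that the exported file really contains the private key that matches the certificate and is not about to expire. The script below is an added example, not a Guidebook or Apple tool; the function name p12_check, the P12_PASS and WARN_DAYS variables, and the return codes are this example's own conventions, and it assumes the export holds a single certificate.

```sh
#!/bin/sh
# Added example: pre-flight check for an exported .p12 before sharing it.
# The password is read from the exported environment variable P12_PASS so
# it does not appear on the command line or in the process list.
# Return codes (this example's own convention):
#   0 ok
#   1 file unreadable, wrong password, or no certificate inside
#   2 no private key inside the .p12
#   3 private key does not match the certificate
#   4 certificate expires within WARN_DAYS days (default 30)
p12_check() {
    f=$1; shift   # any remaining arguments go to `openssl pkcs12`
                  # (OpenSSL 3.x may need -legacy for Keychain Access exports)

    # Certificate only. Assumes the first certificate is the one exported.
    cert=$(openssl pkcs12 -in "$f" -passin env:P12_PASS -nokeys "$@" \
           2>/dev/null) || return 1
    cert_pub=$(printf '%s\n' "$cert" | openssl x509 -noout -pubkey \
               2>/dev/null) || return 1

    # Private key only, kept in a shell variable and never written to disk.
    key=$(openssl pkcs12 -in "$f" -passin env:P12_PASS -nocerts -nodes "$@" \
          2>/dev/null) || return 1
    case "$key" in
        *"PRIVATE KEY"*) ;;
        *) return 2 ;;
    esac

    # The certificate is only usable with its matching key: compare the
    # public key embedded in the certificate with the one derived from the key.
    key_pub=$(printf '%s\n' "$key" | openssl pkey -pubout 2>/dev/null) \
        || return 3
    [ "$cert_pub" = "$key_pub" ] || return 3

    # -checkend exits non-zero if the certificate expires within N seconds.
    warn_secs=$(( ${WARN_DAYS:-30} * 86400 ))
    printf '%s\n' "$cert" | openssl x509 -noout -checkend "$warn_secs" \
        >/dev/null 2>&1 || return 4

    return 0
}
```

Export P12_PASS in the shell session first, run `p12_check Certificates.p12`, and unset the variable afterwards.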
Apple Pass Type ID certificate
If your app uses Guidebook ID with Apple Wallet, a separate Pass Type ID certificate is needed to issue Wallet passes. Like the others, it is valid for one year.
For most Guidebook-managed apps, Guidebook generates and renews the Pass certificate automatically each year, with one important condition.
Pass certificate generation requires Admin-level access on your Apple Developer account. If Guidebook only has App Manager access, we will not be able to generate or renew this certificate, and your team will need to provide one for our engineering team to upload.
Guidebook does not currently support Pass certificate management for customer-managed apps, or where Guidebook has only App Manager access. If you are unsure what level of access Guidebook holds on your Apple Developer account, contact support@guidebook.com to discuss this.
If you receive an expiry email from Apple
Apple sends account holders advance warning when a certificate is approaching its expiry date. These emails typically have one of the following subject lines:
- Action Needed Apple Push Services Certificate Expires in 30 Days
- Action Needed: iOS Distribution Certificate
- Action Needed Pass Type ID Certificate Expires in 30 Days
When certificate renewal is blocked, the cause in most cases is a pending agreement on your Apple Developer account. Your first step should be to ask your Account Holder to log in to App Store Connect and check for any unaccepted agreements. Most renewal issues are resolved at this step.
If your Account Holder has confirmed there are no pending agreements, or if you are unsure who your Account Holder is, forward the email to support@guidebook.com and we will help investigate.
If you receive a notification from Guidebook about an expiring or blocked certificate, please action it as soon as possible to avoid an interruption to your live app.
Common reasons renewal can fail
Certain conditions on your Apple Developer account will prevent Guidebook from generating or renewing certificates. The most common are:
- Outstanding Program License Agreements (PLAs): Apple periodically releases updated PLAs. Until your Account Holder accepts these in App Store Connect, no certificates can be generated.
- Expired Apple Developer membership: Apple Developer Program memberships must be renewed each year. If yours has lapsed, the account itself is inactive and no certificate work can proceed until the membership is restored.
- Guidebook access has been revoked or reduced: Guidebook needs the correct role on your Apple Developer account, with access to Certificates, Identifiers, and Profiles. Pass certificate generation specifically requires Admin-level access. If your team has changed our access during a security review or account audit, we will reach out to request the access needed to complete the renewal.
- Distribution certificate limit reached: Apple allows a maximum of three active distribution certificates per Apple Developer account. If the limit is reached, an unused certificate will need to be revoked, or one of your existing certificates shared with Guidebook.
If you are unsure whether any of these blockers apply to your account, your Account Holder is best placed to check directly in App Store Connect. If they confirm everything is in order and you still have questions, contact support@guidebook.com.