Create Apple Developer Certificate on Linux

10. December 2023

To upload a app to the App Store, you need to create a Developer Certificate. The official Apple guide shows you how to do it easily with a Mac device in its official documentation. But it can be done also without a Mac, using a Linux System, following this guide of a Github user.

How to do it

  1. Generate a private key and certificate signing request: Firs create a private key with openssl
openssl genrsa -out distribution.key 2048

Then you can create a Certificate Sign Request, shortly CSR, using the previously generated private key.
Note: change "" and "Simon Dalvai" with your values.

openssl req -new -key distribution.key -out distribution.csr -subj '/, CN=Simon Dalvai, C=IT'
  1. Upload the CSR to apple at: Choose Production -> App Store and Ad Hoc

  2. Download the resulting distribution.cer, and convert it to .pem format:

openssl x509 -inform der -in distribution.cer -out distribution.pem
  1. Download Apple's Worldwide developer cert from portal and convert it to pem: - Worldwide Developer Relations - G4 (Expiring 12/10/2030 00:00:00 UTC
openssl x509 -in AppleWWDRCAG4.cer -inform DER -out AppleWWDRCAG4.pem -outform PEM
  1. Convert your cert plus Apple's cert to p12 format (choose a password for the .p12).
    Note: use -legacy if using opensssl v3.x . Found on StackOverflow
openssl pkcs12 -export -legacy -out distribution.p12 -inkey distribution.key -in distribution.pem -certfile AppleWWDRCAG4.pem 
  1. Finally, update any Provisioning Profile with the new cert, and download them from dev portal. Now you can also sign any Provisioning Profiles with the new certificate and use them to release apps.

Use in CI/CD like Github Actions

The Developer Certificate and Provisioning Profile can be imported in any CI/CD system, like Github Actions. But most CI/CD systems don't support binary files, so the conversion to base64 is needed.

  1. Create base64 of distribution.p12 Now you can prepare the Developer Certificate for the Github Action.
    Note: use -w 0 to prevent new lines in the resulting base64 string.
base64 distribution.p12 -w 0 > distribution.base64
  1. Add distribution.base64 content to your CI/CD systems secrets

  2. Recreate the file in its binary format

echo -n "$BUILD_CERTIFICATE_BASE64" | base64 --decode -o distribution.p12

The same steps work with any binary file, like the Provisioning Profile.

Every feedback is welcome

Feel free to write me an email at and comment on Mastodon or HackerNews.

Github button Codeberg button mastodon button RSS button Email button