iOS

    iOS Distribution Certificate Expired: Renew Guide

    An expired iOS distribution certificate being replaced with a new one in the Apple developer portal, with the private key shown in Keychain Access.

    When an iOS distribution certificate expires, you do not renew or extend it, because Apple certificates cannot be extended; instead you create a new certificate and regenerate the provisioning profiles that used the old one. The good news for the common worry is that your apps already on the App Store are not affected by an expired distribution certificate, so they keep running and stay available; you simply cannot upload new builds until you have a valid certificate again. In-house enterprise and ad hoc builds are different: apps signed with the expired certificate stop running, so you must ship a new version signed with a new certificate. You also need the certificate's private key from your Keychain to sign at all, so if that key is missing you create a new certificate.

    Short answer

    An expired distribution certificate is replaced, not renewed, and it does not take your live apps down. Per Apple's certificates support, an expired certificate cannot be extended, so you create a new one, and apps already on the App Store are unaffected while your membership is valid, though you cannot upload new builds signed with the expired certificate. Enterprise and ad hoc apps signed with it do stop working. To sign, your Keychain must contain the certificate, its private key, and the WWDR intermediate certificate, per Apple's code signing support. The simplest path is to let Xcode automatic signing, Fastlane match, or Expo EAS create the new certificate and profiles for you.

    Will my current apps break?

    For App Store apps, no, which is the reassurance most people are looking for. An expired distribution certificate does not affect apps already on the App Store, so your published apps keep working and stay downloadable as long as your Apple Developer Program membership is valid. What you lose is only the ability to upload new apps or updates signed with the expired certificate, so the impact is on shipping new builds, not on the apps users already have.

    Enterprise and ad hoc distribution are the exception, and there the answer is yes. For in-house apps distributed with an enterprise certificate, and for ad hoc builds, apps signed with an expired certificate stop running for users, because those distribution types validate the signing certificate on the device. So if you distribute outside the App Store, an expired certificate does break installed apps, and you have to distribute a new version signed with a new certificate to restore them. That difference by distribution type is the key thing to know first.

    You create a new certificate, not renew it

    Because Apple certificates cannot be extended, renewing an expired distribution certificate really means creating a new one, which is where the revoke question comes in. You generate a new certificate, and as part of tidying up you can revoke the old expired one in the developer portal. Revoking is a separate action from expiry: a certificate that has already expired is invalid anyway, but revoking is also how you invalidate a still-valid certificate early, for example if it was compromised, or how you free a slot, since Apple limits how many distribution certificates an account can have.

    So think of it as replace, with revoke as a housekeeping step rather than the fix itself. If you are at the certificate limit and need to create a new one, revoking an old certificate makes room. Revoking a distribution certificate used for the App Store does not break your live apps for the same reason expiry does not, but revoking a certificate used for enterprise or ad hoc distribution invalidates the apps signed with it immediately. So revoke deliberately, understanding which distribution type the certificate serves.

    Certificates, profiles, and keys

    It helps to keep three things straight, because an expiry touches all of them. The certificate is your signing identity, proving builds come from you. A provisioning profile ties together an app ID, one or more certificates, and, for non-App-Store distribution, a set of devices and capabilities. The private key is the secret half of the certificate, held in your Keychain, that actually signs the build. Signing needs the certificate and its matching private key together.

    When the certificate changes, the profiles that referenced it are no longer valid for signing, so regenerating the certificate is only half the job; you also regenerate the provisioning profiles so they point at the new certificate. This is why a certificate expiry often surfaces first as a profile or signing error in your build. So after creating the new certificate, refresh your profiles, which automatic tooling does for you, and your build has a consistent certificate and profile pair again.

    The private key and Keychain

    To use any certificate you need its private key, and that key lives in your login Keychain from when you generated the certificate signing request. Signing fails without it, so your Keychain must contain the certificate, its private key, and the WWDR intermediate certificate that chains your certificate to Apple. If any of those is missing, code signing cannot complete, which is a common cause of signing errors that look like a certificate problem.

    This is also why the private key is the thing to protect. If you lose the private key, the certificate is unusable and you simply create a new certificate rather than trying to recover the old one. To move signing to another Mac or to a continuous integration server, export the certificate together with its private key as a .p12 file from the Keychain Access app, and keep that .p12 backed up securely. Managing the key well is what prevents an expiry from becoming a scramble.

    How to renew via Xcode

    The easiest route is Xcode's automatically managed signing, which handles the replacement for you. With automatic signing enabled for your target, Xcode detects the expired certificate, creates a new distribution certificate under your account, and regenerates the matching provisioning profiles, so you often just build again and Xcode sorts out the identity. This is the least error-prone path for most developers.

    If you manage signing manually, you do the same steps by hand in the developer portal: revoke the old certificate if needed, create a new certificate signing request from Keychain Access, use it to create a new Apple Distribution certificate, download and install it, and then regenerate your provisioning profiles to use the new certificate. Either way the outcome is a fresh certificate and refreshed profiles. So unless you have a reason to manage signing manually, letting Xcode manage it turns a certificate expiry into a rebuild.

    Fastlane and Expo EAS

    If you build in a pipeline, your tooling manages certificates so you do not do it by hand each time. Fastlane match stores your certificates and profiles centrally, typically in an encrypted git repository, and regenerates them across machines; when a certificate expires, match can recreate the certificate and profiles, and its nuke command revokes and recreates them cleanly when you need a fresh start. This keeps every machine and CI runner using the same, current signing identity.

    Expo EAS handles credentials for you as well, managing your distribution certificate and provisioning profiles for EAS builds and renewing them as part of the build when they expire, so a managed Expo project often needs no manual certificate work. So in both Fastlane and EAS setups, the certificate expiry is handled by the tool rather than by editing the portal, and your job is to run the build or the credential command and let it produce a valid certificate and profile.

    Cause and fix at a glance

    Matching the symptom to the fix keeps this quick. The table below maps common cases.

    SymptomCauseFix
    Cannot upload a new buildDistribution certificate expiredCreate a new certificate
    Signing fails, key not foundPrivate key missing from KeychainImport the .p12 or make a new certificate
    Enterprise or ad hoc app stoppedCertificate expired for that buildShip a new build with a new certificate
    At the certificate limitToo many distribution certificatesRevoke an old one, then create a new one
    Profile invalid after new certProfile references the old certificateRegenerate the provisioning profiles

    Read the last row as a reminder: after a new certificate, refresh the profiles, or signing still fails.

    Renewal checklist

    Working through these steps restores signing safely. The checklist below covers them.

    StepActionDone?
    Confirm the impactApp Store apps are fine; enterprise and ad hoc break[ ]
    Create a new certificateReplace the expired one, revoking if needed[ ]
    Check the private keyEnsure the Keychain has the key and WWDR cert[ ]
    Regenerate profilesPoint provisioning profiles at the new certificate[ ]
    Rebuild and re-signProduce a fresh build with the new identity[ ]
    Verify and uploadConfirm the signature, then submit[ ]

    The step teams skip most is regenerating the provisioning profiles, since a new certificate leaves the old profiles invalid and signing keeps failing until they are refreshed.

    Where a scan fits

    Renewing a certificate is a signing and pipeline task, but the build you re-sign afterward is worth a security check, which is independent of the signing itself.

    A scanner like PTKD.com analyzes your app build for security issues such as exposed keys, over-broad permissions, and risky third-party code, mapped to OWASP MASVS. To be clear about the boundary: PTKD does not create or manage your certificates, which are your Apple signing setup. Since a certificate expiry means rebuilding and re-signing, it is a natural moment to scan the resulting binary, so you ship a build that is both correctly signed and checked for security.

    What to take away

    • You cannot renew or extend an expired iOS distribution certificate; you create a new one and regenerate the profiles that used it.
    • Apps already on the App Store are not affected by an expired distribution certificate, so they keep working; you only lose the ability to upload new builds.
    • Enterprise and ad hoc apps signed with the expired certificate do stop working, so you must ship a new version signed with a new certificate.
    • Signing needs the certificate's private key from your Keychain plus the WWDR intermediate, so back up the private key as a .p12 and create a new certificate if the key is lost.
    • Let Xcode automatic signing, Fastlane match, or Expo EAS create the new certificate and profiles, and use a tool like PTKD.com to scan the rebuilt binary.
    • #ios
    • #distribution certificate
    • #code signing
    • #keychain
    • #provisioning profile

    Frequently asked questions

    How do I renew an expired iOS distribution certificate?
    You do not renew it, because Apple certificates cannot be extended; you create a new distribution certificate and regenerate the provisioning profiles that used the old one. The easiest way is Xcode automatically managed signing, which detects the expired certificate, creates a new one, and refreshes the profiles for you. To do it manually, revoke the old certificate if needed, create a certificate signing request from Keychain Access, use it to create a new Apple Distribution certificate in the developer portal, download it, and regenerate your provisioning profiles to point at the new certificate.
    Will my App Store apps break if my distribution certificate expires?
    No. Apps already on the App Store are not affected by an expired distribution certificate as long as your Apple Developer Program membership is valid, so they keep running and stay downloadable. What you lose is only the ability to upload new apps or updates signed with the expired certificate. The exception is enterprise in-house and ad hoc builds: apps signed with an expired certificate stop running for users, because those distribution types validate the certificate on the device, so you must ship a new version signed with a new certificate.
    Should I revoke or renew my certificate?
    There is no renew option, so you create a new certificate; revoking is a separate action. An already-expired certificate is invalid anyway and does not strictly need revoking, but you can revoke the old one to tidy up, or to free a slot, since Apple limits how many distribution certificates an account can have, so revoking an old one makes room for a new one. Be careful: revoking a certificate used for enterprise or ad hoc distribution immediately invalidates the apps signed with it, while revoking one used for the App Store does not affect your live apps.
    What role does the Keychain and private key play?
    Signing needs the certificate and its matching private key together, and that private key lives in your login Keychain from when you generated the certificate signing request. Your Keychain must contain the certificate, its private key, and the WWDR intermediate certificate that chains your certificate to Apple, or code signing fails, which often looks like a certificate problem. If you lose the private key, the certificate is unusable and you create a new one. To move signing to another Mac or a CI server, export the certificate with its private key as a .p12 file from Keychain Access and back it up.
    Do I need to regenerate provisioning profiles after a new certificate?
    Yes. A provisioning profile references specific certificates, so when you create a new certificate the old profiles no longer sign successfully, and regenerating the certificate is only half the job. You also regenerate the provisioning profiles so they point at the new certificate, giving your build a consistent certificate and profile pair. Automatic tooling does this for you: Xcode managed signing, Fastlane match, and Expo EAS all refresh the profiles alongside the certificate, which is why a certificate expiry that surfaces as a profile error is resolved by refreshing both.
    How do Fastlane and Expo EAS handle certificate expiry?
    They manage certificates for you so you do not edit the portal by hand. Fastlane match stores your certificates and profiles centrally, usually in an encrypted git repository, and regenerates them across machines; when a certificate expires, match can recreate the certificate and profiles, and its nuke command revokes and recreates them cleanly for a fresh start. Expo EAS manages your distribution certificate and provisioning profiles for EAS builds and renews them as part of the build when they expire, so a managed Expo project often needs no manual certificate work at all.

    Keep reading

    Scan your app in minutes

    Upload an APK, AAB, or IPA. PTKD returns an OWASP-aligned report with copy-paste fixes.

    Try PTKD free