Cannot renew an Ad Hoc profile before it expires because no certificate matches the certificate ID

user278859 · Apr 17, 2013

My Ad Hoc profile is about to expire in 14 days. There is a "renew" button for my ad hoc profile in the organizer but when I click it I get...

There are no current certificates on this team matching the provided certificate IDs.

The profile in the provisioning portal shows active, expiring on the 30th. I also see a distribution certificate with the same expiration date. I must assume that this certificate is the one that was used to sign the profile. Is there any way to fix this without revoking and creating a new ad hoc profile and certificate?

If I have to start over, what is the best way to proceed without messing up my testers?

There are a lot of posts and answers on this subject but I can't find any that address this particular problem with the certificate not matching the certificate ID of the profile.

Answer

Bryan Musial · Apr 17, 2013

Ad-Hoc Provisioning Profiles are composed of three main elements:

  • Exactly 1 AppID
  • The Public Key of your Distribution Certificate
  • One or more Registered Test Device IDs

When you first generated this Provisioning Profile (about a year ago if your current one is expiring soon!), you instructed it to use your then current Distribution Certificate when constructing that provisioning profile -- the resulting Ad-Hoc Profile's expiration date is set to match the expiration of the Distribution Certificate as you can't launch an app signed with an expired certificate (Aside: This doesn't necessarily apply in Jailbroken scenarios...)

Your main question of 'Can it be fixed without revoking?' is a solid 'No' -- Even if you could make adjustments, the soon-expiring Distribution Certificate would cause the newly reissued Ad-Hoc Profile to have an expiry matching that of the Distribution Certificate. You'll be back in this same situation in 14 days when both your certificate and Provisioning Profile have expired. Unfortunately at that time you'll also have a new problem: any existing builds you have out to your testers will no longer launch as the signing certificate and provisioning profile will have lapsed.

Instead, these last two weeks are your opportunity to be proactive and get your users migrated to a new build with a new Certificate and Provisioning Profile. With my own testers, I treat the last few weeks of my current Distribution Certificate as a migration window to get builds switched over and get my testers to download and install the latest test build so that they can keep going with their testing. The great news is that you caught your certificates expiring with more than enough time to get things straightened out and get your testers migrated -- some aren't so lucky and have to play catchup after things have expired and have testers shouting about your app crashing/no longer launching...definitely an undesirable outcome for any developer, especially if you are a one-person shop and having to coordinate both development and beta tester communications yourself.

So what do I have to do?

At a high level, doing the migration is nearly identical to getting this Ad-Hoc profile set up the first time -- It just requires cleaning up the old data from your Keychain and Provisioning Profiles as well as sending out some tester emails encouraging your team to upgrade once you make a new build available to them. At a high level this process looks like this:

  1. Revoke your existing Distribution Certificate and reissue a new Distribution Certificate.
  2. Delete the existing Distribution Certificate from your Keychain and install the new one.
  3. Update and install the now 'Invalid' Ad-Hoc profile to use your newly created Distribution Certificate
  4. Update Code Sign Build Settings if necessary.
  5. Construct and issue your Ad-Hoc build to your testers.

Wait -- Won't revoking my existing certificate disrupt my testers?

Nope, not in the least bit! Your existing Ad-Hoc builds will continue to work perfectly well until after the expiration date because they have all the information they need to verify code signatures right inside the Ad-Hoc build you've already sent them. Once the certificate expires, however, things will fail to launch and you'll have screaming testers on your hands.

I'm going to assume that you are using an Individual account, so certificates will appear in the format "iPhone Developer: FirstName LastName" and "iPhone Distribution: FirstName LastName". If you are using a Company Account, then the format will be slightly different. I'm also going to assume that you only have your one account; if you are enrolled in multiple developer accounts, take extra care when searching for and deleting your existing certificates and profiles from Keychain as there may be multiple similar entries.

To begin, quit out of Xcode and then head over to developer.apple.com/ios and log in to the "Certificates, Identifiers & Profiles" area. This was formerly known as the "Provisioning Center".

Revoking and Reissuing the Distribution Certificate

  1. Navigate to the Distribution Certificates Area.
  2. Locate your soon-to-expire Distribution Certificate and revoke it. You'll likely encounter a message informing you that revoking this certificate will invalidate any linked provisioning profiles -- that is entirely expected and OK. In fact, that is exactly what we want it to do so that you can get things updated!
  3. Click the 'Add' button in the upper right corner and walk through the steps to make a new "App Store and Ad Hoc" Distribution Certificate. Download the file to your machine, but don't install it just yet -- we should clean up the old certificate from your Development Machine first.

Deleting the Revoked Certificate and Installing the New Certificate

  1. Open Keychain Access and search for 'iPhone Distribution'.
  2. Delete any blue certificates that match 'iPhone Distribution'. The certificate icon may also show a red 'X' indicating that it is either expired or revoked. These may be cleaned up as well as they are no longer of use.
  3. Double-click the newly downloaded certificate and install it.

Edit the Ad-Hoc Provisioning Profiles

  1. Navigate to the Distribution Provisioning Profiles section and locate your Ad-Hoc Profile.
  2. Edit that profile updating the test device list if necessary.
  3. Click Generate and download the newly created Provisioning Profile. If the Generate button is disabled check that there are no special characters in the Provisioning Profile's name and that you've selected at least one test device.
  4. Drag and drop the newly downloaded provisioning profile on to Xcode. Any old versions of the profile may be deleted from Organizer.

At this point you should be back in business and ready to update Code Sign settings if necessary (that is, if you set them to match a specific profile instead of using the Automatic Profile Selector option you'll need to update that setting to point to the now current version of your Provisioning Profile).

Again, you are fortunate in that you are taking steps to get this issue fixed while your testers are still able to use your app and not having to rush or hurry to get this done. Take your time and make sure to clean up the older certificates and expiring provisioning profiles to make it easier for Xcode to figure out that you want it to use the newest profile.
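
An added example, not part of the answer above or of any Apple tool: a local check of which certificate a profile embeds, whether an installed signing identity matches it, and how many days the profile has left. It assumes the profile was first decoded to a plist with `security cms -D -i <profile>` and that the identity hashes come from `security find-identity -v -p codesigning`; the sample profile, device IDs and certificate bytes are constructed placeholders.

```python
import hashlib
import plistlib
from datetime import datetime


def fingerprint(cert_der):
    """SHA-1 of a DER certificate, formatted like keychain identity hashes."""
    return hashlib.sha1(cert_der).hexdigest().upper()


def audit_profile(plist_bytes, keychain_sha1s, now, warn_days=30):
    """Report expiry and certificate-match problems for a decoded profile."""
    profile = plistlib.loads(plist_bytes)
    # Each DeveloperCertificates entry is one DER-encoded signing certificate.
    embedded = [fingerprint(der) for der in profile.get("DeveloperCertificates", [])]
    installed = {h.upper() for h in keychain_sha1s}
    days_left = (profile["ExpirationDate"] - now).days
    findings = []
    if days_left < 0:
        findings.append("profile expired")
    elif days_left <= warn_days:
        findings.append(f"profile expires in {days_left} days")
    if not installed.intersection(embedded):
        findings.append("no installed identity matches the profile certificate")
    return {
        "name": profile.get("Name"),
        "devices": len(profile.get("ProvisionedDevices", [])),
        "days_left": days_left,
        "embedded_sha1": embedded,
        "findings": findings,
    }


def sample_profile(cert_der, expires):
    """Constructed stand-in for a decoded profile; values are placeholders."""
    return plistlib.dumps({
        "Name": "Example Ad Hoc",
        "ExpirationDate": expires,
        "DeveloperCertificates": [cert_der],
        "ProvisionedDevices": ["0" * 40, "1" * 40],
    })


if __name__ == "__main__":
    now = datetime(2013, 4, 16)
    old_cert, new_cert = b"constructed-old-cert", b"constructed-new-cert"
    keychain = [fingerprint(new_cert)]  # only the reissued certificate installed
    stale = sample_profile(old_cert, datetime(2013, 4, 30))
    fresh = sample_profile(new_cert, datetime(2014, 4, 16))
    print(audit_profile(stale, keychain, now)["findings"])
    print(audit_profile(fresh, keychain, now)["findings"])
```

Run before cutting a build, this flags a profile that still embeds the revoked certificate even when the keychain already holds the reissued one.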