470
votes

I have created certificate to enable Push Services in my app, but every time I try to add certificate in my Keychain, after adding certificate it shows me following error:

This certificate has an invalid issuer

enter image description here

13
Note to people voting to close: This is on-tropic because it is about a TOOL that PROGRAMMERS use.Ian Ringrose
Readers should note that this problem is not specific for Push Services, but is found equally for expired iOS and Mac Developer and Distribution certificates. (The solutions work equally well for these.)David
Congrats on most relevant question, this Q is linked to by industry-standard CI tool for iOS fastlane during the step for downloading code signing identities called Match.Sajjon

13 Answers

621
votes

I think I've figured this one out. I imported the new WWDR Certificate that expires in 2023, but I was still getting problems building and my developer certificates were still showing the invalid issuer error.

  • In keychain access, go to View -> Show Expired Certificates. Then in your login keychain highlight the expired WWDR Certificate and delete it.
  • I also had the same expired certificate in my System keychain, so I deleted it from there too (important).

After deleting the expired certificate from the login and System keychains, I was able to build for Distribution again.

254
votes
  1. Download https://developer.apple.com/certificationauthority/AppleWWDRCA.cer and double-click to install to Keychain.
  2. Select "View" -> "Show Expired Certificates" in Keychain app.
  3. Confirm "Certificates" category is selected.

    enter image description here

  4. Remove expired Apple Worldwide Developer Relations Certificate Authority certificates from "login" tab and "System" tab.


Here's Apple's answer.

Thanks for bringing this to the attention of the community and apologies for the issues you’ve been having. This issue stems from having a copy of the expired WWDR Intermediate certificate in both your System and Login keychains. To resolve the issue, you should first download and install the new WWDR intermediate certificate (by double-clicking on the file). Next, in the Keychain Access application, select the System keychain. Make sure to select “Show Expired Certificates” in the View menu and then delete the expired version of the Apple Worldwide Developer Relations Certificate Authority Intermediate certificate (expired on February 14, 2016). Your certificates should now appear as valid in Keychain Access and be available to Xcode for submissions to the App Store.

https://forums.developer.apple.com/thread/37208

159
votes

This is not actually a development issue. It happens due to expiration of the Apple Worldwide Developer Relations Intermediate Certificate issued by Apple Worldwide Developer Relations Certificate Authority. WWDRCA issues the certificate to sign your software for Apple devices, allowing our systems to confirm that your software is delivered to users as intended and has not been modified.

To resolve this issue, you have to follow the below steps:

  1. Open Keychain Access
  2. Go to View -> Show Expired Certificates

Enter image description here

  1. Go to System in Keychain Enter image description here

  2. Here you find that "Apple Worldwide Developer Relations Certificate Authority" is marked as expired. So delete it. Also check under Login Tab and delete expired WWDRCA.

  3. Download new WWDR Intermediate Certificate from here(The renewed Apple Worldwide Developer Relations Certification Intermediate Certificate will expire on February 7, 2023).

  4. Install it by double clicking on it.

If you still face any issue with your iOS apps, Mac apps, Safari extensions, Apple Wallet and Safari push notifications, then please follow this link of expiration.

The Apple Worldwide Developer Relations Certification Intermediate Certificate expires soon and we've issued a renewed certificate that must be included when signing all new Apple Wallet Passes, push packages for Safari Push Notifications, and Safari Extensions starting February 14, 2016.

While most developers and users will not be affected by the certificate change, we recommend that all developers download and install the renewed certificate on their development systems and servers as a best practice. All apps will remain available on the App Store for iOS, Mac, and Apple TV.

101
votes

Here is how we fixed this.

Step 1: Open Keychain access, delete "Apple world wide Developer relations certification authority" (which expires on 14th Feb 2016) from both "Login" and "System" sections. If you can't find it, use “Show Expired Certificates” in the View menu.

Step 2: Download this and add it to Keychain access -> Certificates (which expires on 8th Feb 2023).

Step 3: Everything should be back to normal and working now.

Reference: Apple Worldwide Developer Relations Intermediate Certificate Expiration

37
votes

In Apple's Developer's portal, add a new certificate, and when asked "What type of certificate do you need?" choose "WorldWide developer relations certificate". Generate the new certificate, download and install. The moment you do that, you will no longer see the message you have described.

Edit:
The certificate can be downloaded from the following page: https://www.apple.com/certificateauthority/ You can choose one of the following two certificates: "WWDR Certificate (Expiring 02/07/23)" or "WWDR Certificate (Expiring 02/14/16)"

32
votes

Follow the below steps:

  1. Download and install from here. Double click and install it.
  2. Select "View" -> "Show Expired Certificates" in Keychain app.
  3. Remove Apple Worldwide Developer Relations Certificate Authority certificates from "login" tab and "System" tab in Keychain app.

If you don't find your WWDR certificate in Login or System tab, then select category "All items" on the left side. Most probably you will get to see an expired WWDR certificate here, and you can remove it. An expired certificate is always shown with a red asterisk.

28
votes

If you are facing the "This certificate has an invalid issuer" error for all your certificates then do the following steps.

Steps:

  • Open Keychain and Click on Login -> All Items from the left panel.
  • Now, Click on View -> Show Expired Certificates from the top navigation menu.
  • Now search for "Apple Worldwide Developer Relations Certification Authority" and delete expired certificates.
  • After deleting expired certificates, visit the following URL and download the new certificate, https://developer.apple.com/certificationauthority/AppleWWDRCA.cer.
  • Double click on the newly downloaded certificate, and install it in your keychain.
  • Double check: List expired certificates by following step number 3.
  • Now you have a valid "Apple Worldwide Developer Relations Certification Authority" having expiry date 2023-02-07.

Reference:

23
votes

As described in the Apple Worldwide Developer Relations Intermediate Certificate Expiration:


The previous Apple Worldwide Developer Relations Certification Intermediate Certificate expired on February 14, 2016 and the renewed certificate must now be used when signing Apple Wallet Passes, push packages for Safari Push Notifications, Safari Extensions, and submissions to the App Store, Mac App Store, and App Store for Apple TV.

All developers should download and install the renewed certificate on their development systems and servers. All apps will remain available on the App Store for iOS, Mac, and Apple TV.


The new valid certificate will look like the following:

Apple Worldwide Developer Relations Certification Authority

It will display (this certificate is valid) with a green mark.

So, go to your Key Chain Access. Just delete the old certificate and replace it with the new one (renewed certificate) as Apple described in the document. Mainly the problem is only with the Apple push notification service and extensions as described in the Apple document.

You can also check the listing of certificates in https://www.apple.com/certificateauthority/

Certificate Revocation List:

Certificate Revocation List

Now this updated certificate will expire on 2023-02-08.


If you could not see the old certificate then go to the System Keychains and from edit menu and select the option Show Expired Certificates.

Show Expired Certificates

Now you can see the following certificate that you have to delete:

Delete This Certificate

20
votes

You need to search the World from the top right search bar and delete the expired certificate. Make sure you selected Login and All items.

Enter image description here

16
votes

Just try to set local date earlier than Feb 14. Works for me! Not a complete solution but temporary solve the problem.

6
votes
  • All my certificates are installed and expire dates are fine.
  • I deleted and reinstalled all my certificates, still no luck

In the end, I right-clicked on the certificate, and selected "Get Info". Under the Trust section, I selected "Always Trust" and this solved my problem.

0
votes

in 2021:

  1. Download AppleWWDRCAG3.cer (valid untill 2030) from https://developer.apple.com/support/expiration/
  2. Install it
0
votes

If you got here from the Fastlane then this snippet might fix your CI deployments. Execute it before the signing.

 apple_intermediate_certificate_path = "/tmp/AppleWWDRCAG3.cer"
`curl https://www.apple.com/certificateauthority/AppleWWDRCAG3.cer --output #{apple_intermediate_certificate_path}`

other_action.import_certificate(
  certificate_path: apple_intermediate_certificate_path,
  keychain_name: YOUR_KEYCHAIN_NAME,
  keychain_password: YOUR_KEYCHAIN_PASSWORD
)