Every Apple Developer certificate is issued from a certificate signing request (CSR). A CSR contains the public key of a key pair plus your team identity, and is signed with the matching private key; the private key itself is not part of the CSR. HexSign can generate CSRs for you, or you can upload one your team already produced with Keychain Access or openssl.
Two ways to use the CSR vault
- Generated by HexSign — the private key is created in-process, encrypted with a dedicated AWS KMS key, and stored next to the CSR. The plaintext key never leaves the encryption boundary.
- Uploaded by you — when you already have a CSR file (Keychain Access' Save to Disk option, or `openssl req -new ...`), upload it and HexSign stores only the public CSR. You retain the private key.
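A pre-upload check for the "Uploaded by you" path, as an added example that is not HexSign code: it refuses a file that carries private key material, confirms the CSR's self-signature, and confirms that the key you retain matches the CSR. The function names `check_csr_for_upload` and `csr_matches_key` are hypothetical; the example assumes the openssl CLI, PEM-encoded files, and an unencrypted private key file.

```shell
# Added example, not HexSign code. Function names are hypothetical.
# Assumes the openssl CLI, PEM files, and an unencrypted private key file.

# Return 0 only if FILE is a self-consistent PEM CSR with no private key in it.
check_csr_for_upload() {
    csr_file=$1
    [ -r "$csr_file" ] || { echo "cannot read $csr_file" >&2; return 2; }

    # Refuse private key material in any PEM flavour: PKCS#8 ("PRIVATE KEY",
    # "ENCRYPTED PRIVATE KEY") and legacy ("RSA PRIVATE KEY", "EC PRIVATE KEY").
    if grep -q -- '-----BEGIN [A-Z ]*PRIVATE KEY-----' "$csr_file"; then
        echo "refusing: $csr_file contains a private key" >&2
        return 3
    fi

    # The file must hold a certificate request block
    # ("CERTIFICATE REQUEST" or "NEW CERTIFICATE REQUEST").
    if ! grep -q -- '-----BEGIN [A-Z ]*CERTIFICATE REQUEST-----' "$csr_file"; then
        echo "refusing: no CERTIFICATE REQUEST block in $csr_file" >&2
        return 4
    fi

    # Check the CSR's self-signature. Match on the "verify OK" message
    # rather than trusting the exit status alone.
    if ! openssl req -in "$csr_file" -noout -verify 2>&1 | grep -q 'verify OK'; then
        echo "refusing: self-signature on $csr_file does not verify" >&2
        return 5
    fi
    return 0
}

# Return 0 if the public key inside CSR equals the public half of KEY.
# Both commands emit the same PEM SubjectPublicKeyInfo encoding.
csr_matches_key() {
    csr_pub=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    # An empty result would make two failed reads compare equal, so reject it.
    [ -n "$csr_pub" ] && [ "$csr_pub" = "$key_pub" ]
}
```

Run `check_csr_for_upload` on the file you are about to upload, and `csr_matches_key` against the key you are keeping, so that the issued certificate is usable with the key you hold.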
Generate a CSR
1. Open CSRs and click "Generate"
   From the CSRs tab, click Generate. HexSign asks for a friendly name (e.g. "iOS Distribution — primary") and an optional description.
2. Choose where the private key lives
   Pick "Encrypted in the HexSign vault" if you want HexSign to be able to export PKCS#12 bundles for you later, or "Generate ephemeral and download now" if your team policy requires you to hold the private key.
3. Use it on the next certificate request
   When you create a new certificate, the generated CSR appears in the picker. The same CSR can be reused across multiple certificates if your policy allows it.