Apple-issued certificates expire on a fixed schedule (most last one year). When a certificate is within a few weeks of expiring, the safest play is to issue its replacement, regenerate every dependent profile against the new certificate, and only then revoke the old one. HexSign automates each of those steps individually.
The rotation playbook
- 1
Issue the replacement certificate
Create a new certificate of the same type from the same (or a fresh) CSR. Both certificates can co-exist for as long as you need.
- 2
Find every dependent profile
Open the old certificate's detail page. The dependents list shows every provisioning profile that uses it. The relationship graph also highlights them in one view.
- 3
Regenerate each profile against the new certificate
From each profile's detail page, click Regenerate and pick the new certificate. HexSign re-creates the .mobileprovision file via Apple's API and flags the old version as superseded.
- 4
Update CI and devices
Wherever the old profile was used (CI secrets, fastlane match repos, signing certificates installed locally on dev machines), pull the new versions. HexSign exposes a download button on each profile and certificate.
- 5
Revoke the old certificate
Once every dependent profile has been regenerated and you've confirmed the next CI build still signs cleanly, revoke the old certificate. The audit log keeps a record of when, by whom, and which profiles moved to the new identity.