When HexSign generates the CSR for a new certificate, it already holds the private key and can produce a .p12 on demand. Certificates that were created outside HexSign — most commonly Developer ID certificates from the Apple Developer portal, or certificates a teammate issued in Keychain Access before adopting HexSign — arrive without a private key, so the .p12 download is disabled. Uploading the matching private key fixes that without changing how the certificate is issued.
What you need
- The certificate must already be synced into HexSign. If it isn't, open the Apple account and click Sync first.
- The private key file in one of: .p12 / .pfx (PKCS#12 bundle, with its export password), .pem, or .key (PEM-encoded RSA key).
- If the file is an encrypted .p12, the password that protects it.
Upload the key
1. Open the certificate
   From the Certificates list, certificates without a key show a "No key" chip — click it to jump straight to the right section. Or open the certificate from the relationship graph and scroll to the Signing key card.
2. Click "Upload private key"
   On the Signing key card (when no key is present) or via the Upload key button in the header, click to open the upload modal.
3. Select the file
   Choose the .p12, .pfx, .pem, or .key file. For PKCS#12 bundles a passphrase field appears; enter the password the file was exported with.
4. Upload
   HexSign parses the key, verifies it cryptographically matches the certificate's public key, encrypts it with AWS KMS, and stores it. The Signing key chip flips to "Stored" and Download .p12 becomes available.
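The parsing and pairing check in step 4 (and the "Could not read private key" and "does not match" outcomes listed under troubleshooting) look like this when written out. This is an added illustration built on Go's standard library, not HexSign's own code: the function names, the rejection of encrypted PEM before any parsing, the choice of SHA-256 over the SubjectPublicKeyInfo DER as the fingerprint, and the self-signed certificate it generates as sample input are all assumptions made for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// parsePrivateKeyPEM accepts an unencrypted PKCS#1 ("RSA PRIVATE KEY") or PKCS#8
// ("PRIVATE KEY") block and rejects encrypted PEM up front, as the page says HexSign does.
func parsePrivateKeyPEM(data []byte) (*rsa.PrivateKey, error) {
	block, _ := pem.Decode(data)
	if block == nil {
		return nil, errors.New("could not read private key: no PEM block found")
	}
	if block.Type == "ENCRYPTED PRIVATE KEY" || block.Headers["Proc-Type"] == "4,ENCRYPTED" {
		return nil, errors.New("could not read private key: encrypted PEM is not supported")
	}
	switch block.Type {
	case "RSA PRIVATE KEY":
		return x509.ParsePKCS1PrivateKey(block.Bytes)
	case "PRIVATE KEY":
		k, err := x509.ParsePKCS8PrivateKey(block.Bytes)
		if err != nil {
			return nil, err
		}
		if rsaKey, ok := k.(*rsa.PrivateKey); ok {
			return rsaKey, nil
		}
		return nil, errors.New("could not read private key: not an RSA key")
	}
	return nil, fmt.Errorf("could not read private key: unsupported PEM type %q", block.Type)
}

// keyMatchesCertificate reports whether keyPEM pairs with certPEM. It also returns
// the key's SHA-256 SubjectPublicKeyInfo fingerprint, the value a UI would show so a
// mismatched key can be traced to the certificate it really belongs to.
func keyMatchesCertificate(certPEM, keyPEM []byte) (bool, string, error) {
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return false, "", errors.New("certificate data missing")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return false, "", err
	}
	certPub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return false, "", errors.New("certificate public key is not RSA")
	}
	key, err := parsePrivateKeyPEM(keyPEM)
	if err != nil {
		return false, "", err
	}
	spki, err := x509.MarshalPKIXPublicKey(&key.PublicKey)
	if err != nil {
		return false, "", err
	}
	sum := sha256.Sum256(spki)
	// Equal compares modulus and public exponent: this is the actual pairing check.
	return certPub.Equal(&key.PublicKey), hex.EncodeToString(sum[:]), nil
}

// newTestIdentity is constructed sample input (not HexSign data): a fresh RSA key
// and a self-signed certificate for it, both PEM-encoded.
func newTestIdentity() (certPEM, keyPEM []byte, err error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
	return certPEM, keyPEM, nil
}

func main() {
	certPEM, keyPEM, _ := newTestIdentity()
	_, otherKeyPEM, _ := newTestIdentity() // a key for a different certificate
	ok, fp, err := keyMatchesCertificate(certPEM, keyPEM)
	fmt.Println("own key:  ", ok, fp, err)
	ok, _, err = keyMatchesCertificate(certPEM, otherKeyPEM)
	fmt.Println("other key:", ok, err)
}
```

The check is deliberately done on the public halves only: nothing is signed or stored until `Equal` returns true, so a key for the wrong certificate is rejected with its fingerprint attached, which is what lets the user find the certificate it actually belongs to.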
What HexSign does with the key
- Verifies the uploaded private key actually pairs with this certificate's public key. A mismatched file is rejected before anything is stored.
- Encrypts the key at rest under a dedicated AWS KMS customer-managed key, bound to the row's identifier through the KMS encryption context. A copied row cannot be decrypted against another certificate.
- Records an audit log entry for the upload, including the file format and a public-key fingerprint, attributed to the user or service credential that performed the action.
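What "bound to the row's identifier through the KMS encryption context" buys you can be shown with a local AEAD stand-in. This is an added example, not HexSign code and not a description of how KMS is called: a 256-bit key held in memory plays the role of the KMS customer-managed key, AES-GCM associated data plays the role of the encryption context (KMS enforces the same property server-side), and the identifier format and function names are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// encryptionContext plays the role of the KMS encryption context: the certificate
// row identifier becomes associated data covered by the authentication tag, so the
// same identifier must be presented again at decrypt time. (Format is an assumption.)
func encryptionContext(certificateID string) []byte {
	return []byte("hexsign:certificate_id=" + certificateID)
}

func newGCM(kek []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealKey encrypts privateKey under kek, bound to certificateID. kek stands in for
// the KMS customer-managed key; the result is nonce || ciphertext || tag.
func sealKey(kek, privateKey []byte, certificateID string) ([]byte, error) {
	aead, err := newGCM(kek)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, privateKey, encryptionContext(certificateID)), nil
}

// openKey decrypts a sealed blob. Presenting a different certificateID than the one
// used at seal time makes tag verification fail, which is the property that stops a
// blob copied onto another certificate's row from being decrypted there.
func openKey(kek, sealed []byte, certificateID string) ([]byte, error) {
	aead, err := newGCM(kek)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	pt, err := aead.Open(nil, nonce, ct, encryptionContext(certificateID))
	if err != nil {
		return nil, errors.New("decryption failed: wrong key or encryption context")
	}
	return pt, nil
}

func main() {
	kek := make([]byte, 32) // constructed KEK; in HexSign the real key never leaves KMS
	if _, err := io.ReadFull(rand.Reader, kek); err != nil {
		panic(err)
	}
	// Constructed stand-in for the uploaded key material.
	sealed, err := sealKey(kek, []byte("constructed private key bytes"), "cert_01")
	if err != nil {
		panic(err)
	}
	_, err = openKey(kek, sealed, "cert_01")
	fmt.Println("own row decrypts:   ", err == nil)
	_, err = openKey(kek, sealed, "cert_02") // blob copied onto another row
	fmt.Println("copied row decrypts:", err == nil)
}
```

Note that the context is not secret and is not stored with the blob by this code; it is reconstructed from the row the blob is being read for, so the only way to decrypt is to ask for exactly the certificate the key was uploaded against.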
Replace or remove an uploaded key
Open the certificate and use the Remove button on the Signing key card. Removal deletes the encrypted blob and immediately disables .p12 downloads for that certificate. To replace a key, remove the current one first and then upload the new file.
If the upload fails
- "Private key does not match certificate"
  The uploaded key's public half doesn't match the certificate's public key. You probably picked a key for a different certificate: check the filename, or compare it with the SHA-256 fingerprints HexSign showed when you successfully uploaded keys for your other certificates.
- "Could not read private key"
  The file is in a format HexSign couldn't parse. Plain unencrypted PEM (PKCS#1 or PKCS#8) and PKCS#12 with a known password are supported. Encrypted PEM keys aren't — decrypt them first into a separate file with `openssl pkcs8 -in key.pem -out key-plain.pem`, or export from Keychain Access as .p12.
- "Too many failed uploads"
  Your organization has hit the failed-upload rate limit (10 failures per hour). Wait a few minutes and try again. This limit catches passphrase guessing on .p12 files; legitimate uploads count against it only when they fail.
- "Certificate data missing"
  HexSign doesn't have the certificate's public key on file yet. Re-sync the Apple account from the Apple accounts page, then try the upload again.