How to Add Private Key to the Distribution Certificate

How can I add private key to the distribution certificate?

Yes, the error you are getting means that there is not a private key on your Mac associated with the distribution certificate you are trying to use to sign the app.

There are two possible solutions, depending on whether the computer that requested the distribution certificate is available or not.

If the computer that requested the distribution certificate is available (or there is a backup of the distribution assets somewhere)

  1. From the computer where the distribution asset was generated, open Xcode.
  2. Click on Window, Organizer.
  3. Expand the Teams section.
  4. Select your team, select the certificate of "iOS Distribution" type, click Export and follow the instructions.
  5. Save the exported file and go to your computer.
  6. Repeat steps 1-3.
  7. Click Import and select the file you exported before.

If the computer where the distribution profile was created is not accessible anymore (and there is not a backup)

You have to revoke the certificate and create a new one.

You may need to ask your team admin or agent to give you some privileges in order to generate distribution certificates. Once you have enough privileges, follow these steps (accurate as of 15-May-2013):

  1. Go to this webpage: https://developer.apple.com/devcenter/ios/index.action
  2. Click on "Member Center" and enter your iOS developer credentials.
  3. Click on "Certificates, Identifiers & Profiles".
  4. Click on "Certificates" under the "iOS Apps" section.
  5. Expand the Certificates section on the left, select Distribution, and click on your distribution certificate.
  6. Click Revoke and follow the instructions.
  7. Click on the plus sign to add a new certificate.
  8. Select "App Store and Ad Hoc" option, and click Continue.
  9. Follow the steps printed on the webpage. That involves opening the Keychain application on your Mac and generating a Certificate Signing Request from there. Click Continue.
  10. Upload the .csr file and click Continue.
  11. A certificate is generated for distribution. Download it and double click it to integrate it in your keychain.

Reopen Xcode and check your project configuration to see if you can now select an "iPhone Distribution" certificate (i.e. it's not grayed out).

Distribution certificate / private key not installed

You can only have one distribution certificate. It unites a public key, known to Apple, with a private key, which lives in the keychain of some computer. If this distribution certificate was created on another computer, then the private key is on the keychain of that computer. And this distribution certificate does not work without it.

So to use this distribution certificate on this computer, you must find that computer, open Keychain Access, locate and export the private key, mail it or otherwise get it to this computer, and import it into the keychain of this computer.

If you go into the Accounts pref pane in Xcode and double-click your Team, you'll see a dialog that gives you help with this. If you see your distribution certificate and it says Not In Keychain, you can control-click that certificate to get a menu item that lets you email whoever created the certificate and ask them to send it to you. That person can use this same menu to choose Export Certificate and can email you the exported certificate.

Either way, the private key or exported certificate will be passworded. You'll need to know the password in order to use it.

How to create a private key for iPhone Distribution Certificate?

Read the Maintain Signing Assets section of the Xcode Help site. It explains step-by-step what you will need to do, in the correct order.

Before you can code sign your app, you create your development certificate and later, a distribution certificate to upload your app to iTunes Connect. You can create all the types of certificates and signing identities you need using Xcode. Xcode creates, downloads, and installs your signing identities for you.

All team members can create their own development certificate. Only a team agent or admin can create a distribution certificate. Only a team agent can create a Developer ID certificate. If you have an organization membership, read Managing Your Team in Member Center for a description of team roles and tasks that team agents perform on behalf of team members.

Xcode creates your development certificate for you when you need it. For example, when you assign your project to a team or create the team provisioning profile, as described in Configuring Identity and Team Settings, Xcode creates your development certificate and adds it to the team provisioning profile. Because of this, you typically create distribution certificates using the Xcode Preferences window.

To create a signing identity

  1. In the Xcode Preferences window, click Accounts.

  2. Select the team you want to use, and click View Details.

  3. In the dialog that appears, click the Create button in the row of the type of certificate you want to create.

    If the Create button is disabled, you are not allowed to create that type of signing identity. For a description of each type of certificate, refer to Table 14-2.

    After the signing identity is created, the Create button disappears.

  4. To return to Accounts preferences, click Done.

Xcode - How to add a private key to Development Certificate if it's created using the Revoke button

When you press the Revoke button you get issued a new iPhone Distribution certificate and a new iPhone Developer certificate. You can view these certificates inside the developer portal at developer.apple > certificates. Those certificates will also be inside your keychain. You use the certificate expiration dates to see which certificates correspond to what.

The problem with pressing the Revoke button is you will get an iPhone Distribution certificate with a private key, but the iPhone Developer certificate won't have a private key.

If you look into your keychain you will see this pic below. Notice the iPhone Distribution certificate has a gray arrow next to it but the iPhone Developer certificate doesn't:

Sample Image

That will cause the following 2 errors:

Sample Image

It causes a cycle where you press the Revoke button again and you wind up with the same 2 errors. I'm not sure why Apple did it this way but someone definitely made a mistake.

When you go to Keychain > login > My Certificates you will only see certificates that have a private key (the gray arrow indicates that). Since the iPhone Developer certificate from pressing the Revoke button doesn't have a key it won't be in there. According to this you need that key otherwise you'll get the errors:

If your iOS developer and distribution certificates do not appear in
"My Certificates", then they are not correctly configured for use on
your Mac. Please note that "Certificates" is a repository of all
certificates your Mac holds, whereas "My Certificates" is the subset
of certificates valid for your Mac to actually use - a certificate
appearing in "Certificates" only is not enough.

If the certificate is not in My Certificates then this is most likely
because you do not have the correct key for that certificate also on
that Mac. You will need to locate the private key made for that
certificate (i.e., from the original Mac which requested the
certificate or a backup server).

As long as they do appear in My Certificates, then the key is there.

Since the iPhone Developer certificate won't appear in My Certificates the fix is after you press the Revoke button, delete the iPhone Developer certificate that it generates from BOTH the developer portal at developer.apple > certificates AND keychain. It's VERY important you delete it from keychain! Use the expiration date to locate it. Please keep the iPhone Distribution Certificate because that should work fine and have a key (indicated by the gray arrow).

After it's deleted from BOTH places you can manually generate a developer certificate yourself following these directions:

Generate a Code Signing Certificate manually

1- Open your Keychain Access.

2- In the upper left hand corner next to the Apple sign select Keychain Access > Certificate Assistant > Request a Certificate From a Certificate Authority...

3- Fill in User Email Address (just use yours) and the Common Name (just use your name) and select Saved to Disk. I selected Let me specify key pair information (maybe it's not necessary) but on the next screen just use the Key Size: 2048 bits and algorithm: RSA. Click on Continue and save the generated certSigningRequest file to your desktop.

4- Go to https://developer.apple.com and log in to your account.

5- Select Certificates, IDs & Profiles from the left sidebar.

6- Go to Certificates and click on the + button on the top right corner.

7- Select iOS App Development and click Continue.

8- On the next page you see the instructions for creating the certSigningRequest file. Click continue.

9- Upload the created certSigningRequest (from the 3rd step, the one saved to your desktop) to the form and click continue. It will generate your code signing certificate for you.

10- Download the certificate and double click to install it. Once installed it will be added to your Keychain Access app. Assuming it saves to your download folder you can just go in there and double click it.

Once you do those steps both errors should go away.

If you continue to have errors, look at the certificates in both the portal at developer.apple > certificates and keychain > My Certificates. If anything is in the portal but isn't in My Certificates then you need to find it in Keychain Access (look in keychain > Certificates), delete it, and delete it from the portal.

It took me a while to figure this out but the expiration date is the key to locating messed up certificates.
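The answers above describe a certificate as a public key that only works alongside the private key created with the CSR (RSA, 2048 bits in the manual steps). The following is an added example, not code from any of the posts: it reproduces that pairing with the `openssl` CLI and checks whether a given private key belongs to a certificate. File names, the subject, and the self-signed certificate standing in for the one the portal would issue are assumptions made for the demo.

```shell
#!/usr/bin/env bash
# Added example: all file names and subject values are constructed for the demo.
set -eu

# Print the PEM public key held by a certificate, a CSR, or a private key.
pubkey_of() {
  case "$1" in
    cert) openssl x509 -in "$2" -noout -pubkey ;;
    csr)  openssl req  -in "$2" -noout -pubkey ;;
    key)  openssl pkey -in "$2" -pubout ;;
    *)    return 2 ;;
  esac
}

# Succeed only when both files carry the same public key (one key pair).
same_keypair() {  # usage: same_keypair KIND_A FILE_A KIND_B FILE_B
  a=$(pubkey_of "$1" "$2" 2>/dev/null) || return 1
  b=$(pubkey_of "$3" "$4" 2>/dev/null) || return 1
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# Build demo material: "Mac A" requests the certificate, "Mac B" never saw its key.
make_demo() {
  openssl genrsa -out "$1/mac_a.key" 2048 2>/dev/null   # RSA 2048, as in the CSR step
  openssl req -new -key "$1/mac_a.key" -out "$1/request.csr" \
    -subj "/CN=Demo Developer/emailAddress=dev@example.com"
  # Self-signing stands in for the portal issuing the certificate from the CSR.
  openssl x509 -req -in "$1/request.csr" -signkey "$1/mac_a.key" \
    -days 1 -out "$1/dist.pem" 2>/dev/null
  openssl genrsa -out "$1/mac_b.key" 2048 2>/dev/null   # unrelated key on another Mac
}

demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT        # do not leave private keys behind
make_demo "$demo"

for k in mac_a mac_b; do
  if same_keypair cert "$demo/dist.pem" key "$demo/$k.key"; then
    echo "$k.key: matches dist.pem, usable as a signing identity"
  else
    echo "$k.key: does NOT match dist.pem, certificate is unusable here"
  fi
done
```

On the Mac itself, `security find-identity -v -p codesigning` lists the code-signing identities, that is, certificates whose private key is present in a keychain.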

missing private key in the distribution certificate on keychain

Ahh, this is a common issue. The solution is simple:

Whoever created the developer credentials originally needs to go to the keychain on their computer and right click on the key(s) for private and public and export the key to a file.
Then you just download that file on your computer and open it, and it will be added to your keychain.

You need to have both the private key (.pem file) and the certificate for your provisioning profiles.

About distribution certificate (with private key) in keychain

For question 1

Yes, the distribution certificate is used for uploading the app to the Apple store, and the development certificate for running on a device or sending a build.

For question 2

Yes, you can simply revoke his certificate and create a new one. That way your previous developer certificates are not required. Moreover, he won't be able to use them anymore, and you can create a new one and keep the certificates on your Apple developer account clean.

Hope it clears your doubt.

How do You Install a Private Key on an iPhone Distribution Certificate?

This may sound silly, but all I had to do was restart the computer and it worked.


