How to manage the expiration of enterprise distribution certificates- How to manage Enterprise Distribution certificate expiration?

problem ：

Our customer has just joined the iOS Developer Enterprise Program. Our customers have just joined iOS Developer enterprise plan .They have signed the app (developed by us) with their Enterprise Distribution and installed it succesfully in some devices via MDM. They have used their enterprise to distribute applications （ We develop ） signed , And pass MDM It has been successfully installed on some devices .

As far as I know when my non-enterprise distribution certificate expires I have to renew it. as far as I am concerned , When my non corporate issuance certificate expires , I have to update it .This expiration disables all apps signed with the expired certificate as soon as the devices checks the certificate's validity against Apple's OCSP server. Once the equipment inspection certificate is correct Apple Of OCSP The effectiveness of the server , This expiration will disable all applications signed with expired certificates .

Alternatively, I can revoke my non-enterprise distribution before the expiration date and ask for a new one to Apple. perhaps , I can cancel my non corporate distribution before the due date , And to Apple Request new distribution .Applications signed with the revoked certificate, for example Ad Hoc beta apps, will be disabled according to the same mechanism. Applications signed with revoked certificates （ for example Ad Hoc beta Applications ） Will be disabled according to the same mechanism .

So with my developer program I can't have two valid distribution certificates at the same time. therefore , For my Developer Program , I cannot have two valid distribution certificates at the same time .Ok, as developers we can live with that. ok , As a developer , We can tolerate this .

Can our customer have two valid Enterprise Distribution certificates at the same time with the iOS Developer Enterprise Program? Our customers can use iOS Developer Enterprise Plan to have two valid enterprise distribution certificates at the same time ？

According to Apple: according to Apple That's what I'm saying ：

Certificate Validation Certificate validation

The first time an application is opened on a device, the distribution certificate is validated by contacting Apple's OCSP server. The first time you open an application on your device , By contacting Apple Of OCSP The server verifies the distribution certificate .Unless the certificate has been revoked, the app is allowed to run. Unless the certificate has been revoked , Otherwise, allow the application to run .Inability to contact or get a response from the OCSP server is not interpreted as a revocation. Unable to contact or from OCSP The response received by the server will not be interpreted as revocation .To verify the status, the device must be able to reach ocsp.apple.com. To verify the status , The device must be accessible ocsp.apple.com.See“Network Configuration Requirements”(page 9). see also “ Network configuration requirements ”（ The first 9 page ）.

The OCSP response is cached on the device for the period of time specified by the OCSP server—currently between 3 and 7 days.OCSP Response in OCSP It is cached on the device within the time period specified by the server - Currently in 3 To 7 Between days .The validity of the certificate will not be checked again until the device has restarted and the cached response has expired. Before the device restarts and the cached response has expired , The validity of the certificate will not be checked again .If a revocation is received at that time, the app will be prevented from running. If the cancellation is received at this time , Will prevent the application from running .Revoking a distribution certificate will invalidate all of the applications you have distributed. Revoking the distribution certificate will invalidate all applications you distribute .

An app will not run if the distribution certificate has expired. If the distribution certificate has expired , The application will not run .Currently, distribution certificates are valid for one year. at present , The validity of the distribution certificate is one year .A few weeks before your certificate expires, request a new distribution certificate from the iOS DevCenter, use it to create new distribution provisioning profiles, and then recompile and distribute the updated apps to your users. A few weeks before the certificate expires , Please from iOS DevCenter Request a new distribution certificate , Use it to create a new distribution profile , Then recompile and distribute the updated application to your users .See “Providing Updated Apps” (page 10) see also “ Provide updated applications ”（ The first 10 page ）

Am I missing something or is is possible that the employees, with potentially hundreds of iOS devices with several In House apps, can't open their applications while they wait for the resigned apps? Did I miss something , Or it may be because there are hundreds of with multiple internal applications iOS Device employees cannot open their applications while waiting for re signed applications ？

Solution ：