Our customer has just joined the iOS Developer Enterprise Program. They have signed the app (developed by us) with their Enterprise Distribution and installed it successfully on some devices via MDM.
As far as I know, when my non-enterprise distribution certificate expires I have to renew it. This expiration disables all apps signed with the expired certificate as soon as the device checks the certificate's validity against Apple’s OCSP server.
Alternatively, I can revoke my non-enterprise distribution before the expiration date and ask Apple for a new one. Applications signed with the revoked certificate, for example Ad Hoc beta apps, will be disabled according to the same mechanism.
So with my developer program I can't have two valid distribution certificates at the same time. OK, as developers we can live with that.
Can our customer have two valid Enterprise Distribution certificates at the same time with the iOS Developer Enterprise Program?
According to Apple:
Certificate Validation
The first time an application is opened on a device, the distribution
certificate is validated by contacting Apple’s OCSP server. Unless the
certificate has been revoked, the app is allowed to run. Inability to
contact or get a response from the OCSP server is not interpreted as a
revocation. To verify the status, the device must be able to reach
ocsp.apple.com. See “Network Configuration Requirements” (page 9).
The OCSP response is cached on the device for the period of time specified
by the OCSP server—currently between 3 and 7 days. The validity of the
certificate will not be checked again until the device has
restarted and the cached response has expired. If a revocation is
received at that time, the app will be prevented from running. Revoking
a distribution certificate will invalidate all of the applications you
have distributed.
An app will not run if the distribution certificate
has expired. Currently, distribution certificates are valid for one
year. A few weeks before your certificate expires, request a new
distribution certificate from the iOS DevCenter, use it to create new
distribution provisioning profiles, and then recompile and distribute the
updated apps to your users. See “Providing Updated Apps” (page 10).
Am I missing something or is it possible that the employees, with potentially hundreds of iOS devices with several In House apps, can't open their applications while they wait for the re-signed apps?
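The validation rules in the Apple text quoted in the question, modelled as an added example (not part of the original post and not Apple's code) to show how revocation is delayed and fail-open while expiry blocks the app outright. The integer day numbers, the 3-day cache, the `Device` fields and the assumption that a received revocation sticks are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Device:
    cache_expires: Optional[int] = None  # day the cached OCSP response lapses
    restarted: bool = False              # restarted since the response was cached
    blocked: bool = False                # a revocation has been received

def may_launch(dev, day, not_after, revoked_on, ocsp_reachable, cache_days=3):
    """Return True if the quoted rules let the app run on `day`."""
    if day >= not_after:
        return False  # expired certificate: the app will not run
    if dev.blocked:
        return False  # assumption: a received revocation sticks
    first_open = dev.cache_expires is None
    # Re-check only after a restart AND after the cached response has expired.
    due = first_open or (dev.restarted and day >= dev.cache_expires)
    if due and ocsp_reachable:
        dev.cache_expires = day + cache_days
        dev.restarted = False
        if revoked_on is not None and day >= revoked_on:
            dev.blocked = True
            return False
    return True  # no check due, or no OCSP answer (not treated as revocation)

def simulate(events, not_after, revoked_on):
    """events: ("launch", day, ocsp_reachable) or ("restart", day, None)."""
    dev, results = Device(), []
    for kind, day, reachable in events:
        if kind == "restart":
            dev.restarted = True
        else:
            results.append((day, may_launch(dev, day, not_after, revoked_on, reachable)))
    return results

# Constructed scenario: certificate valid for 365 days, revoked on day 10.
EVENTS = [
    ("launch", 0, True),     # first open: checked, response cached until day 3
    ("launch", 11, True),    # revoked, but no restart yet: no re-check
    ("restart", 12, None),
    ("launch", 12, False),   # re-check due, ocsp.apple.com unreachable
    ("launch", 13, True),    # re-check succeeds: revocation received
    ("launch", 366, True),   # past expiry
]

if __name__ == "__main__":
    for day, ok in simulate(EVENTS, not_after=365, revoked_on=10):
        print(f"day {day:3}: {'runs' if ok else 'blocked'}")
```

In this model the revoked app keeps running on days 11 and 12 and is blocked only on day 13, while the launch on day 366 is refused regardless of OCSP state.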