Apple Wallet certificates
Configure your Apple Developer account to distribute digital wallet passes through The Wallet Crew platform. This guide covers certificate creation, push notification setup, and credential management
To issue Apple Wallet passes that display your company branding and receive real-time updates, you need to establish certificates and push notification credentials through the Apple Developer Program.
Want the “why” before the “how”? Start with Apple & Google wallet.
What you'll accomplish:
Create a Pass Type ID that identifies your organization as the pass issuer
Generate and configure certificates that sign your wallet passes
Set up Apple Push Notification service (APNs) for real-time pass updates
Connect your Apple Developer account credentials to The Wallet Crew platform
Prerequisites:
Active Apple Developer Program membership ($99/year for organizations)
Administrator access to your Apple Developer account
Authority to create certificates and authentication keys
Access to The Wallet Crew admin console
Apple Developer Program enrollment requirements:
Before beginning this configuration, ensure your organization has enrolled in the Apple Developer Program as an Organization (not as an individual). This enrollment requires:
D-U-N-S Number from Dun & Bradstreet for business verification
Work email address linked to your company's domain (avoid personal Gmail/Yahoo accounts)
Publicly accessible website reflecting your company's legal identity
Legal binding authority as an owner, executive, or authorized employee to sign Apple's agreements
If you haven't enrolled yet, visit the Apple Developer Program enrollment page to begin the process. Enrollment as an organization (rather than individual) ensures your company name appears on wallet passes and enables multi-user account management.
Apple Developer Program enrollment page
Choosing your setup path:
Option 1 - Account Delegation: Grant The Wallet Crew team administrator access to configure everything on your behalf (fastest, minimal technical expertise required)
Option 2 - Self-Configuration: Manage the complete setup within your organization (maintains strict access control, requires technical knowledge of Apple Developer Portal)
Both options produce identical functionality. Option 1 reduces your team's workload but requires granting temporary administrator access to The Wallet Crew. Option 2 maintains complete internal control but requires familiarity with Apple's developer tools and certificate management.
Kickoff
Option 1 — account delegation
This approach allows The Wallet Crew team to handle all technical configuration while you retain ownership of your Apple Developer account. You'll grant temporary administrator access, and we'll configure certificates, keys, and identifiers according to Apple's best practices.
Grant Administrator Access
Navigate to App Store Connect Users and sign in with your Apple Developer account credentials.
Click the Add (+) button to invite a new user. Enter [email protected] as the email address and assign the Admin role. This permission level allows The Wallet Crew team to create Pass Type IDs, generate certificates, configure push notification keys, and complete all necessary setup steps.
The Wallet Crew team will receive an invitation notification and will proceed with Pass Type ID creation, certificate generation, and APNs configuration. We'll notify you when setup is complete and provide documentation of all created resources. You can revoke this administrator access after confirming that wallet pass issuance and updates are working correctly.
What happens next: After you grant access, we create your Pass Type ID (formatted as pass.com.thewalletcrew.{tenantId}), generate the signing certificate, configure push notifications, and upload everything to your tenant. This typically completes within 1–3 business days. We’ll confirm by email and share a short summary of what was created.
Option 2 — configuration on your own
You manage the complete setup within your Apple Developer account and The Wallet Crew admin console. This option requires familiarity with Apple's certificate infrastructure but maintains strict internal access control.
Understanding the Components
Before proceeding, it's helpful to understand what you're creating:
Your Pass Type ID is the issuer identifier (for example pass.com.thewalletcrew.{tenantId}). The CSR is a request file generated in The Wallet Crew that Apple uses to create your certificate. The signing certificate is what cryptographically signs each pass. The APNs auth key is what lets us trigger updates for passes already installed on devices.
Follow these steps to configure your Apple membership program for The Wallet Crew.
Login and open Identifiers
Login to the Apple developer program console:
Apple Developer program console
Go to Certificates, IDs & Profiles > Identifiers
Create a Pass Type ID
Click the + button and select Pass Type IDs, then click Continue.
Fill the form. Set the description to
membership pass. Set the identifier to the value shown in The Wallet Crew underpass type identifier.
The value should follow the pattern pass.com.thewalletcrew.{tenantId} where {tenantId} is your brand identifier.
Treat the Pass Type ID identifier as permanent. Once you’ve issued passes, changing it typically breaks updates and can force a full re-issuance.
Copy this exact value and paste it into the Apple Developer Portal identifier field.
If you need to modify this identifier for any reason, click the lock icon next to the field in The Wallet Crew console and coordinate the change with your point of contact at The Wallet Crew to ensure proper synchronization. Never do it without the consent of your point of contact at The Wallet Crew.
Click Continue to review your settings, then click Register to create the Pass Type ID.
Navigate to Pass Type ID Details
After registering your Pass Type ID, you'll be returned to the identifiers list. Locate and click on the Pass Type ID you just created to open its detail page.
In the Pass Type ID details page, click the Create Certificate button. This will open Apple's certificate creation workflow
Leave this browser tab open and switch to The Wallet Crew admin console tab. If you don't have it open, navigate to The Wallet Crew Apple Configuration.
Generate Certificate Signing Request (CSR)
In The Wallet Crew console, locate the Certificate Signing Request (CSR) section and click Generate CSR. The system will create a cryptographic signing request file. Once generation completes, click Download CSR to save the file to your computer. The filename will be similar to pass.cloud.thewalletcrew.{yourbrand}.csr.
Upload CSR to Apple and download certificate
Return to the Apple Developer Portal browser tab where the certificate creation form is waiting. Leave the Certificate name field empty so Apple auto-generates it, then upload the .csr file you downloaded from The Wallet Crew.
Click Continue to process the CSR. Apple will generate your signing certificate using the cryptographic information from The Wallet Crew's CSR.
On the confirmation page, click Download to save the certificate file (named pass.cer) to your computer. This certificate file is the cryptographic credential that will sign all wallet passes issued by your organization.
Upload certificate to The Wallet Crew
Navigate back to The Wallet Crew Apple Configuration page. Locate the Certificate Upload section.
The Wallet Crew Apple Configuration Page
Click Choose File and select the pass.cer certificate file you downloaded from Apple. The Wallet Crew system will validate that the certificate matches your CSR and is properly configured.
Review the certificate information displayed (expiration date, issuer details) and click Apply Certificate to complete the upload. The certificate is now active and will be used to sign all wallet passes you create.
Create APNs Auth Key in Apple
Apple Push Notification service (APNs) enables real-time updates to wallet passes after they've been installed on users' devices. When you update a pass balance, change event details, or modify any pass content, APNs notifies the user's device to download the latest version.
Navigate to the Apple Developer Keys page and click the + button to create a new key.
Complete the key registration form: Name the key (for example “Wallet Push Notifications”), enable Apple Push Notifications service (APNs), then click Configure next to APNs to pick the environment.
In the APNs configuration dialog, select Production environment (not Sandbox). Production environment is required for wallet passes to receive updates in real-world usage. Click Save to confirm this setting.
Click Continue to review your key configuration, then click Register to create the key. Apple will display your Key ID, this is a critical piece of information you'll need in the next step, so copy it to a safe location.
Click Download to save your authentication key file (named AuthKey_XXXXXXXXXX.p8).
Important: Apple only allows you to download this file once. If you lose it, you'll need to revoke this key and create a new one. Store the downloaded .p8 file securely—treat it like a password.
Upload APNs key to The Wallet Crew
Navigate to The Wallet Crew APNs Configuration page.
The Wallet Crew APNs Configuration page
Complete the APNs configuration form: Paste the Key ID you copied from Apple (10 characters) and upload the AuthKey_XXXXXXXXXX.p8 file you downloaded.
Click Save or Apply to upload the APNs credentials. The Wallet Crew platform will validate the key and configure push notifications for your tenant.
Configuration complete: Your Apple Wallet integration is now fully configured. You can create wallet passes, and they will be signed with your certificate and capable of receiving real-time updates via APNs.
Certificate Renewal
Apple Wallet certificates expire annually and must be renewed to continue issuing passes. Apple will send reminder emails before expiration, but you should proactively renew certificates at least two weeks before the expiration date to avoid service interruption.
Timeline: Certificate renewal takes approximately 15 minutes. Existing passes in users' wallets continue working during renewal—there's no downtime.
Initiate Certificate Renewal in Apple
Navigate to the Apple Developer Account and sign in. Select Certificates, IDs & Profiles from the left navigation, then click Certificates.
Click the + button to create a new certificate. Select Pass Type ID Certificate from the list of certificate types, then click Continue.
Generate CSR in The Wallet Crew
Open The Wallet Crew admin console and click Generate CSR. Even if you have a previous CSR file, you must generate a new one for renewal.
The Wallet Crew Administration Console - Apple configuration
Click Generate CSR to create a new certificate signing request. Once generation completes, click Download CSR to save the file. The filename will be similar to
pass.cloud.thewalletcrew.{yourbrand}.csr.
Upload CSR to Apple and download renewed certificate
Return to the Apple Developer Portal. In the certificate creation workflow, upload the new CSR file you just downloaded from The Wallet Crew.
Click Continue to generate the renewed certificate, then click Download to save the new pass.cer file.
Upload renewed certificate to The Wallet Crew
Navigate to The Wallet Crew Apple Configuration page. Upload the renewed pass.cer certificate file.
The Wallet Crew Apple Configuration
Review the new expiration date to confirm it's been extended for another year, then click Apply Certificate.
Renewal complete: Your certificate is renewed for another year. All existing passes continue working seamlessly, and new passes will be signed with the renewed certificate.
FAQ
What is a Pass Type ID and why do I need one?
A Pass Type ID is your issuer identifier in Apple’s ecosystem (for example pass.com.thewalletcrew.{tenantId}). It tells Apple and iOS devices which organization is allowed to issue and sign passes, which is why it’s required for any Apple Wallet deployment. Most brands use one Pass Type ID across all their pass types.
What's the difference between a CSR, certificate, and APNs key?
The CSR is a request file generated in The Wallet Crew that you upload to Apple. Apple uses it to generate your signing certificate, which is the credential used to sign every pass. The APNs key is separate. It’s what lets The Wallet Crew authenticate to Apple Push Notification service to trigger updates for passes already installed on devices.
Why do I need a certificate (.cer) and an APNs key (.p8)?
Apple Wallet splits “trust” into two pieces. The .cer certificate signs your passes, so devices can verify the pass is authentic and hasn’t been tampered with. The .p8 APNs key authenticates the push channel, so Apple accepts update notifications for your passes and devices know they should refresh.
How long does Apple Developer Program enrollment take?
For organizations, Apple typically approves enrollment in 2–5 business days. Sometimes they ask for extra verification around your D‑U‑N‑S number or company identity. Once approved, the wallet certificate setup usually takes around 1–2 hours.
Can I use an individual Apple Developer account instead of organization?
You technically can, but it’s rarely a good idea. Individual accounts show a personal name on passes and don’t support the same team workflows. Most businesses should enroll as an organization (same $99/year price).
What happens if my certificate expires?
If the certificate expires, issuing and updating passes can fail. Passes already installed may still display, but they won’t reliably receive updates. Renew at least two weeks before expiration; Apple usually sends reminders about 30 days before.
Do I need to renew the APNs authentication key?
No. APNs keys do not expire, so you don’t renew them. You normally renew only the Pass Type ID certificate each year. If you revoke the APNs key in Apple’s portal, you must create a new one and upload it to The Wallet Crew.
Can I revoke delegated access after initial setup?
Yes. Once everything is configured, you can remove the delegated admin user from App Store Connect and the integration will keep working. Delegation is only needed for initial setup, and it’s optional for renewals.
What if I can't find my Pass Type Identifier in The Wallet Crew console?
You’ll find it on the Apple Configuration page under Pass Type Identifier. If it’s empty or errors, contact your point of contact at The Wallet Crew. Your tenant may need a small setup step before Apple configuration is available.
Why must I use "production" APNs environment, not "sandbox"?
Apple Wallet uses the production APNs environment, even for testing. Sandbox is meant for iOS app development, not passes. If you configure sandbox by mistake, push updates won’t work reliably.
How do I know if my configuration is working correctly?
Create a test pass in The Wallet Crew and add it to an iPhone. If it installs and shows your organization name, signing works. Then change a simple field (like a balance or text) and confirm the installed pass refreshes within a few seconds.
What should I do with the .p8 APNs key file after uploading?
Store the .p8 file like a password, ideally in a password manager or secure document storage. You may need it later for audits, reconfiguration, or if Apple asks you to verify your APNs setup. Don’t commit it to version control and don’t send it over unencrypted email.
Can I use the same Apple Developer account for multiple brands?
Yes, but each brand should use its own Pass Type ID. One Apple Developer account can host multiple Pass Type IDs, each with its own certificate. In The Wallet Crew, each tenant maps to its own Apple configuration.
We already have existing passes. How do we migrate to The Wallet Crew?
This is a migration of live passes, not a normal “renewal”.
For Apple, the key constraint is issuer identity. In practice, you keep the same Pass Type ID, export the existing pass technical data (like serial number + auth token), then repoint updates to The Wallet Crew.
Follow the dedicated guide: Move passes to The Wallet Crew.
If you are leaving The Wallet Crew, use: Export passes from The Wallet Crew to another provider.
Last updated