# Apple Wallet certificates
To issue Apple Wallet passes that display your company branding and receive real-time updates, you need to establish certificates and push notification credentials through the Apple Developer Program.
Want the “why” before the “how”? Start with [Apple & Google wallet](https://docs.thewalletcrew.io/configure/wallet/apple-and-google-wallet).
#### **What you'll accomplish:**
* Create a Pass Type ID that identifies your organization as the pass issuer
* Generate and configure certificates that sign your wallet passes
* Set up Apple Push Notification service (APNs) for real-time pass updates
* Connect your Apple Developer account credentials to The Wallet Crew platform
#### **Prerequisites:**
* Active Apple Developer Program membership ($99/year for organizations)
* Administrator access to your Apple Developer account
* Authority to create certificates and authentication keys
* Access to The Wallet Crew admin console
#### **Apple Developer Program enrollment requirements:**
Before beginning this configuration, ensure your organization has enrolled in the Apple Developer Program as an **Organization** (not as an individual). This enrollment requires:
* **D-U-N-S Number** from Dun & Bradstreet for business verification
* **Work email address** linked to your company's domain (avoid personal Gmail/Yahoo accounts)
* **Publicly accessible website** reflecting your company's legal identity
* **Legal binding authority** as an owner, executive, or authorized employee to sign Apple's agreements
If you haven't enrolled yet, visit the Apple Developer Program enrollment page to begin the process. Enrollment as an organization (rather than individual) ensures your company name appears on wallet passes and enables multi-user account management.
#### **Choosing your setup path:**
* **Option 1 - Account Delegation:** Grant The Wallet Crew team administrator access to configure everything on your behalf (fastest, minimal technical expertise required)
* **Option 2 - Self-Configuration:** Manage the complete setup within your organization (maintains strict access control, requires technical knowledge of Apple Developer Portal)
Both options produce identical functionality. Option 1 reduces your team's workload but requires granting temporary administrator access to The Wallet Crew. Option 2 maintains complete internal control but requires familiarity with Apple's developer tools and certificate management.
## Kickoff
### Option 1 — account delegation
This approach allows The Wallet Crew team to handle all technical configuration while you retain ownership of your Apple Developer account. You'll grant temporary administrator access, and we'll configure certificates, keys, and identifiers according to Apple's best practices.
#### Grant Administrator Access
Navigate to App Store Connect Users and sign in with your Apple Developer account credentials.
Click the **Add (+)** button to invite a new user. Enter `contact@neostore.cloud` as the email address and assign the **Admin** role. This permission level allows The Wallet Crew team to create Pass Type IDs, generate certificates, configure push notification keys, and complete all necessary setup steps.
App Store Connect users page showing how to invite a new admin user
The Wallet Crew team will receive an invitation notification and will proceed with Pass Type ID creation, certificate generation, and APNs configuration. We'll notify you when setup is complete and provide documentation of all created resources. You can revoke this administrator access after confirming that wallet pass issuance and updates are working correctly.
**What happens next:** After you grant access, we create your Pass Type ID (formatted as `pass.com.thewalletcrew.{tenantId}`), generate the signing certificate, configure push notifications, and upload everything to your tenant. This typically completes within 1–3 business days. We’ll confirm by email and share a short summary of what was created.
### Option 2 — configuration on your own
You manage the complete setup within your Apple Developer account and The Wallet Crew admin console. This option requires familiarity with Apple's certificate infrastructure but maintains strict internal access control.
#### Understanding the Components
Before proceeding, it's helpful to understand what you're creating:
Your **Pass Type ID** is the issuer identifier (for example `pass.com.thewalletcrew.{tenantId}`). The **CSR** is a request file generated in The Wallet Crew that Apple uses to create your certificate. The **signing certificate** is what cryptographically signs each pass. The **APNs auth key** is what lets us trigger updates for passes already installed on devices.
Follow these steps to configure your Apple membership program for The Wallet Crew.
{% stepper %}
{% step %}
**Login and open Identifiers**
1. Login to the Apple developer program console:
2. Go to Certificates, IDs & Profiles > Identifiers
{% endstep %}
{% step %}
**Create a Pass Type ID**
1. Click the + button and select Pass Type IDs, then click Continue.
2. Fill the form. Set the description to `membership pass`. Set the identifier to the value shown in The Wallet Crew under `pass type identifier`.
The value should follow the pattern `pass.com.thewalletcrew.{tenantId}` where `{tenantId}` is your brand identifier.
{% hint style="danger" %}
Treat the Pass Type ID identifier as permanent. Once you’ve issued passes, changing it typically breaks updates and can force a full re-issuance.
{% endhint %}
Copy this exact value and paste it into the Apple Developer Portal identifier field.
The Wallet Crew console showing the Pass Type Identifier value to copy into Apple Developer Portal
{% hint style="warning" %}
If you need to modify this identifier for any reason, click the lock icon next to the field in The Wallet Crew console and coordinate the change with your point of contact at The Wallet Crew to ensure proper synchronization. Never do it without the consent of your point of contact at The Wallet Crew.
{% endhint %}
Click **Continue** to review your settings, then click **Register** to create the Pass Type ID.
{% endstep %}
{% step %}
**Navigate to Pass Type ID Details**
After registering your Pass Type ID, you'll be returned to the identifiers list. Locate and click on the Pass Type ID you just created to open its detail page.
Apple Developer Portal identifiers list showing the created Pass Type ID
In the Pass Type ID details page, click the **Create Certificate** button. This will open Apple's certificate creation workflow
Leave this browser tab open and switch to The Wallet Crew admin console tab. If you don't have it open, navigate to The Wallet Crew Apple Configuration.
{% endstep %}
{% step %}
**Generate Certificate Signing Request (CSR)**
In The Wallet Crew console, locate the **Certificate Signing Request (CSR)** section and click **Generate CSR**. The system will create a cryptographic signing request file. Once generation completes, click **Download CSR** to save the file to your computer. The filename will be similar to `pass.cloud.thewalletcrew.{yourbrand}.csr`.
The Wallet Crew Apple configuration showing the Generate CSR action
The Wallet Crew Apple configuration showing the Download CSR action
{% endstep %}
{% step %}
**Upload CSR to Apple and download certificate**
Return to the Apple Developer Portal browser tab where the certificate creation form is waiting. Leave the **Certificate name** field empty so Apple auto-generates it, then upload the `.csr` file you downloaded from The Wallet Crew.
Click **Continue** to process the CSR. Apple will generate your signing certificate using the cryptographic information from The Wallet Crew's CSR.
Apple Developer Portal certificate creation form showing CSR upload
Apple Developer Portal certificate download screen for the generated pass certificate
On the confirmation page, click **Download** to save the certificate file (named `pass.cer`) to your computer. This certificate file is the cryptographic credential that will sign all wallet passes issued by your organization.
{% endstep %}
{% step %}
**Upload certificate to The Wallet Crew**
Navigate back to The Wallet Crew Apple Configuration page. Locate the **Certificate Upload** section.
Click **Choose File** and select the `pass.cer` certificate file you downloaded from Apple. The Wallet Crew system will validate that the certificate matches your CSR and is properly configured.
Review the certificate information displayed (expiration date, issuer details) and click **Apply Certificate** to complete the upload. The certificate is now active and will be used to sign all wallet passes you create.
The Wallet Crew Apple configuration showing certificate upload and Apply Certificate
{% endstep %}
{% step %}
**Create APNs Auth Key in Apple**
Apple Push Notification service (APNs) enables real-time updates to wallet passes after they've been installed on users' devices. When you update a pass balance, change event details, or modify any pass content, APNs notifies the user's device to download the latest version.
Navigate to the Apple Developer Keys page and click the **+ button** to create a new key.
Complete the key registration form: Name the key (for example “Wallet Push Notifications”), enable **Apple Push Notifications service (APNs)**, then click **Configure** next to APNs to pick the environment.
In the APNs configuration dialog, select **Production** environment (not Sandbox). Production environment is required for wallet passes to receive updates in real-world usage. Click **Save** to confirm this setting.
Apple Developer Portal key registration form with APNs enabled
Click **Continue** to review your key configuration, then click **Register** to create the key. Apple will display your Key ID, this is a critical piece of information you'll need in the next step, so copy it to a safe location.
Click **Download** to save your authentication key file (named `AuthKey_XXXXXXXXXX.p8`).
**Important:** Apple only allows you to download this file once. If you lose it, you'll need to revoke this key and create a new one. Store the downloaded `.p8` file securely—treat it like a password.
{% endstep %}
{% step %}
**Upload APNs key to The Wallet Crew**
Navigate to The Wallet Crew APNs Configuration page.
Complete the APNs configuration form: Paste the **Key ID** you copied from Apple (10 characters) and upload the `AuthKey_XXXXXXXXXX.p8` file you downloaded.
Click **Save** or **Apply** to upload the APNs credentials. The Wallet Crew platform will validate the key and configure push notifications for your tenant.
The Wallet Crew APNs configuration showing Key ID and .p8 file upload
**Configuration complete:** Your Apple Wallet integration is now fully configured. You can create wallet passes, and they will be signed with your certificate and capable of receiving real-time updates via APNs.
{% endstep %}
{% endstepper %}
## Certificate Renewal
Apple Wallet certificates expire annually and must be renewed to continue issuing passes. Apple will send reminder emails before expiration, but you should proactively renew certificates at least two weeks before the expiration date to avoid service interruption.
**Timeline:** Certificate renewal takes approximately 15 minutes. Existing passes in users' wallets continue working during renewal—there's no downtime.
{% stepper %}
{% step %}
**Initiate Certificate Renewal in Apple**
Navigate to the Apple Developer Account and sign in. Select **Certificates, IDs & Profiles** from the left navigation, then click **Certificates**.
Click the **+ button** to create a new certificate. Select **Pass Type ID Certificate** from the list of certificate types, then click **Continue**.
{% endstep %}
{% step %}
**Generate CSR in The Wallet Crew**
1. Open The Wallet Crew admin console and click **Generate CSR**. Even if you have a previous CSR file, you must generate a new one for renewal.
2. Click **Generate CSR** to create a new certificate signing request. Once generation completes, click **Download CSR** to save the file. The filename will be similar to `pass.cloud.thewalletcrew.{yourbrand}.csr`.
The Wallet Crew Apple configuration showing Generate CSR for renewal
The Wallet Crew Apple configuration showing Download CSR for renewal
{% endstep %}
{% step %}
**Upload CSR to Apple and download renewed certificate**
Return to the Apple Developer Portal. In the certificate creation workflow, upload the new CSR file you just downloaded from The Wallet Crew.
Click **Continue** to generate the renewed certificate, then click **Download** to save the new `pass.cer` file.
Apple Developer Portal download screen for the renewed pass certificate
{% endstep %}
{% step %}
**Upload renewed certificate to The Wallet Crew**
Navigate to The Wallet Crew Apple Configuration page. Upload the renewed `pass.cer` certificate file.
Review the new expiration date to confirm it's been extended for another year, then click **Apply Certificate**.
**Renewal complete:** Your certificate is renewed for another year. All existing passes continue working seamlessly, and new passes will be signed with the renewed certificate.
The Wallet Crew Apple configuration showing upload of the renewed certificate and Apply Certificate
{% endstep %}
{% endstepper %}
## FAQ
What is a Pass Type ID and why do I need one?
A Pass Type ID is your issuer identifier in Apple’s ecosystem (for example `pass.com.thewalletcrew.{tenantId}`). It tells Apple and iOS devices which organization is allowed to issue and sign passes, which is why it’s required for any Apple Wallet deployment. Most brands use one Pass Type ID across all their pass types.
What's the difference between a CSR, certificate, and APNs key?
The CSR is a request file generated in The Wallet Crew that you upload to Apple. Apple uses it to generate your signing certificate, which is the credential used to sign every pass. The APNs key is separate. It’s what lets The Wallet Crew authenticate to Apple Push Notification service to trigger updates for passes already installed on devices.
Why do I need a certificate (.cer) and an APNs key (.p8)?
Apple Wallet splits “trust” into two pieces. The `.cer` certificate signs your passes, so devices can verify the pass is authentic and hasn’t been tampered with. The `.p8` APNs key authenticates the push channel, so Apple accepts update notifications for your passes and devices know they should refresh.
How long does Apple Developer Program enrollment take?
For organizations, Apple typically approves enrollment in 2–5 business days. Sometimes they ask for extra verification around your D‑U‑N‑S number or company identity. Once approved, the wallet certificate setup usually takes around 1–2 hours.
Can I use an individual Apple Developer account instead of organization?
You technically can, but it’s rarely a good idea. Individual accounts show a personal name on passes and don’t support the same team workflows. Most businesses should enroll as an organization (same $99/year price).
What happens if my certificate expires?
If the certificate expires, issuing and updating passes can fail. Passes already installed may still display, but they won’t reliably receive updates. Renew at least two weeks before expiration; Apple usually sends reminders about 30 days before.
Do I need to renew the APNs authentication key?
No. APNs keys do not expire, so you don’t renew them. You normally renew only the Pass Type ID certificate each year. If you revoke the APNs key in Apple’s portal, you must create a new one and upload it to The Wallet Crew.
Can I revoke delegated access after initial setup?
Yes. Once everything is configured, you can remove the delegated admin user from App Store Connect and the integration will keep working. Delegation is only needed for initial setup, and it’s optional for renewals.
What if I can't find my Pass Type Identifier in The Wallet Crew console?
You’ll find it on the Apple Configuration page under **Pass Type Identifier**. If it’s empty or errors, contact your point of contact at The Wallet Crew. Your tenant may need a small setup step before Apple configuration is available.
Why must I use "production" APNs environment, not "sandbox"?
Apple Wallet uses the production APNs environment, even for testing. Sandbox is meant for iOS app development, not passes. If you configure sandbox by mistake, push updates won’t work reliably.
How do I know if my configuration is working correctly?
Create a test pass in The Wallet Crew and add it to an iPhone. If it installs and shows your organization name, signing works. Then change a simple field (like a balance or text) and confirm the installed pass refreshes within a few seconds.
What should I do with the .p8 APNs key file after uploading?
Store the `.p8` file like a password, ideally in a password manager or secure document storage. You may need it later for audits, reconfiguration, or if Apple asks you to verify your APNs setup. Don’t commit it to version control and don’t send it over unencrypted email.
Can I use the same Apple Developer account for multiple brands?
Yes, but each brand should use its own Pass Type ID. One Apple Developer account can host multiple Pass Type IDs, each with its own certificate. In The Wallet Crew, each tenant maps to its own Apple configuration.
We already have existing passes. How do we migrate to The Wallet Crew?
This is a **migration** of live passes, not a normal “renewal”.
For Apple, the key constraint is issuer identity. In practice, you keep the **same Pass Type ID**, export the existing pass technical data (like serial number + auth token), then repoint updates to The Wallet Crew.
Follow the dedicated guide: [Move passes to The Wallet Crew](https://docs.thewalletcrew.io/configure/wallet/import-and-export/move-pass-from-and-to-the-wallet-crew/move-passes-to-the-wallet-crew).
If you are leaving The Wallet Crew, use: [Export passes from The Wallet Crew to another provider](https://docs.thewalletcrew.io/configure/wallet/import-and-export/move-pass-from-and-to-the-wallet-crew/export-passes-from-the-wallet-crew-to-another-provider).
