We offer a white-glove concierge setup — $299 one-time. Book a screenshare and we handle every Apple-portal step with you watching.
Why You Need a Certificate
Apple requires every business distributing Wallet passes to sign them with their own certificate. This proves to Apple (and your customers) that the pass is authentic and hasn't been tampered with.
PassThru stores your certificate in Azure Key Vault (HSM-backed, FIPS 140-2 Level 2). Your private signing key is never exposed — all signing happens inside the vault.
Step 1 — Join the Apple Developer Program
If you don't already have one, enroll at developer.apple.com/programs. The cost is $99/year, paid directly to Apple.
If you already have an Apple Developer account (for apps, etc.), you're good — skip to Step 2.
Step 2 — Create a Pass Type ID
- Go to Certificates, Identifiers & Profiles
- Click Identifiers in the sidebar
- Click the + button
- Select Pass Type IDs and click Continue
- Enter a description (e.g., "My Business Loyalty Card") and an identifier (e.g.,
pass.com.yourbusiness.loyalty) - Click Register
Step 3 — Create a Pass Signing Certificate
- Go to Certificates
- Click the + button
- Under Services, select Pass Type ID Certificate and click Continue
- Select the Pass Type ID you just created and click Continue
- Follow the instructions to create a Certificate Signing Request (CSR) using Keychain Access on your Mac:
- Open Keychain Access (Applications → Utilities)
- Go to Keychain Access → Certificate Assistant → Request a Certificate from a Certificate Authority
- Enter your email, leave CA Email blank, select Saved to disk
- Save the
.certSigningRequestfile
- Upload the CSR file to Apple
- Download the generated
.cercertificate
Step 4 — Export as .p12 File
- Double-click the downloaded
.cerfile to add it to Keychain Access - In Keychain Access, find the certificate under My Certificates (look for "Pass Type ID: pass.com.yourbusiness...")
- Right-click the certificate → Export
- Choose .p12 format
- Set a password (you'll need this when uploading to PassThru)
- Save the file
The .p12 contains your private signing key. Never share it publicly or commit it to a repository.
Step 5 — Upload to PassThru
- Log in to the PassThru Dashboard
- Go to Settings → Certificate
- Click Upload Certificate
- Select your
.p12file and enter the password you set - PassThru will securely store your certificate in Azure Key Vault
Once uploaded, all passes you generate will be signed with your certificate under your brand. Your private key is stored in HSM-backed Azure Key Vault and never leaves the vault — all signing happens remotely.
Frequently Asked Questions
Do I need a Mac to create the certificate?
You need a Mac for the CSR generation (Keychain Access) and .p12 export. If you don't have a Mac, contact us at support@passthru.dev and we can help with alternative methods.
How long does the certificate last?
Apple Pass certificates are valid for 1 year. PassThru can auto-renew them for you before they expire — no manual intervention needed.
Can I use the same certificate for multiple pass types?
Each Pass Type ID gets its own certificate. If you want different pass types (e.g., loyalty + event tickets), create separate Pass Type IDs and certificates.
What happens to my certificate in PassThru?
Your certificate is stored in Azure Key Vault with HSM-backed encryption (FIPS 140-2 Level 2). The private key never leaves the vault — PassThru signs passes remotely via the Key Vault CryptographyClient. Even our own engineers cannot extract your private key.
Can I use the free tier without a certificate?
Yes. Free tier passes are signed with PassThru's demo certificate and show "PassThru" branding. They work perfectly for testing and prototyping. When you're ready to go live with your own brand, upgrade and upload your cert.
Need Help?
Contact us at support@passthru.dev — we'll walk you through it. Or book the concierge setup and skip the whole thing.