Certificate Setup Guide

Required for Pro & Business plans to distribute passes under your own brand

Setup Time: 5 min
Apple Developer Program: $99 / yr
HSM: Your Key Is Vault-Protected

Why You Need a Certificate

Apple requires every business distributing Wallet passes to sign them with their own certificate. This proves to Apple (and your customers) that the pass is authentic and hasn't been tampered with.

PassThru stores your certificate in Azure Key Vault (HSM-backed, FIPS 140-2 Level 2). Once uploaded, your private signing key is never exposed: all signing happens inside the vault.

Step 1: Join the Apple Developer Program

If you don't already have one, enroll at developer.apple.com/programs. The cost is $99/year, paid directly to Apple.

If you already have an Apple Developer account (for apps, etc.), you're good — skip to Step 2.

Step 2: Create a Pass Type ID

  1. Go to Certificates, Identifiers & Profiles
  2. Click Identifiers in the sidebar
  3. Click the + button
  4. Select Pass Type IDs and click Continue
  5. Enter a description (e.g., "My Business Loyalty Card") and an identifier (e.g., pass.com.yourbusiness.loyalty)
  6. Click Register

Step 3: Create a Pass Signing Certificate

  1. Go to Certificates
  2. Click the + button
  3. Under Services, select Pass Type ID Certificate and click Continue
  4. Select the Pass Type ID you just created and click Continue
  5. Follow the instructions to create a Certificate Signing Request (CSR) using Keychain Access on your Mac:
    • Open Keychain Access (Applications → Utilities)
    • Go to Keychain Access → Certificate Assistant → Request a Certificate from a Certificate Authority
    • Enter your email, leave CA Email blank, select Saved to disk
    • Save the .certSigningRequest file
  6. Upload the CSR file to Apple
  7. Download the generated .cer certificate

Step 4: Export as .p12 File

  1. Double-click the downloaded .cer file to add it to Keychain Access
  2. In Keychain Access, find the certificate under My Certificates (look for "Pass Type ID: pass.com.yourbusiness...")
  3. Right-click the certificate → Export
  4. Choose .p12 format
  5. Set a password (you'll need this when uploading to PassThru)
  6. Save the file

Keep this file safe. The .p12 contains your private signing key. Never share it publicly or commit it to a repository.

Step 5: Upload to PassThru

  1. Log in to the PassThru Dashboard
  2. Go to Settings → Certificate
  3. Click Upload Certificate
  4. Select your .p12 file and enter the password you set
  5. PassThru will securely store your certificate in Azure Key Vault

Once uploaded, all passes you generate will be signed with your certificate under your brand. Your private key is stored in HSM-backed Azure Key Vault and never leaves the vault — all signing happens remotely.
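
Before the upload in Step 5, the exported .p12 can be checked from Terminal. This is an added example, not PassThru's or Apple's tooling: the names check_pass_p12 and P12_PASSWORD are made up for illustration, and it assumes the certificate's common name has the form Keychain Access shows in Step 4 ("Pass Type ID: " followed by the identifier).

```bash
#!/usr/bin/env bash
# Added example: pre-upload check for an exported Pass Type ID .p12.
# The password is read from the P12_PASSWORD environment variable so it is
# not passed on the command line.

# Run "openssl pkcs12" on FILE. Retry with -legacy, which OpenSSL 3.x may
# need for the older ciphers used by Keychain Access exports.
p12() {
  local file=$1; shift
  openssl pkcs12 -in "$file" -passin env:P12_PASSWORD "$@" 2>/dev/null ||
    openssl pkcs12 -legacy -in "$file" -passin env:P12_PASSWORD "$@" 2>/dev/null
}

# check_pass_p12 FILE PASS_TYPE_ID (hypothetical helper name)
# Returns: 0 ok, 1 cannot open (bad file or password), 2 no private key,
#          3 certificate is for another Pass Type ID, 4 certificate expired,
#          5 file is readable by group or others.
check_pass_p12() {
  local file=$1 want=$2 cert cn
  cert=$(p12 "$file" -nokeys -clcerts) || return 1

  # The export must include the private key, or nothing can be signed.
  # The decrypted key only travels through a pipe; it is never written to disk.
  p12 "$file" -nocerts -nodes | grep -c 'PRIVATE KEY' >/dev/null || return 2

  # Assumption: the common name is "Pass Type ID: <identifier>", the form
  # Keychain Access displays under My Certificates.
  cn=$(printf '%s\n' "$cert" |
       openssl x509 -noout -nameopt multiline -subject 2>/dev/null |
       sed -n 's/^ *commonName *= //p')
  [ "$cn" = "Pass Type ID: $want" ] || return 3

  # -checkend 0 fails when the certificate has already expired.
  printf '%s\n' "$cert" | openssl x509 -noout -checkend 0 >/dev/null 2>&1 || return 4

  # Permission bits for group and others must all be clear (chmod 600).
  [ "$(ls -ld "$file" | cut -c5-10)" = "------" ] || return 5
}

# Usage (values are placeholders):
#   read -rs P12_PASSWORD && export P12_PASSWORD
#   check_pass_p12 ~/Desktop/pass.p12 pass.com.yourbusiness.loyalty; echo "exit: $?"
```

A non-zero exit code identifies which check failed; fix that before uploading rather than discovering it from a rejected upload.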

Frequently Asked Questions

Do I need a Mac to create the certificate?

You need a Mac for the CSR generation (Keychain Access) and .p12 export. If you don't have a Mac, contact us at support@passthru.dev and we can help with alternative methods.

How long does the certificate last?

Apple Pass certificates are valid for 1 year. PassThru can auto-renew them for you before they expire — no manual intervention needed.

Can I use the same certificate for multiple pass types?

Each Pass Type ID gets its own certificate. If you want different pass types (e.g., loyalty + event tickets), create separate Pass Type IDs and certificates.

What happens to my certificate in PassThru?

Your certificate is stored in Azure Key Vault with HSM-backed encryption (FIPS 140-2 Level 2). The private key never leaves the vault — PassThru signs passes remotely via the Key Vault CryptographyClient. Even our own engineers cannot extract your private key.

Can I use the free tier without a certificate?

Yes. Free tier passes are signed with PassThru's demo certificate and show "PassThru" branding. They work perfectly for testing and prototyping. When you're ready to go live with your own brand, upgrade and upload your cert.

Need Help?

Contact us at support@passthru.dev — we'll walk you through it.

© 2026 Marckoy Industries LLC. All rights reserved.