Ensure a valid push profile is active, creating a new one if needed (via pem)

Automatically generate and renew your push notification profiles

Tired of manually creating and maintaining your push notification profiles for your iOS apps? Tired of generating a pem file for your server?

pem does all that for you, just by simply running pem.

pem creates new .pem, .cer, and .p12 files to be uploaded to your push server if a valid push notification profile is needed. pem does not cover uploading the file to your server.

To automate iOS Provisioning profiles you can use match.

FeaturesUsageHow does it work?TipsNeed help?

pem is part of fastlane: The easiest way to automate beta deployments and releases for your iOS and Android apps.


Well, it's actually just one: Generate the pem file for your server.

Check out this gif:



fastlane pem

Yes, that's the whole command!

This does the following:

  • Create a new signing request
  • Create a new push certification
  • Downloads the certificate
  • Generates a new .pem file in the current working directory, which you can upload to your server

Note that pem will never revoke your existing certificates. pem can't download any of your existing push certificates, as the private key is only available on the machine it was created on.

If you already have a push certificate enabled, which is active for at least 30 more days, pem will not create a new certificate. If you still want to create one, use the force:

fastlane pem --force

You can pass parameters like this:

fastlane pem -a -u username

If you want to generate a development certificate instead:

fastlane pem --development

If you want to generate a Website Push certificate:

fastlane pem --website_push

Set a password for your p12 file:

fastlane pem -p "MyPass"

You can specify a name for the output file:

fastlane pem -o my.pem

To get a list of available options run:

fastlane action pem

Note about empty p12 passwords and Keychain

pem will produce a valid p12 without specifying a password, or using the empty-string as the password. While the file is valid, the Mac's Keychain Access will not allow you to open the file without specifying a passphrase.

Instead, you may verify the file is valid using OpenSSL:

openssl pkcs12 -info -in my.p12

If you need the p12 in your keychain, perhaps to test push with an app like Knuff or Pusher, you can use openssl to export the p12 to pem and back to p12:

% openssl pkcs12 -in my.p12 -out my.pem
Enter Import Password:
  <hit enter: the p12 has no password>
MAC verified OK
Enter your pem passphrase:
  <enter a temporary password to encrypt the pem file>

% openssl pkcs12 -export -in my.pem -out my-with-passphrase.p12
Enter pass phrase for temp.pem:
  <enter the temporary password to decrypt the pem file>

Enter Export Password:
  <enter a password for encrypting the new p12 file>

Environment Variables

Run fastlane action pem to get a list of available environment variables.

How does it work?

pem uses spaceship to communicate with the Apple Developer Portal to request a new push certificate for you.

How is my password stored?

pem uses the password manager from fastlane. Take a look the CredentialsManager README for more information.

Supported platforms ios, mac
Author @KrauseFx

3 Examples

pem # alias for "get_push_certificate"
  force: true, # create a new profile, even if the old one is still valid
  app_identifier: "net.sunapps.9", # optional app identifier,
  save_private_key: true,
  new_profile: proc do |profile_path| # this block gets called when a new profile was generated
    puts profile_path # the absolute path to the new PEM file
    # insert the code to upload the PEM file to the server


Key Description Default
platform Set certificate's platform. Used for creation of production & development certificates. Supported platforms: ios, macos ios
development Renew the development push certificate instead of the production one false
website_push Create a Website Push certificate false
generate_p12 Generate a p12 file additionally to a PEM file true
active_days_limit If the current certificate is active for less than this number of days, generate a new one 30
force Create a new push certificate, even if the current one is active for 30 (or PEM_ACTIVE_DAYS_LIMIT) more days false
save_private_key Set to save the private RSA key true
app_identifier The bundle identifier of your app *
username Your Apple ID Username *
team_id The ID of your Developer Portal team if you're in multiple teams *
team_name The name of your Developer Portal team if you're in multiple teams *
p12_password The password that is used for your p12 file
pem_name The file name of the generated .pem file
output_path The path to a directory in which all certificates and private keys should be stored .
new_profile Block that is called if there is a new profile

* = default value is dependent on the user's system


To show the documentation in your terminal, run

fastlane action get_push_certificate


It is recommended to add the above action into your Fastfile, however sometimes you might want to run one-offs. To do so, you can run the following command from your terminal

fastlane run get_push_certificate

To pass parameters, make use of the : symbol, for example

fastlane run get_push_certificate parameter1:"value1" parameter2:"value2"

It's important to note that the CLI supports primitive types like integers, floats, booleans, and strings. Arrays can be passed as a comma delimited string (e.g. param:"1,2,3"). Hashes are not currently supported.

It is recommended to add all fastlane actions you use to your Fastfile.

Source code

This action, just like the rest of fastlane, is fully open source, view the source code on GitHub

Back to actions