How should I manage iOS certificates and keys with contract developers?

Question

I have an iPhone app that was built with by a contract developer (Dev 1). Dev 1 gave me copies of all the certificates and keys that were used to sign and publish the app:

Dev 1 is no longer working on this project and I've moved on to another developer (Dev 2).

My questions are:

1. Is there any security risk with Dev 1 still having copies of all these certificates/keys? If I revoke his access to the company Apple Developer Program account can he do anything with them?
2. Which certificates/keys are needed by Dev 2 to be able to sign and publish an update to the app?
3. Obviously in a best-case situation Dev 1 would have kept developing the app indefinitely. But in the case where there are Devs 1, 2, 3 etc (successively working on the app), what is considered the best practice for the safe handling of keys and certificates for publishing? Especially if the company itself doesn't have the expertise (or a Mac!) to publish the app to the App Store in-house?

Answer 1

If you contract out to a developer, add him to your own developer account. This way you keep control of certificates and keys.