Secure your communications with APNs by installing a certificate on your provider server.
With certificate-based authentication, you use a provider certificate to establish a secure connection between your provider server and APNs. You obtain this certificate from Apple through your developer account.
Because trust is established at the server-level, individual notification requests contain only your payload and a device token. They don't include an authentication token, which reduces the size of each notification request slightly.
You can use a provider certificate to send notifications to a single app, or to the Apple Watch complication or background VoIP services associated with that app. To send remote notifications to multiple apps, you must create separate certificates for each app. You must also manage separate APNs connections for each app’s notifications. As a result, it is often simpler to use token-based authentication to support multiple apps.
Obtain a Provider Certificate from Apple
You obtain a provider certificate from your developer account on developer.apple.com. In the certificates section:
Add a new certificate.
Select Apple Push Notification service SSL (Sandbox & Production) for the type and click Continue.
Select the App ID of your app and click Continue. (Certificates must be tied to a specific app.)
Generate a Certificate Signing Request (CSR) on your server.
Upload your CSR file and click Continue.
Download the resulting certificate.
Tie a different provider certificate to each app, whose App ID you specify when creating the certificate. You must also tie your certificate to a Certificate Signing Request (CSR), which is the private key used to encrypt the certificate. The certificate itself becomes the public key that you exchange with APNs.
Install both the certificate and the private key on your provider server. In macOS, double-clicking the certificate installs it in Keychain Access automatically. If you created your CSR file from your provider server, Keychain Access installs the key in your keychain automatically.
Establish Trust with APNs
With your certificates installed, Figure 2 shows the sequence of steps that occur when you open a connection to the APNs server. After requesting a secure connection using transport layer security (TLS), APNs responds by sending over a certificate for your provider server to validate. After validating that certificate, you send your provider certificate back to APNs, which validates it and completes the secure connection. After that, you can begin sending remote notification requests to APNs.
If you think your certificate or private key has been compromised, you can revoke your certificate from your developer account. APNs maintains a list of revoked certificates, and it refuses TLS connections from servers whose certificates are on that list. If your server is using a revoked certificate, close all existing connections to APNs and configure a new provider certificate for your server before opening any new connections.