Apple Push Notification service server certificate update

On March 29, 2021, token and certificate-based HTTP/2 connections to the Apple Push Notification service must incorporate the new root certificate (AAACertificateServices 5/12/2020) which replaces the old GeoTrust Global CA root certificate.

You can find the full announcement including a link to the new certificate here: https://developer.apple.com/news/?id=7gx0a2lp

Your servers will need the new root certificate in order to be able to trust the APNs servers. To ensure a seamless transition and to avoid push notification delivery failures, verify that both the old and new root certificates for the HTTP/2 interface are included in the Trust Store of each of your notification servers before March 29.

You can add the new root certificate to your Trust Store at any point before the deadline, and do not have to wait until March 29th to do so.

Note that Apple Push Notification service SSL provider certificates issued to you by Apple DO NOT need to be updated at this time.

Please respond in this thread if you have further questions.

"verify that both the old and new root certificates for the HTTP/2 interface are included in the Trust Store of each of your notification servers before March 29"

How can I verify that the required certificates (AAACertificateServices) are included in the Trust Store of my backend server?

My backend server's OS is Ubuntu 18.04.3 LTS.


Question: I use the Axway platform to send push notifications. The way to do it is to convert my Apple Push Notification certificate to p12 format on my Mac and then load it on the Axway online dashboard.
This morning I created a new Apple Push Notification certificate (the old one expires in a few days), I downloaded and installed it in my keychain, then I downloaded and installed the "AAA certificate services" and then I created the new P12 certificate for the Axway dashboard. Is it enough? How can I check whether or not my new p12 certificate has the root "AAA certificate services"? Thank you in advance
It seems that I have the same situation as @ds_wrg: we are using npm package to connect to APN on our server-side with a .p8 file and not using any certificates.

The package we use:
https://github.com/node-apn/node-apn#readme

It is “Based on HTTP/2 based provider API”.
And we use, if I understand correctly, the token-based authentication way. I.e., to create a new connection we use such kind of data only:

token: {
  key: "path/to/APNsAuthKey_XXXXXXXXXX.p8",
  keyId: "key-id",
  teamId: "developer-team-id"
},


So the question:
1) do these “root certificates” changes affect us in any way?
2) And if so, what and where should be changed for us?

I have the same question others have asked - we are using the JWT token approach to authenticate when sending notifications. During that process we use a .p8 file to help generate the token. The information about the changes we received from Apple clearly indicates token connections are affected ("On March 29, 2021, token and certificate-based HTTP/2 connections to the Apple Push Notification service must incorporate the new root certificate ..."), but it's not clear how.
@sal_from_new_york

Thanks for replying. I will tell my server guy to check the certificates in the locations you mentioned on our Ubuntu server.

/etc/ssl/certs/
 or /etc/ssl/certs/ca-certificates.crt

If it's not there, I think we are supposed to place the certificate there. The AAA cert can be downloaded from the Sectigo knowledge base website as mentioned in the update. For some reason, I can't paste the link here. It says the URL can't be included.

Thanks


@sal_from_new_york where did you get this information? I'm using Ubuntu 20.04 LTS, which should be pretty updated, but I can't find the AAACertificateServices Root CA, only the other two found in the Sectigo link: USERTrustRSAAAACA 5/12/2020 and COMODORSAAAACA 5/12/2020. I wonder if this is enough. I don't know how to test if this is enough.
@sal

Thank you very much for posting the TSI and submitting a detailed response here.
Much appreciated!
We have the new cert installed on our server however when we try to connect using:
~$ openssl s_client -showcerts -connect api.sandbox.push.apple.com:443

We get the following

CONNECTED(00000003)
depth=1 CN = Apple Public Server RSA CA 12 - G1, O = Apple Inc., ST = California, C = US
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/CN=api.development.push.apple.com/OU=management:idms.group.533599/O=Apple Inc./ST=California/C=US
   i:/CN=Apple Public Server RSA CA 12 - G1/O=Apple Inc./ST=California/C=US
-----BEGIN CERTIFICATE-----
.........

This line:
unable to get local issuer certificate

is what concerns me. What are we doing wrong here?
Also this line concerns me more and may have more clues as to the problem:

HTTP/2 client preface string missing or corrupt. Hex dump for received bytes: 0a
read:errno=0

Can anyone help direct me on this matter? I'm an iOS dev so I'm not used to handling these types of issues.
@sal_from_new_york I actually copied all the three new certs to /etc/ssl/certs/.

Do I have to run "update-ca-certificates" to make sure they are updated?

Thanks in advance
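An added shell example, not code from the thread, Apple or node-apn, that answers the "how can I verify the root is in the Trust Store" question above and repeats the openssl s_client check from the thread with the bundle passed explicitly. It assumes the root subject CNs "AAA Certificate Services" (new) and "GeoTrust Global CA" (old) and the production host api.push.apple.com; only the sandbox host appears in the thread.

```shell
#!/bin/sh
# Added example (not code from the thread or from Apple): checks an Ubuntu-style
# PEM trust bundle for the APNs root CAs and verifies the live APNs chain
# against it. Assumed: root subject CNs "AAA Certificate Services" (new) and
# "GeoTrust Global CA" (old); production host api.push.apple.com.
set -eu

# Succeeds if a certificate whose subject CN matches $2 is in PEM bundle $1.
# crl2pkcs7 | pkcs7 -print_certs prints one subject= line per certificate,
# as "CN = x" (OpenSSL 1.1+) or "/CN=x" (OpenSSL 1.0); the regex takes both.
root_in_bundle() {
  openssl crl2pkcs7 -nocrl -certfile "$1" 2>/dev/null \
    | openssl pkcs7 -print_certs -noout 2>/dev/null \
    | grep -q "^subject=.*CN *= *$2"
}

# Succeeds if certificate file $2 chains to a root in bundle $1 (offline check).
verify_against_bundle() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Succeeds if the chain served by host $1 verifies against bundle $2.
# s_client speaks TLS but not HTTP/2, so the server's "client preface string
# missing" text seen in the thread is expected and unrelated to trust;
# "Verify return code: 0 (ok)" is the line that matters.
apns_chain_ok() {
  out=$(openssl s_client -connect "$1:443" -servername "$1" -CAfile "$2" \
        </dev/null 2>&1 || true)
  printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)'
}

# Usage: check_apns_trust [bundle.pem]; defaults to Ubuntu's system bundle.
check_apns_trust() {
  bundle="${1:-/etc/ssl/certs/ca-certificates.crt}"
  for cn in "AAA Certificate Services" "GeoTrust Global CA"; do
    if root_in_bundle "$bundle" "$cn"; then echo "present: $cn"
    else echo "MISSING: $cn"; fi
  done
  for host in api.sandbox.push.apple.com api.push.apple.com; do
    if apns_chain_ok "$host" "$bundle"; then echo "chain ok:    $host"
    else echo "chain FAILS: $host"; fi
  done
}
```

On Ubuntu a root dropped into /etc/ssl/certs/ as a loose file is not what ca-certificates.crt contains; place it as a .crt under /usr/local/share/ca-certificates/ and run update-ca-certificates, then re-run check_apns_trust to confirm both the subject lookup and the live chain verification pass.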