Inquiry About Upcoming Changes to APNs Certificates

Hello,

I’m reaching out to gather information regarding the upcoming changes to APNs certificates that are set to be implemented in the beta at the end of January 2025.

Specifically, I would like to understand the following:

What will be the practical impact of these changes on the APNs APIs?
What actually needs to be done at the trust store for these changes, and how will it affect our current setup?
What steps do we need to take to update the certificates on our servers?

It’s crucial for us to address these changes in advance and keep our customers informed.

Thank you for your help!

What will be the practical impact of these changes on the APNs APIs?

Once the changeover occurs, APNs will no longer accept the old certificate and you will no longer be able to send push notifications unless your servers have added the new certificate.

What actually needs to be done at the trust store for these changes, and how will it affect our current setup?

What specifically needs to be done to install the new certificate in the trust store will differ across operating systems and may also differ depending on the push application you are using. This is something your server admins will know and should be able to check and configure as necessary.

What steps do we need to take to update the certificates on our servers?

This is something you should ask your server admins.

Thank you for the feedback.

We are using the p8 key for APNs, so will this change apply there as well, since certificates are not being used?


Hi @Engineer, as @Japheth_Bandarkar asked, can you clarify whether the change of the Certification Authority (CA) for the Apple Push Notification service affects the p8 token-based connection to APNs? Thank you.

Hi @Apple Engineer, we have the exact same question, but there is no clear information from Apple.

We are also using the token-based connection (p8 key) for APNs. Do we need to make any change related to this?

Hi @Engineer, we are also using the token-based connection (p8 key) for APNs. Are we supposed to make any change?

@Engineer, I have the same question as everyone else here. Will the p8 key be impacted by this change? Your answer is much appreciated!

Hi @Engineer, any update on this topic?

Hi @Engineer, we are using Firebase Cloud Messaging (FCM) to send push notifications to iOS. Are we supposed to make any change?

Hi everyone,

Here's a bunch of information I put together to clarify this topic. I hope it helps anyone looking for a clear explanation.

A first thing you need to know

The "SHA-2 Root: USERTrust RSA Certification Authority" certificate is a Root "Certificate Authority" certificate.

How does a "Certificate Authority" certificate work?

When your server (or any client, actually) opens a connection using TLS to another server, a handshake occurs:

  • The remote server sends a TLS/SSL certificate issued by a Certificate Authority (CA). This certificate is proof of the remote server's identity.
  • Your local system checks the authenticity of this certificate using its "Trust Store". This store contains the list of certificate authorities (CAs) and their corresponding Root CA certificates your system can trust. (It is basically like a whitelist.)
  • If the received TLS/SSL certificate has been issued by an authority (CA) your system trusts and matches the corresponding Root CA certificate, the connection can carry on. Otherwise it is blocked, for obvious security reasons.

So, is this thing related to the way my back-end app/service authenticates to APNs?

The answer is no; these are two different concerns.

There has been a lot of confusion recently between "certificate-based authentication" to APNs and the "Root CA certificate". To clarify:

  • The SSL certificate issued by Apple is used by your back-end app/service to authenticate to APNs (and also to establish a TLS connection).
  • The Root CA certificate is used only to establish a secured connection to APNs, prior to any authentication.

Read more here: Establishing a certificate-based connection to APNs

Also note that you may be using token (JWT) based authentication. In this case, you haven't done anything with certificate signing requests, and this is completely OK. I'm also pretty sure token-based authentication is recommended now.

So what should I do?

If you are using a third-party service like Firebase, you probably don't have anything to do. The service you are using has probably already handled this.

If you are using your own back-end app/service to communicate with APNs and your hosting solution is PaaS, serverless (or anything that is a service that manages system configuration for you), you also probably don't have anything to do. Your hosting service most likely updates the trust stores on a regular basis. Otherwise, contact your service's support, as you won't be able to update it yourself.

Finally, if you are using your own back-end app/service and hosting it on a system you manage (like a dedicated server, VPS, etc.), you must:

  • Check if the USERTrust RSA Certification Authority certificate is already in your Trust Store.
  • If it is included, great, you don't have anything to do. Otherwise, you need to add it.

The operation may vary depending on the OS installed on your server. Also note that you may already have this Root CA certificate installed if your system is up to date.

If you spot any inaccuracies, feel free to share your corrections or additional clarifications in the comments. Thank you!
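The check described in the previous post (is the USERTrust RSA Certification Authority root already in your trust store?) can be scripted. The following is an added example, not code from the thread or from Apple. It assumes a server where the push client goes through OpenSSL's default store, which is what Python's `ssl` module loads via `ssl.create_default_context()` on a typical Linux host; other operating systems and push libraries may consult a different store, so treat the result as one data point and confirm with your platform's own tooling. The `SAMPLE_STORE` list is a constructed stand-in for the dictionaries `get_ca_certs()` returns, so the matching logic can be exercised offline.

```python
"""Check a trust store for a root CA by its subject commonName.

Added example, not from the thread. Assumption: the push client uses the
OpenSSL default store that ssl.create_default_context() loads. A 'present'
result is one data point; a different OS or push library may use its own
store, so confirm with that platform's tooling as well.
"""
import ssl

# Subject commonName of the root CA the thread refers to.
TARGET_CN = "USERTrust RSA Certification Authority"

# Constructed sample in the shape SSLContext.get_ca_certs() returns, used to
# exercise the matching logic offline; it is not a real trust store dump.
SAMPLE_STORE = [
    {
        "subject": (
            (("countryName", "US"),),
            (("organizationName", "Example Org"),),
            (("commonName", "Example Root CA"),),
        ),
    },
    {
        "subject": (
            (("countryName", "US"),),
            (("organizationName", "The USERTRUST Network"),),
            (("commonName", "USERTrust RSA Certification Authority"),),
        ),
    },
]


def subject_cn(cert):
    """Return the commonName from a certificate dict's 'subject' RDN sequence.

    get_ca_certs() encodes the subject as a tuple of RDNs, each RDN being a
    tuple of (attribute_type, value) pairs; commonName is what admins look for.
    """
    for rdn in cert.get("subject", ()):
        for attr_type, value in rdn:
            if attr_type == "commonName":
                return value
    return None


def find_ca(certs, common_name):
    """Return the first certificate whose subject CN equals common_name, else None."""
    for cert in certs:
        if subject_cn(cert) == common_name:
            return cert
    return None


def loaded_ca_certs(cafile=None):
    """CA certificates loaded into a client context.

    With cafile=None the OpenSSL default paths are used. Directory-style
    stores (hashed symlinks) are loaded lazily by OpenSSL, so an empty list
    can be a false negative; pointing cafile at the bundle file avoids that.
    """
    ctx = ssl.create_default_context()
    if cafile is not None:
        ctx.load_verify_locations(cafile=cafile)
    return ctx.get_ca_certs()


def trust_store_has(common_name=TARGET_CN, cafile=None):
    """True if the loaded store contains a root with the given subject CN."""
    return find_ca(loaded_ca_certs(cafile), common_name) is not None


def report(common_name=TARGET_CN, cafile=None):
    """Operator-facing summary line; returned so callers can log or assert on it."""
    if trust_store_has(common_name, cafile):
        return f"OK: '{common_name}' is present in the loaded trust store."
    return (f"MISSING: '{common_name}' not found in the loaded trust store; "
            "add the root CA or update the OS CA bundle before the changeover.")


if __name__ == "__main__":
    import sys
    # Optional argument: path to a specific CA bundle file to inspect.
    print(report(cafile=sys.argv[1] if len(sys.argv) > 1 else None))
```

Run it with no arguments to inspect the default store, or pass the path of a specific PEM bundle (for example the file your push library is configured with) to inspect that instead. A MISSING result on a system you manage is the case the thread says you must act on; on PaaS or serverless hosting the bundle is the provider's to update.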
