Apple Push Notification service server certificate

Do we need this new certificate "SHA-2 Root : USERTrust RSA Certification Authority certificate" if we are using token-based authentication with APNs? We are signing the JWT with the private Auth key.

Or is the new certificate needed on top of this? We are doing something like this:

```csharp
using System.Collections.Generic;
using Jose; // jose-jwt package, provides JWT and JwsAlgorithm

Dictionary<string, object> payload = new Dictionary<string, object>()
{
    { "iss", teamId },        // Apple Developer Team ID
    { "iat", unixTimestamp }  // Issued-at time
};

Dictionary<string, object> header = new Dictionary<string, object>()
{
    { "alg", "ES256" },
    { "kid", keyId }          // Key ID from Apple Developer portal
};

string token = JWT.Encode(payload, privateKey, JwsAlgorithm.ES256, header);
```

Yes, this certificate is still needed. This is a certificate that enables creating a secure connection to APNs hosts and is needed regardless of whether your authentication method is an APNs key or an APNs certificate.

The new root certificate is already active in the APNs development environment. You can test that the new certificate is installed correctly by trying to send a development push notification to api.sandbox.push.apple.com:443.


Argun Tekant / DTS Engineer / Core Technologies

Hi Argun,

Thank you for your quick response and detailed explanation.

One question for clarification: I attempted to test the sandbox endpoint (api.sandbox.push.apple.com) by sending push notifications, and I noticed that push notifications were still successfully delivered even after I removed both the old AAA Certificate Services root CA and the new SHA-2 Root: USERTrust RSA Certification Authority certificate from my provider server.

To properly validate that the new certificate is required and working as intended, I’d like to understand the best approach. Specifically:

How can I ensure that the absence of the new certificate prevents notifications, and its presence enables them? Are there additional steps required to configure my environment for this validation? I want to ensure that the new certificate is installed and functioning correctly before the production cut-off date.

Thank you for your guidance!

Best regards,

Do Hyung

I can't comment on how you can specifically test on your servers as I don't know how they are set up.

Perhaps the new certificate (which is not unique to APNs) has already been installed and present on the server, and when you removed the newly installed copy, it did not make a difference.

It was due to how Windows handles root certificates. Even after removing both certificates, notifications still worked because Windows automatically manages root certificates through its Trusted Root Certificate Program. Once I explicitly disabled the certificate purposes for the AAA Certificate Services certificate, push notifications stopped working, confirming the dependency. Thanks for the help.
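The two checks the thread converges on, listing which roots the provider server's trust store actually contains and then doing a verified TLS handshake against the sandbox host that Argun suggested, can be scripted with the Python standard library. The code below is an added example written for this thread, not code from Apple or from any poster. It assumes Python 3 and that the root of interest is identified by the subject common name the thread quotes ("USERTrust RSA Certification Authority"); the `ssl.create_default_context()` call loads the operating system's store, which on Windows is the same store the Trusted Root Certificate Program populates on demand, so a root that is absent from the listing may still be fetched automatically during the handshake, exactly the behaviour Do Hyung observed.

```python
"""Check the local trust store for the APNs root CA, then verify a live
handshake to the APNs sandbox host. Added example for this thread; not
Apple's code and not the poster's."""
import socket
import ssl
from typing import Optional

APNS_SANDBOX_HOST = "api.sandbox.push.apple.com"  # from the thread
APNS_PORT = 443
# Subject CN of the root named in the thread.
USERTRUST_ROOT_CN = "USERTrust RSA Certification Authority"


def _subject_cn(cert: dict) -> Optional[str]:
    """Pull commonName out of the tuple-of-tuples 'subject' that ssl returns."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def trusted_root_cns(context: Optional[ssl.SSLContext] = None) -> list:
    """Common names of the CA certificates currently loaded in `context`.

    Caveats: on Windows this reflects what is in the store right now, not
    what the Trusted Root Program could still download on demand; on Linux
    distributions that use a capath directory, ssl only reports roots that
    have already been used once, so an empty list there is not proof of absence.
    """
    ctx = context or ssl.create_default_context()
    names = (_subject_cn(c) for c in ctx.get_ca_certs())
    return sorted(cn for cn in names if cn)


def root_is_trusted(cn: str, context: Optional[ssl.SSLContext] = None) -> bool:
    """True if a root whose subject CN equals `cn` is loaded locally."""
    return cn in trusted_root_cns(context)


def verify_apns_handshake(host: str = APNS_SANDBOX_HOST, port: int = APNS_PORT,
                          timeout: float = 10.0) -> dict:
    """Open a verified TLS connection (CERT_REQUIRED plus hostname check) and
    report the leaf certificate's subject and issuer. A trust-store problem
    surfaces here as ssl.SSLCertVerificationError; the calling app would see
    the same failure before any push request is sent."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            leaf = tls.getpeercert()
    return {
        "host": host,
        "leaf_subject_cn": _subject_cn(leaf),
        "leaf_issuer": leaf.get("issuer"),
        "protocol": tls.version(),
    }


if __name__ == "__main__":
    print(f"{USERTRUST_ROOT_CN!r} in local store: "
          f"{root_is_trusted(USERTRUST_ROOT_CN)}")
    try:
        print(verify_apns_handshake())
    except ssl.SSLCertVerificationError as exc:
        print(f"handshake to {APNS_SANDBOX_HOST} failed verification: {exc}")
```

Running the script on the provider host prints whether the USERTrust root is present in the store and whether a verified handshake to the sandbox host succeeds. To reproduce the negative case Do Hyung describes, the root has to be made untrusted for server authentication (disabling its purposes on Windows) rather than merely deleted, since deletion alone is undone by the automatic root update.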
