Apple Push Notification service server certificate

App & System Services Notifications
dohyung OP
Created Jan ’25
Replies 4
Boosts 1
Views 527
Participants 2

Do we need this new certificate "SHA-2 Root : USERTrust RSA Certification Authority certificate" if we are using token based authentication with APNs? We are signing the JWT with the private Auth key?

Or is the new certificate needed on top of this? We are doing something like this:

Dictionary<string, object> payload = new Dictionary<string, object>() { { "iss", teamId }, // Apple Developer Team ID { "iat", unixTimestamp } // Issued-at time };

Dictionary<string, object> header = new Dictionary<string, object>() { { "alg", "ES256" }, { "kid", keyId } // Key ID from Apple Developer portal };

string token = JWT.Encode(payload, privateKey, JwsAlgorithm.ES256, header);

Replies  4
Boosts  1
Views  527
Participants  2
Engineer OP
Apple
Jan ’25

Yes, this certificate is still needed. This is a certificate that enables to create a secure connection to APNs hosts and is needed regardless of your authentication method being an APNs key or APNs certificate.

The new root certificate is already active in the APNs development environment. You can test that the new certificate is installed correctly by trying to send a development push notification to api.sandbox.push.apple.com:443

Argun Tekant /  DTS Engineer / Core Technologies

0
dohyung OP
Jan ’25

Hi Argun,

Thank you for your quick response and detailed explanation.

One question for clarification: I attempted to test the sandbox endpoint (api.sandbox.push.apple.com) by sending push notifications, and I noticed that push notifications were still successfully delivered even after I removed both the old AAA Certificate Services root CA and the new SHA-2 Root: USERTrust RSA Certification Authority certificate from my provider server.

To properly validate that the new certificate is required and working as intended, I’d like to understand the best approach. Specifically:

How can I ensure that the absence of the new certificate prevents notifications, and its presence enables them? Are there additional steps required to configure my environment for this validation? I want to ensure that the new certificate is installed and functioning correctly before the production cut-off date.

Thank you for your guidance!

Best regards,

Do Hyung

0
Engineer OP
Apple
Jan ’25

I can't comment on how you can specifically test on your servers as I don't know how they are setup.

Perhaps the new certificate (which is not unique to APNs) has already been installed and present on the server, and when you removed the newly installed copy, it did not make a difference.

0
dohyung OP
3w

It was due to how Windows handles root certificates. Even after removing both certificates, notifications still worked because Windows automatically manages root certificates through its Trusted Root Certificate Program. Once I explicitly disabled the certificate purposes for the AAA Certificate Services certificate, push notifications stopped working, confirming the dependency. Thanks for the help.

0
Apple Push Notification service server certificate
First post date Last post date
 
 
Q