Questions regarding "Action Required: Apple Push Notification Service Server Certificate Update"

Hello, I have a couple of questions regarding the change of the Certification Authority (CA) for Apple Push Notification service (APNs) and I will be grateful for any answers.

  1. Does it require only making sure the server machine has the SHA-2 Root: USERTrust RSA Certification Authority certificate included in the Trust Store (/etc/ssl/certs/USERTrust_RSA_Certification_Authority.pem with SHA256: 8a3dbcb92ab1c6277647fe2ab8536b5c982abbfdb1f1df5728e01b906aba953a)?

  2. Should the Certificate Signing Request be updated (the one that is uploaded to https://identity.apple.com/pushcert/)?

  3. Does it have any connection with the certificates that are created on https://identity.apple.com/pushcert/?

  4. Is the push type "mdm" affected too?

  5. Which certificate should be added and where specifically? Is it for the Certificate Signing Request to https://identity.apple.com/pushcert/, or the certificate that is generated on https://developer.apple.com/account/resources/certificates/list, or as mentioned in the first question?

  6. Can a certificate for the sandbox environment be created on https://identity.apple.com/pushcert/?

Thank you for any help.

Answered by DanN3 in 824681022

Accepted Answer

I found this other forum thread which might be relevant. https://developer.apple.com/forums/thread/774009?answerId=824326022#824326022

Just to clarify, the action required involves the root certificate for any server that is directly connecting to APNs and creating an HTTPS connection.

No other certificates are involved and there is no need to change anything else, or make a new certificate signing request.

And yes, this involves ALL push types, including mdm.

Argun Tekant / DTS Engineer / Core Technologies
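
One way to check the server-side trust store the answer refers to, as an added example that is not part of the original thread or Apple's own code: it looks for the USERTrust RSA Certification Authority root in a CA file and tries a verified TLS handshake. The function names are hypothetical, the file path is the one from the question, and the sandbox host name is an assumption not given in the thread.

```python
import socket
import ssl

ROOT_CN = "USERTrust RSA Certification Authority"  # root named in the thread

def subject_cn(cert):
    """commonName of an entry in the ssl.SSLContext.get_ca_certs() dict format."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def find_root(ca_certs, common_name=ROOT_CN):
    """Self-signed entries (subject == issuer) with the wanted name.
    A cross-signed copy that shares the name is not a root and is skipped."""
    return [c for c in ca_certs
            if subject_cn(c) == common_name and c.get("subject") == c.get("issuer")]

def load_store(cafile):
    """Build a verifying context that trusts only the CAs in `cafile`."""
    return ssl.create_default_context(cafile=cafile)

def check_handshake(host, ctx, port=443, timeout=10):
    """Return (ok, detail). ok is False when the server chain does not validate."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return True, tls.version()
    except ssl.SSLCertVerificationError as exc:
        return False, f"chain not trusted: {exc.verify_message}"
    except OSError as exc:
        return False, f"connection failed: {exc}"

if __name__ == "__main__":
    # Path taken from the question; the host is an assumption (APNs sandbox endpoint).
    ctx = load_store("/etc/ssl/certs/USERTrust_RSA_Certification_Authority.pem")
    roots = find_root(ctx.get_ca_certs())
    print("root present:", bool(roots), [r.get("notAfter") for r in roots])
    print("handshake:", check_handshake("api.sandbox.push.apple.com", ctx))
```

With only this one file loaded, `check_handshake` succeeds only if the endpoint's chain leads to that root; pass the server's full CA bundle to `load_store` to test what the server actually trusts.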

Thank you a lot for your answers, that makes it more clear!

The new root certificate is installed on the server. I have switched to using the sandbox environment to test if it would work, but I get an error:

"reason":"BadCertificateEnvironment"

Does it mean that the root certificate is not installed correctly, or is that a different issue?
