About APNS certificate replacement

I received an email from Apple saying that I needed to replace the APNS certificate. I am inquiring because I am curious about who has the relevant authority and who actually makes the changes. Could you please provide specific guidance on this?

Hello,
We’re reaching out with a final reminder that the Certification Authority (CA) for Apple Push Notification service (APNs) is changing. APNs updated the server certificates in sandbox on January 21, 2025. APNs production server certificates will be updated on February 24, 2025. To continue using APNs without interruption, you’ll need to update your application’s Trust Store to include the new server certificate: SHA-2 Root: USERTrust RSA Certification Authority certificate. 
To ensure a smooth transition and avoid push notification delivery failures, please make sure that both old and new server certificates are included in the Trust Store before the cut-off date for each of your application servers that connect to sandbox and production. At this time, you don’t need to update the APNs SSL provider certificates issued to you by Apple.
If you have any questions, please contact us. 
The Apple Developer Relations Team 
Answered by Engineer in 825421022

This change will need to be done by the people or teams that are responsible for maintaining your push server - the server that actually connects to APNs and sends the push notifications.

Unfortunately we cannot provide specific instructions on how to install this root certificate on your push servers. Each server operating system and push server software will have different ways these root certificates are installed, which is out of scope of our support abilities.

I also want to clarify that this certificate has nothing to do with your app or your APNs keys or certificates you may be using to authenticate your push requests. This is a TLS certificate that needs to be installed on the server in order for it to create an HTTPS connection to APNs.

If you are not sure how to do this, I would recommend you seek help for this from your server-side developers or server admins.

Or, if you don't have access to such resources, you can ask the support channels for your system the question: How do I install a root certificate?

The new root certificate is already active in the APNs development environment. You can test that the new certificate is installed correctly by trying to send a development push notification to api.sandbox.push.apple.com:443


Argun Tekant /  DTS Engineer / Core Technologies


Hello,

I'd like to share that the IP address mentioned in Developer forum post 17.188.143.34:443 is not the one which responds to api.sandbox.push.apple.com:443 address. I found out the hard way so I am sharing it with others.

The actual IP address can be found using 3rd-party services which show information about a server's SSL certificate, like sslshopper[dot]com. I'll put the one I discovered using this method here for convenience:

  • 17.188.143.66

I hope the official post will get updated though 🤞🏻

the IP address mentioned in Developer forum post 17.188.143.34:443 is not the one which responds to api.sandbox.push.apple.com:443 address

Right. It's a test server, set up temporarily so that you can check that you have done your certificate replacement correctly. Quoting the linked post:

We have setup a test server at 17.188.143.34:443 that you can use to try and send pushes to test whether your new root certificate is correctly installed.

I think the IP address you've given is probably for the live server.
