Provisioning and Development
Development and Production Environments
To develop and deploy the provider side of a client/server application, you must get SSL certificates from the appropriate Dev Center. Each certificate is limited to a single application, identified by its bundle ID. Each certificate is also limited to one of two development environments, each with its own assigned hostname:
Development: Use the development environment for initial development and testing of the provider application. It provides the same set of services as the production environment, although with a smaller number of server units. The development environment also acts as a virtual device, enabling simulated end-to-end testing.
You access the development environment at gateway.sandbox.push.apple.com, outbound TCP port 2195.
Production: Use the production environment when building the production version of the provider application. Applications using the production environment must meet Apple’s reliability requirements.
You access the production environment at gateway.push.apple.com, outbound TCP port 2195.
You must get separate certificates for the development environment and the production environment. The certificates are associated with an identifier of the application that is the recipient of push notifications; this identifier includes the application’s bundle ID. When you create a provisioning profile for one of the environments, the requisite entitlements are automatically added to the profile, including the entitlement specific to push notifications, <aps-environment>. The two provisioning profiles are called Development and Distribution. The Distribution provisioning profile is a requirement for submitting your application to the App Store.
You can determine in Xcode which environment you are in by the selection of a code-signing identity. If you see an “iPhone Developer: Firstname Lastname” certificate/provisioning profile pair, you are in the development environment. If you see an “iPhone Distribution: Companyname” certificate/provisioning profile pair, you are in the production environment. It is a good idea to create a Distribution release configuration in Xcode to help you further differentiate the environments.
Although an SSL certificate is not put into a provisioning profile, the <aps-environment> is added to the profile because of the association of the certificate and a particular application ID. As a result this entitlement is built into the application, which enables it to receive push notifications.
In the iOS Developer Program, each member on a development team has one of three roles: team agent, team admin, and team member. The roles differ in relation to iPhone development certificates and provisioning profiles. The team agent is the only person on the team who can create Development SSL certificates and Distribution (Production) SSL certificates. The team admin and the team agent can both create both Development and Distribution provisioning profiles. Team members may only download and install certificates and provisioning profiles. The procedures in the following sections make reference to these roles.
Creating the SSL Certificate and Keys
In the provisioning portal of the iOS Dev Center, the team agent selects the application IDs for APNs. He also completes the following steps to create the SSL certificate:
Click App IDs in the sidebar on the left side of the window.
The next page displays your valid application IDs. An application ID consists of an application’s bundle ID prefixed with a ten-character code generated by Apple. The team admin must enter the bundle ID. For a certificate, it must incorporate a specific bundle ID; you cannot use a “wildcard” application ID.
Locate the application ID for the development SSL certificate (and that is associated with the Development provisioning profile) and click Configure.
You must see “Available” under the Apple Push Notification Service column to configure a certificate for this application ID.
In the Configure App ID page, check the Enable Push Notification Services box and click the Configure button.
Clicking this button launches an APNs Assistant, which guides you through the next series of steps.
The first step requires that you launch the Keychain Access application and generate a Certificate Signing Request (CSR).
Follow the instructions presented in the assistant. When you are finished generating a CSR, click Continue in Keychain Access to return to the APNs Assistant.
When you create a CSR, Keychain Access generates a private and a public cryptographic key pair. The private key is put into your Login keychain by default. The public key is included in the CSR sent to the provisioning authority. When the provisioning authority sends the certificate back to you, one of the items in that certificate is the public key.
In the Submit Certificate Signing Request pane, click Choose File. Navigate to the CSR file you created in the previous step and select it.
Click the Generate button.
While displaying the Generate Your Certificate pane, the Assistant configures and generates your Client SSL Certificate. If it succeeds, it displays the message “Your APNs Certificate has been generated.” Click Continue to proceed to the next step.
In the next pane, click the Download Now button to download the certificate file to your download location. Navigate to that location and double-click the certificate file (which has an extension of .cer) to install it in your keychain. When you are finished, click Done in the APNs Assistant.
Double-clicking the file launches Keychain Access. Make sure you install the certificate in your login keychain on the computer you are using for provider development. In Keychain Access, ensure that your certificate user ID matches your application’s bundle ID. The APNs SSL certificate should be installed on your notification server.
When you finish these steps you are returned to the Configure App ID page of the iOS Dev Center portal. The certificate should be badged with a green circle and the label “Enabled”.
To create a certificate for the production environment, repeat the same procedure but choose the application ID for the production certificate.
Creating and Installing the Provisioning Profile
The Team Admin or Team Agent must next create the provisioning profile (Development or Distribution) used in the server side of remote-notification development. The provisioning profile is a collection of assets that associates developers of an application and their devices with an authorized development team and enables those devices to be used for testing. The profile contains certificates, device identifiers, the application’s bundle ID, and all entitlements, including <aps-environment>. All team members must install the provisioning profile on the devices on which they will run and test application code.
To download and install the provisioning profile, team members should complete the following steps:
Go to the provisioning portal in the iOS Dev Center.
Create a new provisioning profile that contains the App ID you registered for APNs.
Modify any existing profile before you download the new one.
You have to modify the profile in some minor way (for example, toggle an option) for the portal to generate a new provisioning profile. If the profile isn’t so “dirtied,” you’re given the original profile without the push entitlements.
From the download location, drag the profile file (which has an extension of mobileprovision) onto the Xcode or iTunes application icons.
Alternatively, you can move the profile file to ~/Library/MobileDevice/Provisioning Profiles. Create the directory if it does not exist.
Verify that the entitlements in the provisioning-profile file are correct. To do this, open the .mobileprovision file in a text editor. The contents of the file are structured in XML. In the Entitlements dictionary locate the aps-environment key. For a development provisioning profile, the string value of this key should be development; for a distribution provisioning profile, the string value should be
In the Xcode Organizer window, go to the Provisioning Profiles section and install the profile on your device.
When you build the project, the binary is now signed by the certificate using the private key.
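The entitlement check from the verification step above can be scripted instead of done by eye in a text editor. The following is an added example, not part of the original guide: it pulls the embedded XML property list out of a .mobileprovision blob and reports a missing or mismatched aps-environment value, which is what the "original profile without the push entitlements" case looks like. The function names, the sample App ID and the sample profiles are constructed for illustration, and the code reads the XML only; it does not verify the profile's signature.

```python
import plistlib

XML_START, XML_END = b"<?xml", b"</plist>"

def extract_profile_plist(blob):
    """Return the XML property list embedded in a .mobileprovision blob as a dict."""
    start = blob.find(XML_START)
    end = blob.find(XML_END, start) if start != -1 else -1
    if end == -1:
        raise ValueError("no embedded XML property list found")
    return plistlib.loads(blob[start:end + len(XML_END)])

def aps_environment(blob):
    """Return the aps-environment entitlement string, or None when it is absent."""
    return extract_profile_plist(blob).get("Entitlements", {}).get("aps-environment")

def check_profile(blob, expected):
    """Compare the profile's aps-environment value with the one the build expects."""
    value = aps_environment(blob)
    if value is None:
        return "missing: no aps-environment key, profile lacks the push entitlement"
    if value != expected:
        return f"mismatch: profile says {value!r}, expected {expected!r}"
    return "ok"

def _constructed_profile(entitlements):
    # Constructed sample: placeholder bytes stand in for the signed wrapper
    # that surrounds the XML in a real profile.
    body = plistlib.dumps({"Name": "Example Profile", "Entitlements": entitlements})
    return b"\x30\x82\x0b\x0c" + body + b"\x00\xa0\x82\x01"

SAMPLE_DEV = _constructed_profile({
    "application-identifier": "ABCDE12345.com.example.app",  # hypothetical App ID
    "aps-environment": "development",
})
SAMPLE_NO_PUSH = _constructed_profile({
    "application-identifier": "ABCDE12345.com.example.app",  # hypothetical App ID
})

if __name__ == "__main__":
    print(check_profile(SAMPLE_DEV, "development"))
    print(check_profile(SAMPLE_NO_PUSH, "development"))
```

For a real profile, pass the bytes of the .mobileprovision file read in binary mode.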
Installing the SSL Certificate and Key on the Server
You should install the SSL distribution certificate and private cryptographic key you obtained earlier on the server computer on which the provider code runs and from which it connects with the development or production versions of APNs. To do so, complete the following steps:
Open the Keychain Access utility and click the My Certificates category in the left pane.
Find the certificate you want to install and disclose its contents.
You’ll see both a certificate and a private key.
Select both the certificate and key, choose File > Export Items, and export them as a Personal Information Exchange (.p12) file.
Servers implemented in languages such as Ruby and Perl often are better able to deal with certificates in the Personal Information Exchange format. To convert the certificate to this format, complete the following steps:
In Keychain Access, select the certificate and choose File > Export Items. Select the Personal Information Exchange (.p12) option, select a save location, and click Save.
Launch the Terminal application and enter the following command after the prompt:
openssl pkcs12 -in CertificateName.p12 -out CertificateName.pem
Copy the .pem certificate to the new computer and install it in the appropriate place.
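The .pem file produced by the conversion above carries the private key along with the certificate, so it is worth auditing before and after it is copied to the server. The following is an added example, not part of the original guide: it checks that the file holds both a certificate and a private key block, that the key is passphrase-protected, and that the file mode keeps group and other users out. The function names and sample PEM text are constructed for illustration.

```python
import os
import re
import stat

BLOCK_RE = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----", re.MULTILINE)

# Constructed samples: the base64 bodies are placeholders, not real key material.
SAMPLE_PLAIN = (
    "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
    "-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END PRIVATE KEY-----\n"
)
SAMPLE_ENCRYPTED = SAMPLE_PLAIN.replace("PRIVATE KEY", "ENCRYPTED PRIVATE KEY")

def audit_pem_text(text):
    """Return findings about the PEM blocks in an exported certificate/key bundle."""
    findings = []
    labels = BLOCK_RE.findall(text)
    if "CERTIFICATE" not in labels:
        findings.append("no certificate block")
    keys = [label for label in labels if label.endswith("PRIVATE KEY")]
    if not keys:
        findings.append("no private key block")
    # PKCS#8 marks encryption in the block label; legacy PEM keys use a
    # Proc-Type header inside the block instead.
    legacy_encrypted = "Proc-Type: 4,ENCRYPTED" in text
    if any(k != "ENCRYPTED PRIVATE KEY" and not legacy_encrypted for k in keys):
        findings.append("private key is not passphrase-protected")
    return findings

def audit_pem_file(path):
    """Audit a PEM file on disk: block contents plus file permissions."""
    with open(path, encoding="ascii", errors="replace") as fh:
        findings = audit_pem_text(fh.read())
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        findings.append(f"mode {mode:03o} grants group/other access")
    return findings

if __name__ == "__main__":
    print(audit_pem_text(SAMPLE_PLAIN))
    print(audit_pem_text(SAMPLE_ENCRYPTED))
```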