Requirements for root CA certificate to add in iOS - ios

I issued my own CA certificate to enable https for my development environment.
On my Windows PC I was able to add my root CA. On iOS I can install it and it shows that it is verified, but when I go to General -> About -> Certificate Trust Settings the certificate does not show up.
Some information about the root CA.
Input:
openssl x509 -in ca.pem -text -noout
Output:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
[...]
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = Some-Country, ST = Some-State, O = Some-Company
Validity
Not Before: Jul 7 18:45:56 2022 GMT
Not After : Jul 4 18:45:56 2032 GMT
Subject: C = Some-Country, ST = Some-State, O = Some-Company
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (4096 bit)
Modulus:
[...]
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
[...]
X509v3 Authority Key Identifier:
keyid:[...]
X509v3 Basic Constraints: critical
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
[...]

My mistake was that the root CA I created was valid for 10 years. Since 1st September 2020 Apple limits the validity period to a maximum of 397 days.
Source: https://support.apple.com/en-us/HT211025
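As an added example for this thread (not the asker's code): a shell script that reads a certificate's notBefore/notAfter with openssl, computes the validity period in days the way the answer reasons about it, and flags anything longer than the 397-day limit the answer cites. It assumes openssl and GNU date are installed and generates its own constructed test CAs.

```shell
#!/bin/sh
# Added example, not part of the answer above: read a certificate's
# notBefore/notAfter with openssl, compute the validity period in days, and
# flag anything over the 397-day limit the answer cites (held in MAX_DAYS).
# Assumes openssl and GNU date on PATH; the certificates are constructed.
set -eu
MAX_DAYS=397
WORK=$(mktemp -d)

# Days between notBefore and notAfter of the PEM certificate in $1.
validity_days() {
    nb=$(openssl x509 -in "$1" -noout -startdate | cut -d= -f2)  # e.g. "Jul  7 18:45:56 2022 GMT"
    na=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
    echo $(( ( $(date -u -d "$na" +%s) - $(date -u -d "$nb" +%s) ) / 86400 ))
}

# Succeed if the validity period is at most MAX_DAYS, fail otherwise.
check_validity() {
    days=$(validity_days "$1")
    if [ "$days" -gt "$MAX_DAYS" ]; then
        echo "$1: valid for $days days, over the $MAX_DAYS-day limit"
        return 1
    fi
    echo "$1: valid for $days days, within the $MAX_DAYS-day limit"
}

# Constructed self-signed CAs: a 10-year one like the question's, and a 1-year one.
make_ca() {  # make_ca <days> <name>
    openssl req -x509 -newkey rsa:2048 -nodes -days "$1" -subj "/O=Some-Company" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.pem" 2>/dev/null
}
make_ca 3650 ca10y
make_ca 365 ca1y

check_validity "$WORK/ca1y.pem"
check_validity "$WORK/ca10y.pem" || true   # the case the answer describes
```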

Related

openssl ocsp Responder Error: unauthorized (6)

I want to verify whether the Apple p12 certificate is revoked.
I verify through OpenSSL, but it fails with:
Responder Error: unauthorized (6)
openssl s_client -connect ocsp.apple.com:443 2>&1 < /dev/null | sed -n '/-----BEGIN/,/-----END/p' > cert.pem
openssl s_client -showcerts -connect ocsp.apple.com:443 < /dev/null 2>&1 | sed -n '/-----BEGIN/,/-----END/p' > chain.pem
openssl x509 -noout -ocsp_uri -in cert.pem
openssl ocsp -issuer chain.pem -cert cert.pem -text -url http://ocsp.apple.com/ocsp03-apevsecc1g101 -header "HOST" "ocsp.apple.com"
OCSP Request Data:
Version: 1 (0x0)
Requestor List:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 99A13D5E339D6899F2F62D3449CA0FB7AD56A71D
Issuer Key Hash: 45F2A8DA2EF4DD5AE49E079E4B7B289B3BB20B31
Serial Number: 5E652F93666E7A5B3966551A0C167BAA
Request Extensions:
OCSP Nonce:
0410AB2982A627A49BA9AC9E06A9C4FE28B2
Responder Error: unauthorized (6)
chain.pem can only contain the intermediate and root certificates. The way you invoked openssl it brought in the entire chain. So: remove your certificate from chain.pem and try again.
For what it's worth (or future instances) here was my solution:
Note: I was sending the response to a Microsoft OCSP responder.
Fix: I had to define the -CAfile and -no_nonce parameters.
openssl ocsp -no_nonce -issuer ca_chain.cer -CAfile ca_chain.cer -cert test.cer -text -url http://ocsp.myorg.com/ocsp
OCSP Request Data:
Version: 1 (0x0)
Requestor List:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 555D0C30ACDDA1D39CAFB5C0B33BD73475C903D8
Issuer Key Hash: 3E8B5EE3BF6D026D69F3005CCE08BE60C245F3EE
Serial Number: 3E002C0FFFDA2BE9708A43E3270000002C0FFF
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: C012856C236D6AA6EC5F835AC25F17EBECB8BC10
Produced At: Nov 8 05:36:39 2022 GMT
Responses:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 555D0C30ACDDA1D39CAFB5C0B33BD73475C903D8
Issuer Key Hash: 3E8B5EE3BF6D026D69F3005CCE08BE60C245F3EE
Serial Number: 3E002C0FFFDA2BE9708A43E3270000002C0FFF
Cert Status: revoked
Revocation Time: Oct 27 21:26:12 2022 GMT
Revocation Reason: cessationOfOperation (0x5)
This Update: Nov 8 00:50:02 2022 GMT
Next Update: Nov 8 17:10:02 2022 GMT

Zendesk Chat combined PEM uploaded but not receiving push notifications

I followed this document:
https://developer.zendesk.com/embeddables/docs/ios-chat-sdk/push_notifications
and combined the Cert PEM and Key PEM.
I used:
openssl s_client -connect gateway.sandbox.push.apple.com:2195 -cert Certificates.pem -key PrivateKey.pem
CONNECTED(00000007)
depth=1 C = US, O = "Entrust, Inc.", OU = See www.entrust.net/legal-terms, OU = "(c) 2012 Entrust, Inc. - for authorized use only", CN = Entrust Certification Authority - L1K
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/C=US/ST=California/L=Cupertino/O=Apple Inc./CN=gateway.sandbox.push.apple.com
i:/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2012 Entrust, Inc. - for authorized use only/CN=Entrust Certification Authority - L1K
1 s:/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2012 Entrust, Inc. - for authorized use only/CN=Entrust Certification Authority - L1K
i:/O=Entrust.net/OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Certification Authority (2048)
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Cupertino/O=Apple Inc./CN=gateway.sandbox.push.apple.com
issuer=/C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2012 Entrust, Inc. - for authorized use only/CN=Entrust Certification Authority - L1K
---
Acceptable client certificate CA names
/C=US/O=Apple Inc./OU=Apple Certification Authority/CN=Apple Root CA
/C=US/O=Apple Inc./OU=Apple Worldwide Developer Relations/CN=Apple Worldwide Developer Relations Certification Authority
/CN=Apple Application Integration 2 Certification Authority/OU=Apple Certification Authority/O=Apple Inc./C=US
/C=US/ST=CA/L=Cupertino/O=Apple Inc./OU=Internet Software and Services/CN=iCloud Test/emailAddress=APNS-Dev@group.apple.com
/C=US/ST=California/L=Cupertino/O=Apple Inc./CN=gateway.sandbox.push.apple.com
/C=US/O=Apple Inc./OU=Apple Application Integration Certification Authority
---
SSL handshake has read 4165 bytes and written 2411 bytes
---
New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : DES-CBC3-SHA
Session-ID:
Session-ID-ctx:
Master-Key: 947F3D735AEEFB1633D0E18CD8CAFF5F6AB789DC518AEED4913382554437C2EE686F50A9267B285E798AB40FAEC389FD
Start Time: 1552990882
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Then I uploaded it to the Zendesk Dashboard successfully, but after that I cannot receive push notifications.

In Jenkins, how can I manually check the signature of plugin updates?

In Jenkins -> Manage Plugins, I observe this message:
There were errors checking the update sites: None of the tool installer metadata passed the signature check
My question is: How can I manually check the signature of updates in order to determine if they are valid?
Subsidiary question: how can I determine the cause of this error?
UPDATE: In the meantime it seems the expired cert has been renewed:
https://updates.jenkins-ci.org/updates/hudson.tools.JDKInstaller.json.html
Certificate:
Data:
Version: 1 (0x0)
Serial Number: 3735928570 (0xdeadbefa)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=California, L=San Jose, O=Jenkins Project, CN=Kohsuke Kawaguchi/emailAddress=kk@kohsuke.org
Validity
Not Before: Nov 19 21:21:39 2018 GMT
Not After : Nov 19 21:21:39 2019 GMT
Subject: C=US, ST=California, O=Jenkins Project, CN=Community Update Center
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
So for me the issue seems solved.
Have you tried:
Why is there Failed Signature Check when using update server?
Suppress the signature verification check by adding the following Java option:
-Dhudson.model.DownloadService.noSignatureCheck=true
or
Modify your JDK security policy to admit insecure encryption algorithms by replacing
jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
with
jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 512
in the file $JRE_HOME/lib/security/java.security

Thin Rails server/EventMachine on Windows does not work with custom certificate

After building my own EventMachine/Thin with SSL support on Windows (Install OpenSSL with Ruby for eventmachine on Windows 7 x86) I got another problem with the SSL certificate: when I use the built-in self-signed one, Thin works fine, but it does not respond to any request while using the corporate certificate.
Here is my path for obtaining the certificate:
I generated a private key with puttygen (ssl-private.key)
I generated a CSR using the following command:
openssl req -out ssl.csr -key ssl-private.key -new
I sent the CSR to the CA and received a P7B file
I converted the P7B using the following command:
openssl pkcs7 -inform DER -outform PEM -in cert.p7b -print_certs > cert.crt
What could go wrong here?
What have I checked:
openssl rsa -in ssl-private.key -check
says "RSA key ok"
openssl x509 -in cert.crt -text -noout
says
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
***
Signature Algorithm: sha1WithRSAEncryption
Issuer: ***
Validity
Not Before: Feb 16 08:47:25 2004 GMT
Not After : Feb 16 08:55:36 2024 GMT
Subject: ***
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
***
Exponent: 3 (0x3)
X509v3 extensions:
X509v3 Key Usage:
Digital Signature, Certificate Sign, CRL Sign
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Subject Key Identifier:
***
1.3.6.1.4.1.311.21.1:
...
Signature Algorithm: sha1WithRSAEncryption
***
while the same check made on self-signed cert, created using
openssl genrsa -des3 -out server.orig.key 2048
openssl rsa -in server.orig.key -out server.key
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
says
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
***
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=PL, ST=-, O=Internet Widgits Pty Ltd, CN=test.org
Validity
Not Before: Jun 24 14:42:07 2015 GMT
Not After : Jun 23 14:42:07 2016 GMT
Subject: C=PL, ST=-, O=Internet Widgits Pty Ltd, CN=test.org
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
***
Exponent: 65537 (0x10001)
Signature Algorithm: sha256WithRSAEncryption
***
OK, some change: I have changed the certificate order in the crt file so that the final cert is not last but first, and the result is different: Chrome reports NET::ERR_CERT_INVALID, IE similar, and neither navigates further.
openssl s_client output (looks OK, *** Root CA 1 is trusted in Windows):
Loading 'screen' into random state - done
CONNECTED(000001E8)
depth=1 DC = com, DC = ***, CN = *** Enterprise CA 1
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
0 s:/C=***/ST=***/O=***/CN=***.com
i:/DC=com/DC=***/CN=*** Enterprise CA 1
1 s:/DC=com/DC=***/CN=*** Enterprise CA 1
i:/DC=com/DC=***/CN=*** Root CA 1
---
Server certificate
-----BEGIN CERTIFICATE-----
***
-----END CERTIFICATE-----
subject=/C=***/ST=***/O=***/CN=***.com
issuer=/DC=com/DC=***/CN=*** Enterprise CA 1
---
No client certificate CA names sent
---
SSL handshake has read 3404 bytes and written 665 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : AES256-GCM-SHA384
Session-ID: ***
Session-ID-ctx:
Master-Key: ***
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket: ***
Start Time: 1435319943
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
read:errno=0
I have made a simple https server (lib/emtestssl):
require 'rubygems'
require 'bundler/setup'
Bundler.require

class ServerHandler < EM::Connection
  def post_init
    puts "post_init"
    start_tls :private_key_file => 'private.key', :cert_chain_file => 'comb.crt', :verify_peer => false
  end

  def receive_data(data)
    puts "Received data in server: #{data}"
    send_data("HTTP/1.1 200 OK\n\nHello world!")
    close_connection_after_writing
  end
end

EventMachine.run do
  puts 'Starting server...'
  EventMachine.start_server('145.245.202.233', 443, ServerHandler)
end
It works fine without TLS; with TLS the browser won't connect :(
As per http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#verify the private key and certificate do match.
It looks like (patched) EventMachine is completely fine: I have taken a key/cert pair from an existing server and (after a URL mismatch warning from the browser) it works fine.
After comparing the certificates it looks like my CA has failed and issued me a cert with the wrong properties: the working one is described as Server Authentication (1.3.6.1.5.5.7.3.1) while the failing one is Client Authentication (1.3.6.1.5.5.7.3.2).
I will issue another CSR and charge them for the lost day... :/
Maybe one important discovery is the order of certificates within the cert file: one must go from the final cert to the root, with the root at the end of the chain.
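An added example serving both this thread and the OCSP thread above (not code from either poster): it builds a constructed root, intermediate and leaf with openssl, writes the issuer-only file that openssl ocsp -issuer expects, checks that a chain file is ordered leaf first and root last, and checks the leaf for the serverAuth EKU. It assumes only openssl on PATH; every name in it is made up.

```shell
#!/bin/sh
# Added example, not code from either thread above. It constructs a
# root -> intermediate -> leaf chain and applies the checks the posts arrive
# at: the file given to "openssl ocsp -issuer" must hold only the issuers, a
# server's chain file must run from the leaf down to the root, and a server
# certificate needs the serverAuth extended key usage. Assumes openssl on PATH.
set -eu
WORK=$(mktemp -d); cd "$WORK"

# Constructed test PKI (all names made up). x509 -req takes its extensions
# from -extfile, so the same CA profile serves the root and the intermediate.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
printf 'extendedKeyUsage=serverAuth\nsubjectAltName=DNS:www.example.test\n' > server.ext
openssl req -newkey rsa:2048 -nodes -subj "/CN=Test Root CA 1" -keyout root.key -out root.csr 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 3650 -extfile ca.ext -out root.pem 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=Test Enterprise CA 1" -keyout int.key -out int.csr 2>/dev/null
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial -days 1825 -extfile ca.ext -out int.pem 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial -days 365 -extfile server.ext -out leaf.pem 2>/dev/null

# Print the N-th (1-based) certificate of a PEM bundle; count the certificates.
nth_cert() { awk -v n="$2" '/-----BEGIN CERTIFICATE-----/{c++} c==n' "$1"; }
count_certs() { grep -c -e '-----BEGIN CERTIFICATE-----' "$1"; }

# Write every certificate except the first: the issuer-only file that
# "openssl ocsp -issuer" (and -CAfile) expect, as the first OCSP answer says.
issuers_only() {  # issuers_only <bundle> <out>
    n=$(count_certs "$1"); i=2; : > "$2"
    while [ "$i" -le "$n" ]; do nth_cert "$1" "$i" >> "$2"; i=$((i + 1)); done
}

# Succeed if the bundle runs leaf -> ... -> root: each certificate's issuer
# must equal the subject of the certificate that follows it.
chain_is_ordered() {
    n=$(count_certs "$1"); i=1
    while [ "$i" -lt "$n" ]; do
        iss=$(nth_cert "$1" "$i" | openssl x509 -noout -issuer)
        sub=$(nth_cert "$1" "$((i + 1))" | openssl x509 -noout -subject)
        [ "${iss#issuer=}" = "${sub#subject=}" ] || return 1
        i=$((i + 1))
    done
}

# Succeed if the first certificate carries TLS Web Server Authentication
# (1.3.6.1.5.5.7.3.1), the EKU the eventmachine poster's CA left out.
has_server_auth() {
    nth_cert "$1" 1 | openssl x509 -noout -text | grep -q 'TLS Web Server Authentication'
}

cat leaf.pem int.pem root.pem > good.crt   # the order the last post recommends
cat root.pem int.pem leaf.pem > bad.crt    # root first: what the poster had
issuers_only good.crt chain.pem            # int.pem + root.pem, no leaf
chain_is_ordered good.crt && has_server_auth good.crt && echo "good.crt: ok"
chain_is_ordered bad.crt || echo "bad.crt: not in leaf-to-root order"
openssl verify -CAfile root.pem -untrusted chain.pem leaf.pem
```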

How to debug Apple Push Notification Response?

I wrote a Python app that sends push notifications to Apple devices.
Suddenly notifications are no longer received on all the iOS apps.
It looks like Apple returns an error after sending the notification.
I would like to know if the following response looks normal, or if there is an issue with the certificates.
$ openssl s_client -connect gateway.push.apple.com:2195 -cert /home/ubuntu/webapps/notification/certificates/relax_app/production/apns-dev-cert.pem -key /home/ubuntu/webapps/notification/certificates/relax_app/production/apns-dev-key-noenc.pem
CONNECTED(00000003)
depth=1 C = US, O = "Entrust, Inc.", OU = www.entrust.net/rpa is incorporated by reference, OU = "(c) 2009 Entrust, Inc.", CN = Entrust Certification Authority - L1C
verify error:num=20:unable to get local issuer certificate
verify return:0
140149704410784:error:14094415:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate expired:s3_pkt.c:1195:SSL alert number 45
140149704410784:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:591:
---
Certificate chain
0 s:/C=US/ST=California/L=Cupertino/O=Apple Inc./OU=iTMS Engineering/CN=gateway.push.apple.com
i:/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
1 s:/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
i:/O=Entrust.net/OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.)/OU=(c) 1999 Entrust.net Limited/CN=Entrust.net Certification Authority (2048)
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Cupertino/O=Apple Inc./OU=iTMS Engineering/CN=gateway.push.apple.com
issuer=/C=US/O=Entrust, Inc./OU=www.entrust.net/rpa is incorporated by reference/OU=(c) 2009 Entrust, Inc./CN=Entrust Certification Authority - L1C
---
No client certificate CA names sent
---
SSL handshake has read 2670 bytes and written 2047 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : SSLv3
Cipher : AES256-SHA
Session-ID:
Session-ID-ctx:
Master-Key: F2FEDB49795DA0B3084B850521A514EB60EE9959C40753AB79B799CA4F6225DAA4FE7084B8CF6D7BF9A4AEB92B9B3A06
Key-Arg : None
PSK identity: None
PSK identity hint: None
Start Time: 1385498375
Timeout : 7200 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
Note
The response returns the following:
verify error:num=20:unable to get local issuer certificate
Does this error prevent sending push notifications, or can it be ignored?
Thanks in advance.
SOLUTION
The issue was related with expired and revoked certificates.
New certificates were generated according to this great tutorial:
http://www.raywenderlich.com/32960/
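As an added example for this question (not the asker's script): a pre-flight check for the client certificate and key handed to openssl s_client, separating a key/certificate mismatch, an expired certificate (what the server's "alert certificate expired" means) and a certificate that does not chain to the given CA file (all that the local num=20 error reports). It assumes openssl on PATH and builds its own constructed test CA.

```shell
#!/bin/sh
# Added example, not code from the question above: a pre-flight check for the
# client certificate and key handed to "openssl s_client -cert/-key". It tells
# apart three things the thread conflates: a key that does not belong to the
# certificate, an expired certificate (what the server's "alert certificate
# expired" means), and a certificate that does not chain to the CA file given
# (all that s_client's local "unable to get local issuer certificate" says).
# Assumes openssl on PATH; every certificate below is constructed test data.
set -eu
WORK=$(mktemp -d); cd "$WORK"

# Constructed issuing CA, one client certificate it signed, one unrelated key.
openssl req -newkey rsa:2048 -nodes -subj "/CN=Test Push CA" -keyout ca.key -out ca.csr 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
openssl x509 -req -in ca.csr -signkey ca.key -days 365 -extfile ca.ext -out ca.pem 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=Test APNs Client" -keyout client.key -out client.csr 2>/dev/null
openssl x509 -req -in client.csr -CA ca.pem -CAkey ca.key -CAcreateserial -days 30 -out client.pem 2>/dev/null
openssl genrsa -out other.key 2048 2>/dev/null

# 1) Does the private key belong to the certificate? Compare the public keys.
key_matches_cert() {  # key_matches_cert <cert> <key>
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# 2) Is the certificate still valid $2 seconds from now (default: right now)?
cert_not_expiring() {  # cert_not_expiring <cert> [seconds]
    openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null
}

# 3) Does the certificate chain to the CA in $2? Without the right -CAfile this
# fails with the same error 20 that s_client printed for the server's chain.
cert_chains_to() {  # cert_chains_to <cert> <ca.pem>
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Run all three checks and report each; fail if any of them fails.
preflight() {  # preflight <cert> <key> <ca.pem>
    rc=0
    key_matches_cert "$1" "$2" && echo "key/cert: match" || { echo "key/cert: MISMATCH"; rc=1; }
    cert_not_expiring "$1" && echo "expiry: ok" || { echo "expiry: EXPIRED"; rc=1; }
    cert_chains_to "$1" "$3" && echo "chain: ok" || { echo "chain: NOT TRUSTED by $3"; rc=1; }
    return $rc
}

preflight client.pem client.key ca.pem
preflight client.pem other.key ca.pem || true   # the unrelated key fails check 1
```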
