In my Apple developer account I have created a key for use with APNs across all my apps. On creation it allows me to download it once I have finished. After that the 'download' button is greyed-out and I can't download it again. Presumably this is by design.
Can anyone tell me why it doesn't allow a second download like you can for the certificates/profiles?
You can't re-download the iOS Push Notification Auth key. Only the public key is retained by Apple, and the private key is one which you retain and protect.
See documentation section Provider-to-APNs Connection Trust.
Token-based provider connection trust: A provider using the HTTP/2-based API can use JSON web tokens (JWT) to provide validation credentials for connection with APNs. In this scheme, you provision a public key to be retained by Apple, and a private key which you retain and protect.
You can see a warning too when you create an Auth Key.
Download and Back Up
After downloading your key, it cannot be re-downloaded as the server copy is removed. If you are not prepared to download your key at this time, click Done and download it at a later time. Be sure to save a backup of your key in a secure place.
I just created a new key on developer.apple.com and have never downloaded it yet, but I'm still unable to download it (the download link is disabled).
Any idea how to get the p8 cert from developers.apple.com?
After downloading my certificate from the Apple developer portal, I successfully create a p12 file, but whenever I try to create a platform application on AWS and enter the certificate password, I just keep getting the error below.
There was an error reading the selected certificate. Verify the password and try again.
I have tried with short and no passwords but nothing seems to accept the password.
Any ideas?
I was able to make this work, by doing the following:
Delete all old keys related to previous attempts in your Keychain > login (macOS).
Request a new certificate via Request a Certificate from a Certificate Authority. Make sure no keys are selected when you execute this function.
I chose a single word in lowercase for the Common Name.
Add the certificate to the Apple Developer Portal.
Download the CSR.
Double-click the CSR to import the keys into your Keychain.
Your private key should have a dropdown with the certificate listed. My previous attempts did not have this. Export the p12.
The p12 worked in AWS SNS when entering the password; the public and private keys were extracted from the p12.
I am reading the documentation for both push using TLS certificates and push using authentication tokens.
But besides explaining how to configure each, the articles don't really explain the differences or pros/cons of the two approaches. Can somebody explain them to me?
Token-based authentication is newer and essentially simplifies APNs authentication.
It is based on a public and private key pair that you can generate on your Apple developer account.
Here are the main reasons why it is simpler:
The same key can be used for development and production apps, whereas different certificates are needed when using certificate-based authentication.
The same key is used for all your apps referenced in your Apple developer account. Certificate-based authentication needs one certificate per app.
The key does not expire. Certificates do expire and need to be renewed every year or so.
A good source of intel is the 2016 WWDC video regarding APNs:
https://developer.apple.com/videos/play/wwdc2016/724/
For 2020, you can only realistically use the "token" method. The older approach is legacy and they will probably axe it.
Your private key will look like this:
let keystring = `-----BEGIN PRIVATE KEY-----
MIGTAgEAMBMGByqGSM49Aas8d76as8das687asd687asd68as8brwUIWA46qcXis
zCu6dbd4s8d7b5s86gf98ugtr28re7089a7d6tbvpiiui524kyfpq9861eFJP7we
eE7rX4182609457ohgyj3lhgp98wfb698bfg69287f2k4htgwpo876grwo7XDklz
9fdg689d
-----END PRIVATE KEY-----`
Your key ID will look like this:
let keyId = "CTU7XXBPRH"
and your Apple team id is your usual Apple team id, which looks like "YWD3UUTEWD".
Nowadays - thank goodness - it is relatively easy to get the private key and key id from inside your company's account on the Apple developer website.
If you want to test sending a push from an ordinary Node server on AWS, I strongly recommend this outstanding new npm package, APNS2: https://www.npmjs.com/package/apns2
let bn = new BasicNotification(deviceToken, 'Hello')
It's about that easy to send pushes.
Tips:
Don't forget the damned "development/sandbox" pushes only work ON AN IPHONE TETHERED TO YOUR MAC/XCODE!
development/sandbox pushes - only for an iPhone tethered to your Mac with a build running from Xcode
production pushes - they do work completely fine with TestFlight builds.
Additionally: don't forget that the so-called development/sandbox pushes are often flaky. Often they don't arrive for hours, they don't arrive at all, or they simply don't work in many regions.
Don't forget that it is TOTALLY OK to use the "production" ones, simply, with a TestFlight app.
So
Make a build
Push it to your TestFlight account. Wait a few minutes as usual until the build comes through.
Install it from TestFlight to your phone
You will now get all the pushes - instantly!
Whereas if you
Make a build
Just build/run to your tethered iPhone
You do NOT get any pushes.
It's true that you can get the so-called "development" pushes, but they are often very flaky.
(To be clear, when using APNS2, if you do want to try "development" pushes, simply use the extra line of code explained at the bottom here: https://www.npmjs.com/package/apns2 )
In 2021, Apple's Setting Up a Remote Notification Server states:
Both techniques have advantages and disadvantages, so decide which technique is best for your company.
Both Fattie and Ika have said that TLS/certificate-based authentication is inferior. The project UI in Firebase also uses language which doesn't explain much, IMHO:
Configuration with auth keys is recommended as they are the more current method for sending notifications to iOS.
Benefits of Certificate Authentication
Limited-access certificates. Each certificate is tied to one application in your developer account and one environment (development/production). This avoids putting all your eggs in one basket: if your token auth key is compromised, a threat actor can push notifications to all your applications.
Simpler provider application logic. The provider (the service which interacts with APNs, either your own server or a service you use) can just use the TLS certificate and authenticate, without needing to create JWTs, add headers to the request, or find the correct App ID to use.
Benefits of Token Authentication
Simpler setup process: you only have to download a .p12 and use it in your application. Go into developer.apple.com and create a Push Notification Key. However, your application has to renew these tokens every hour. Creating a .p12 for TLS authentication is a little more involved.
Does not expire, so you can set it and forget it, whereas TLS certificates expire in 1 year by default.
The question boils down to security vs. convenience.
Convenience (use token auth): It's convenient to create a key and forget it (token auth), and you might use Firebase (or another service) to actually renew the tokens every hour, so you don't have much work to do.
Security (use TLS auth): Do you really want to share the same key between all your applications? What if you want to limit the scope of a Push Notification Service Provider (e.g. Firebase, Ably, Pusher), but don't trust giving them access to all your applications? In reality, you might just have one application, so it does not matter.
Does this kind of security even matter, or is it just more convenient to use token auth? I would say in most cases, go with token auth.
What does the Key ID mean? Please help me, I don't know what to enter there.
If you want push notifications using FCM (Firebase Cloud Messaging), you need to provide either a key or a .p12 file. You can create one in your developer account. Visit this link.
Also, it's not compulsory if you are using Firebase only as a database. If you want push notifications or cloud messaging, then you need to provide this certificate or key.
In your developer account you have to follow the steps below (steps 1 to 4 were screenshots in the original post).
In your Apple account go to the Certificates, Identifiers & Profiles section. You can see the Keys section in the left-side category.
Click Keys -> All; now you can see the list of keys.
Click the key which you created for the Firebase APNs auth key. It will show a prompt that shows the Key ID:
You have selected the "APNs Auth key" option while uploading the .p12 file (attached image (1)).
To generate an "APNs Auth key", you should open developer.apple.com and generate a key as in the attached image below.
If you don't have an "APNs Auth key", you should go with the "APNs Certificate" option in Firebase (attached image (2)). In that case, Firebase will not ask you for the "key id".
I've successfully set up my hub to use an SSL certificate per app, but I'd really like to move to the token-based APNs Auth Key approach. I configured my hub with, I believe, all the right information from the p8 file. For Key ID, I put in the 10-character value from when the key was generated. For App ID, I put in my Team ID. For Token, I put in the private key value from the p8 file.
Has anyone had any success with this? Here's what happens when I attempt to send a test message:
When set to sandbox and I do a test send to my device, I get a failed outcome of "The Push Notification System rejected the request because of an invalid credential".
When set to production and I do a test send to my device, I get a failed outcome of "The Token obtained from the Token Provider is invalid".
For production, I think that is because I'm sending to a local app build outside of TestFlight/app store, so it is expecting the "development" or sandbox aps-environment.
Not sure what other troubleshooting I can do.
TIA,
I figured out what was happening for me.
The App Name field in the Azure Portal is critical to how the message gets delivered. Even though an APNs Auth Key can be used across multiple apps, the notification still must set the topic for that particular app. It seems like Azure Notification Hubs takes the App Name field and puts it into the apns-topic. Once I had that set to my app identifier, it worked as expected.
Also as an FYI, here is the link to the official documentation
https://learn.microsoft.com/en-us/azure/notification-hubs/notification-hubs-push-notification-http2-token-authentification
I'm configuring stuff on the provisioning portal for a new app which will use APNs.
When I went to configure the App ID for pushes, the website popped up a dialog saying I had to use Keychain Access and request a certificate from a CA.
However, this is a step I've already been through with a previous app, therefore is there any need to do so again? If there's no need, is it still a good idea, and if so why?
If there's no need to generate a CSR again, then I no longer have the CSR file from previously, so is there any way to recover it?
Certificates belong to hostnames.
If the hostname is the same, yes you can.
If it is a subdomain, and the certificate is a wildcard, yes you can.
If the hostname is different, you can generate a new CSR and apply for your new certificate.