As far as I know I can renew the APNS by creating a new certificate and finally update my server to use it.
But, I don't understand what happen if I have two APNS distribution certificates both non expired yet at same time. What will happen with devices that used the older certificate to generate the token?. Will they stop receiving push notifications? What is the best approach to face a renew APNS certificate?
In my server should i handle both certificates too? I mean, when I establish a connection with Apple servers I can use only one pem.
I have already read:
How to Renew Push Notification Services Certificate
Renewing Production Push SSL Certificate - Apple APNS
devices that used the older certificate to generate the token
Devices do not use the certificate, the certificate is used only by the server. Therefore there is no such thing as tokens obtained from a device using the older certificate.
(Devices use a profile with push entitlements in order to obtain the token,and this does contain a certificate however this is not the same thing as the certificate used on the server).
Therefore your server just needs to use the new certificate when communicating with the Apple servers and your apps will continue to receive pushes, providing you have generated and are using the correct certificate (i.e. development for the Apple Sandbox server and production for the Apple production Server).
Incidentally a single .pem can contain multiple certificates if desirable.
Related
I am creating an MDM Server and have successfully completed all the steps and was able to install the profile on the device.
In the .mobileconfig file which is installed on the device, we pass the SSL certificate, APNS certificate and profile information.
1) What if the SSL Certificate on the server is changed? (I guess this is not practiced by many or not practiced at all but still want to know what happens when this case occurs)
2) What happens after the APNS certificate is expired after one year?
How do I update the profiles on devices in which the profiles were already installed. Should the profiles be manually deleted and reinstalled or is there any other way?
Regarding the SSL certificate:
The mdm profile using the SSL certificate is not affected and can be continued to use. The only thing that will happen is on the device when you view the profile it will show that specific signing certificate to be expired.
Solution: You need to sign the mdm profile again with the new certificate.
Refer solution to this question.
You have option to renew the APNS certificate before it expires. Apple sends you email (to the apple-id that generated the APNS certificate) before the certificate expires. If you renew the certificate before expiration, you don't have to re-enroll the devices.
In case the certificate is already expired, you need to create a new one using the same old apple-id and will have to re-enroll all the devices to receive the MDM push.
I have some account with old certificate for an app that is currently in production. It's not duplicate of this question (Xcode apple developer certificate expiration: (0xE8008018)) because I know exactly what to do, but what harm it can does. Since I do not have CSR file that was used to create this certificate and app use a lot of push notifications.
Does revoking certificate will break push notifications?
What's about signing? If I revoke certificate I have to regenerate provisioning profile before pushing to store?
What will happen when I revoke certificate there?
You should review the Apple Support article on Certificates.
Does revoking certificate will break push notifications?
Yes, "you can no longer send push notifications to your app." At least not until you regenerate the cert and change your application to use the new one.
Distribution:
iOS Distribution Certificate (App Store)
If your Apple Developer Program membership is valid, your existing apps on the App Store will
not be affected. However, you will no longer be able to submit new
apps or updates to the App Store.
iOS Distribution Certificate (in-house, internal use apps)
Users will no longer be able to run apps that have been signed with this
certificate. You must distribute a new version of your app that is
signed with a new certificate.
Does revoking certificate will break push notifications?
Yes, if you revoke the certificate you will no longer receive push notifications to the app.
What's about signing? If I revoke certificate I have to regenerate provisioning profile before pushing to store?
If you create a new certificate and upload it to the server sending the push notifications you will be able to send push notifications again. This can be done without the need to build a new binary for the AppStore.
what harm it can does. Since I do not have CSR file that was used to create this certificate and app use a lot of push notifications.
Create a new certificate request and upload it to the correct app to create a new certificate in the developer portal. You do not need the original CSR file to do this.
In your case, Create a new certificate and replace the old cert on
push server with newly generated one. Cheers! All the pushes will
continue to deliver to users. But make sure do above thing just after
creation of new certificate.
Push cert is used for communication between your push server and APNS.
APNS allows push payload from the servers having valid certificates.
So replace the old cert with new one. I done it in past. No issue
faced. Push will be effected for the duration you would take to revoke
and update the certificates on push server.
Recently Apple introduced a new type of APNS certificates - Universal Push Notification Client SSL Certificate.
It seemed for me that it should allow to have one certificate to use on both Development and Production (Sandbox and Production). This was really wanted feature because my backend uses the Azure Notification Hub to send pushes and contains only one available space for a certificate (Sandbox or Production).
I tried to follow official docs provided by Apple (Creating a Universal Push Notification Client SSL Certificate) but with no luck - the new certificate applies only for Distribution . And even on theirs screenshots I see that this certificate applies only for Distribution mode and not for the Development and this is what confuses me
- Creating a Universal Push Notification Client SSL Certificate
This is why I will appreciate any guidance or advice which will explain how it should work, and did I understand the purpose of those certificates properly?
That's how it should appear - "Configurable" for development and "Enabled" for distribution. But it'll work for development as well.
I had the same problem looking for how to "Generate a universal APNs client SSL certificate". After a while, I managed to make it work. In the Apple developer console:
create a Key (not a certificate)
write the name of your key a select "APNs" service.
Download your .p8 key.
Then you have to use this .p8 file in your call.
I am new to iOS develop this is first time for me to handle certificate which has been expired. After I renew certificate and replace it to server, I am not receiving push notification. I may did some mistake. Please correct me.
Below are the steps i followed:
step1-- Recreate push notification, production type is "Apple Push Services" I know apple do some change, but the development type still is "APNs ..."
If I can use new certificate for development and production environment why apple provide develop choice?
step2-- I also found the Ad Hoc certificate will expire, so I also recreate it, both development and production
step3-- Of course I recreate provisioning profiles, but when I create for development I can't distinguish which certificate is new one, so I revoked the old one.
step4-- Install new certificates and provisioning profile in my mac, then export p12 to server.
Then I can't receive push notification, someone said the new certificate need to update program to fix it, I hope after edit the code push notification will work fine.
But how about development push notification? the development certificate type is the same but I still can't receive push notification, or it caused by renew Ad Hoc certificate ?
========== edit at 3/3 ========
Because the new type of certificate can use for development and production at the same time, so after server side update its code, I test push notification with the new type of certificate both development and production, and this time I get push notification.
Maybe because I have new type of certificate so APNs doesn't accept old type of certificate, is it possible?
Go to Keychain Access, delete all expired certificates. Regenerate your push notification certificates from Developer Center along with new provisional profile.
I have tried these bellow ways:
I noticed was the Device Token gets changed for every fresh install which is kind of weird as we have to update the server for every new instance. Now i have fixed with save UUID in keychains.
I have created development provision and check. But not getting any luck.
I have created Adhoc provision and check. But still not getting PN.
Depending on how you distribute your app you may either be on the sandbox or the production server. Your token will only work for the server that the app is provisioned for.
Additionally, the machine that you're sending push notifications from will need to have the correct certificate and key to interaction with the APNS servers.
One thing to watch out for is using the same Certificate Signing Request for both the development and production APNS certs, some services won't properly send if they detect the wrong certificates in a .p12 file and keychain access will export more than two items if you used the same CSR.