APNs Certificate Update

We are preparing to address the upcoming change to the Certification Authority (CA) for the Apple Push Notification service (APNs). We have a few questions regarding the necessary measures.

  1. Is the change of the Certificate Authority (CA) related to APNs something that needs to be handled on the server that sends push messages?

  2. In relation to the CA change, do we need to reissue the APNs certificate?

  3. If we handle the CA change on the server side and the new CA certificate already exists there, is there no need to make any further changes?

  4. If the server’s trust store already includes the new CA certificate, it seems that no additional changes are needed. Is it possible to verify right now that everything will function correctly?

1- Yes, it is something that needs to be handled on the server that communicates with APNs.

2- No. No other changes to any other certificates or to the receiving app are needed. This only relates to the push server.

3- Correct, if the new CA is already installed, no more changes are required.

4- There will be a special test server made available closer to the date to verify everything will function.


Argun Tekant /  DTS Engineer / Core Technologies

4- There will be a special test server made available closer to the date to verify everything will function

Is there an ETA for that special test server to be ready for testing?

It would be great if we could have time to properly test before the final rollout.

Is there any update on this? When can we expect the "special test server" to be available, or do you just mean the sandbox by that?

While we wait for an official response, and for that test server, I have found this thread on Stack Overflow that explains how to validate this before the sandbox is updated, to make sure your server has the correct certificate installed.

Most likely it will, since this CA certificate dates from 2019 and started being included in distros at least in 2020 (as far as I could trace).

You'll find that certificate in most Linux distros as a symlink inside /etc/ssl/certs, so if your server uses a Linux image, it will most likely be ready:

$ file /etc/ssl/certs/USERTrust_RSA_Certification_Authority.pem

/etc/ssl/certs/USERTrust_RSA_Certification_Authority.pem: symbolic link to /usr/share/ca-certificates/mozilla/USERTrust_RSA_Certification_Authority.crt

With this path, you can run your own test:

$ openssl s_client -connect usertrustrsacertificationauthority-ev.comodoca.com:443 -CAfile /usr/share/ca-certificates/mozilla/USERTrust_RSA_Certification_Authority.crt

And it will output the correct response ✅:

SSL handshake has read 4477 bytes and written 437 bytes
Verification: OK

But if you run the same test on api.sandbox.push.apple.com:443, you'll get an error ❌:

SSL handshake has read 4691 bytes and written 438 bytes
Verification error: unable to get local issuer certificate

Let's repeat this test when Apple updates api.sandbox.push.apple.com:443.
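A small shell helper, added here as an example and not part of the thread, that automates the two checks from the post above: it looks for the USERTrust RSA CA in the local trust store (the /etc/ssl/certs location from the post is an assumption that varies by distro) and classifies `openssl s_client` output as OK or FAIL the way the post reads it. The `--run` flag and the embedded sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. Requires openssl on PATH.

CA_NAME="USERTrust RSA Certification Authority"   # subject CN of the CA the post checks for
CERT_DIR="${CERT_DIR:-/etc/ssl/certs}"            # assumed trust store location (Debian/Ubuntu style)

# trust_store_has_ca DIR: returns 0 and prints the match if any PEM/CRT in DIR
# carries the USERTrust RSA subject CN; returns 1 otherwise.
trust_store_has_ca() {
  dir="$1"
  for f in "$dir"/*.pem "$dir"/*.crt; do
    [ -r "$f" ] || continue
    if openssl x509 -in "$f" -noout -subject 2>/dev/null | grep -q "$CA_NAME"; then
      echo "found: $f -> $(readlink -f "$f")"
      return 0
    fi
  done
  return 1
}

# classify_sclient_output: reads s_client output on stdin and prints OK, FAIL or UNKNOWN
# based on the "Verification:" line the post shows for the good and bad cases.
classify_sclient_output() {
  out=$(cat)
  case "$out" in
    *"Verification: OK"*)    echo OK ;;
    *"Verification error:"*) echo FAIL ;;
    *)                       echo UNKNOWN ;;
  esac
}

# check_host HOST:PORT CAFILE: runs the same s_client test as the post and classifies it.
check_host() {
  openssl s_client -connect "$1" -servername "${1%%:*}" -CAfile "$2" </dev/null 2>/dev/null \
    | classify_sclient_output
}

# Constructed samples mirroring the two outputs quoted in the post.
SAMPLE_OK='SSL handshake has read 4477 bytes and written 437 bytes
Verification: OK'
SAMPLE_FAIL='SSL handshake has read 4691 bytes and written 438 bytes
Verification error: unable to get local issuer certificate'

# Live run only when explicitly asked, e.g.: sh check_apns_ca.sh --run
if [ "${1:-}" = "--run" ]; then
  trust_store_has_ca "$CERT_DIR" || echo "CA not found in $CERT_DIR"
  cafile=/usr/share/ca-certificates/mozilla/USERTrust_RSA_Certification_Authority.crt
  echo "comodoca test host: $(check_host usertrustrsacertificationauthority-ev.comodoca.com:443 "$cafile")"
  echo "APNs sandbox:       $(check_host api.sandbox.push.apple.com:443 "$cafile")"
fi
```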
