How To Renew the Apple iOS "Push Certificate"


Article ID: 181760


Updated On:


Symantec Products




Apple iOS "Push Certificates" are only valid for a period of 1 year.  A new/replacement certificate for the same AppID must be created and uploaded into AppCenter before the existing Push Certificate expires.  Failure to do so could cause agent problems in your AppCenter environment.  

This process assumes the Mac computer has your organizations Apple Distribution Certificate already installed in the keychain.  This process will not work without it.

As of December 17th 2015 the "APNs Production iOS" certificate name has been changed to "Apple Push Services."

For On-Prem Customers on any version before 5.4.2, please see the note at the bottom before trying to upload a new Push Certificate.

To renew your Apple "Push Certificate" for AppCenter:

  1. Document the details for the existing/old Push Certificate.
    1.  Log into AppCenter and go to Settings --> Certificates --> Apple/iOS Certificates.
    2.  Under "Push Certificate", make a note of the Push certificate name, valid dates, and serial number.  Record this for comparison later.
  2. Locate your old Push Certificate in the Apple portal.
    1. Log into your Apple developer portal account.
    2. Go to "Identifiers" --> "App IDs" and locate your existing/old Push Certificate app ID and name.
    3. Select the App ID and click the "Edit" button.
    4. Scroll to the bottom section called "Push Notification" to see the existing Push SSL certificate. If possible, verify the certificate name and expiration date matches your existing/old certificate.
  3. Create and submit a new certificate signing request
    1. Under Production SSL Certificate, click "Create Certificate" button. 
    2. Follow the instructions to create the CSR on the Mac.  (Do not provide a CA Email address, leave that field blank.)
    3. Click Continue when CSR file is created.
    4. Upload the CSR file to the portal by browsing to the location where you saved the file, and click Generate. 
  4. Download and install the certificate to the mac
    1. Download the certificate to your Mac computer by clicking the Download button.
    2. Double-click the certificate to open it in Key Chain Access. It should be named "Apple Production IOS Push Services...".  The certificate should be listed within the Certificates category and shown with its private key. 
  5. Export the new Push certificate with private key.
    1. In Key Chain Access, right-click the new certificate and select Export...
    2. Export the certificate in .P12 format. It will prompt to provide a private key protection password and the admin password for access to export from the Mac computer certificate store.
  6. Upload the new Push Certificate into AppCenter 
    1. In the AppCenter console, go to Settings --> Certificates --> Apple/iOS Certificates. 
    2. Under Push Certificate, select "Upload New" and choose the new Push certificate P12 file you just exported.  Enter the Push Certificate private key protection password.  Click the Upload button.
    3. Verify that the Push certificate App ID name is the same as the prior/old certificate you recorded.  Verify the Valid dates have changed to the new dates and serial number has changed.
    4. Click the Save button.

For On-Prem Customers on any version before 5.4.2:

Any new APNS certificates generated after December 17th 2015 cannot upload to Mobility suite since Apple has changed the certificate type and naming convention used in their APNS certificates.  These new APNS certs fail input validation and admin console > settings > certificates > Apple/iOS > APNS/Push certificate.

For on-prem customers that are using older builds that run into this problem they can use the following scripts commands to upload a new apns cert:

#cd /usr/local/nukona/appstore_cu/

#The below command will get the id of the existing apns certs
python scripts keypair list -t PUSH --tenant {TENANT_NAME.EN_US}

#The below command will delete the existing apns cert
python scripts keypair delete {ID_RETURNED_FROM_ABOVE_COMMAND.EN_US}

#Once you have removed the old certificate you need to transfer the new certificate to server. The below command will upload a new apns cert that will then be used
python scripts keypair add-p12 --tenant {TENANT_NAME.EN_US} PUSH {PATH_TO_APNS_P12_FILE.EN_US}