Kukosk

Reputation: 3012

Apple APNs 2048-bit TLS/SSL certificate update

Today I received an email from Apple telling me they are changing something connected with push notifications, and I wanted to ask what to do with the certificate they gave me a link to... My server runs Debian Lenny, and I'm using PHP5 to send push notifications to Apple APNs. Do I have to just, like... add it somewhere, or replace the 'old' one?

Upvotes: 8

Views: 5081

Answers (4)

Jon Nylander

Reputation: 8963

Download the entrust_2048_ca.cer file, and install it on the servers that communicate with Apple's notification services. No need to renew your actual push certificates; also, you should not have to change anything in your code.

The important thing is that the servers that actually communicate with Apple's notification services have the certificate installed.

If you are lucky, your push server is already in contact with a Certificate Authority root, and this will solve the issue for you automagically. However, if you should lose that connection, your notifications will be out of order unless you have a "local" version of the certificate.

Upvotes: 4

Stéphane

Reputation: 1546

My PHP5 scripts that connect to the Apple Push Server are hosted on a Fedora system. For me, the migration was transparent. I had nothing to do, even though I can't find the Entrust certificate anywhere on my system. Maybe it is available with the PHP5 SSL library.

Upvotes: 0

ettore

Reputation: 688

I downloaded and copied the https://www.entrust.net/downloads/binary/entrust_2048_ca.cer file into /etc/ssl on my OpenBSD server. I haven't changed any of my server side code which is actually not using the entrust cert in any way. (I use the certs from Apple's provisioning site.)

On Dec 23rd, my notifications are sent and received with or without the entrust cert. I am confused about how exactly I am supposed to use the entrust cer file.

I think this sentence from the email from Apple tells me I am ok:

If you have been successfully validating the certificate chain in the APNs sandbox environment, you already have the root certificate you need. Simply install the same root certificate on your production push provider servers.

i.e.

Notifications were and are sent, hence my server already has what it needs.

UPDATE: What I wrote above seems to be the case. If you use a fairly recent server you likely don't have to do anything at all. The sandbox environment has been using 2048 bits since March 2010. If it has been working, you are set. Full info here: http://www.24100.net/2010/12/latest-apple-push-notification-certificate-changes-decrypted/

Upvotes: 0
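
For servers where the PHP code never references the Entrust file (as in the answer above), this added example, which is not code from any poster in this thread, shows one way to make a PHP stream connection validate Apple's chain against that root. PHP's `verify_peer` option was off by default before PHP 5.6, so without it a connection succeeds whether or not the root is present. The gateway host, file paths and function names are assumptions.

```php
<?php
// Assumed values, not from the thread: adjust to your deployment.
$endpoint = 'ssl://gateway.push.apple.com:2195';   // legacy binary APNs gateway (assumption)
$caFile   = '/etc/ssl/entrust_2048_ca.pem';        // Entrust root in PEM form (assumed path)
$pushCert = '/path/to/your-push-cert-and-key.pem'; // placeholder: cert from Apple's provisioning site

// 'cafile' expects PEM. If the downloaded .cer is DER-encoded, convert it first:
//   openssl x509 -inform DER -in entrust_2048_ca.cer -out entrust_2048_ca.pem

// Hypothetical helper: build a TLS context that trusts only the given root.
function apns_tls_context($caFile, $pushCert)
{
    if (!is_readable($caFile)) {
        throw new RuntimeException("CA file not readable: $caFile");
    }
    return stream_context_create(array('ssl' => array(
        'local_cert'        => $pushCert, // client certificate + private key
        'verify_peer'       => true,      // off by default before PHP 5.6
        'cafile'            => $caFile,   // root used to validate the server chain
        'verify_depth'      => 5,
        'peer_name'         => 'gateway.push.apple.com', // PHP 5.6+; older builds use 'CN_match'
        'capture_peer_cert' => true,      // keep the server cert for inspection
    )));
}

// Hypothetical helper: connect, failing loudly if the chain does not validate.
function apns_connect($endpoint, $ctx)
{
    $sock = stream_socket_client($endpoint, $errno, $errstr, 30, STREAM_CLIENT_CONNECT, $ctx);
    if ($sock === false) {
        // With verify_peer on, a missing or wrong root ends up here instead of
        // the script talking to a peer it never authenticated.
        throw new RuntimeException("TLS connect failed ($errno): $errstr");
    }
    return $sock;
}

$ctx  = apns_tls_context($caFile, $pushCert);
$sock = apns_connect($endpoint, $ctx);

// Show who issued the certificate the server presented.
$params = stream_context_get_params($sock);
$cert   = openssl_x509_parse($params['options']['ssl']['peer_certificate']);
$issuer = isset($cert['issuer']['O']) ? $cert['issuer']['O'] : '(no organization field)';
echo "Server cert issuer: $issuer\n";
fclose($sock);
```
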

Scott Shi

Reputation: 11

I am looking for the same solution. A quick hint from another forum says "simply download the .cer file and install it": http://www.iphonedevsdk.com/forum/iphone-sdk-development/66878-apns-question-email-apple.html

We will try on our Linux server; please see if this works for your situation.

Upvotes: 1
