How to renew your Apple Push Notification Push SSL Certificate

By David Mytton,
CEO & Founder of Server Density.

Published on the 5th June, 2010.

See also: How to build an Apple Push Notification provider server (tutorial)

It’s coming up to a year since we launch our server monitoring iPhone application and so our Apple push notification SSL certificate is expiring in a few weeks. It is necessary to renew it and install the new certificate on our servers so we can continue sending push notifications for server alerts, and this quick post will take you through the steps.

You can generate a new certificate without revoking the old one, and use them simultaneously to ensure they are working before revoking the old one.

1) Log in

iPhone Portal App IDs

Log into the Apple iPhone Developer website and click the iPhone Provisioning Portal link. From the left menu, click on App IDs and then Configure next to the app you want to regenerate the certificate for. You’ll see your existing certificates and the option to generate a new one. Click the Configure button to launch the wizard.

2) Generate a CSR

I used the CSR I generated for the original APNS certificate but you can generate a new one by following the instructions in the wizard.

3) Generate the certificate

iPhone Portal Generate

After uploading the CSR, the wizard will generate your new certificate. The name will show up as your username rather than what you specify in the CSR. Download it to your system, it will be called aps_production_identity.cer. Double click it to import it into your Keychain.

4. Export certificates / keys

Launch Keychain Assistant from your local Mac and from the login keychain, filter by the Certificates category. You will see an expandable option called “Apple Development Push Services”. You’ll see your old certificate and the new one you just downloaded.

Click the triangle to expand the certificate. You’ll have 2 items – the certificate itself that you just expanded, and the private key that was revealed.

Keychain Export

Right click on the certificate (not the private key) “Apple Development Push Services” > Export “Apple Development Push Services ID123″. Save this as apns-prod-cert.p12 file somewhere you can access it. Then do the same with the private key and save it as apns-prod-key.p12.

For both exports, you will be asked to specify a password, then asked for your keychain password. I did not specify a password on the first prompt.

5) Convert to PEM format

These files now need to be converted to the PEM format by executing these 2 commands from the terminal:

[sourcecode language="bash"]
openssl pkcs12 -clcerts -nokeys -out apns-prod-cert.pem -in apns-prod-cert.p12
openssl pkcs12 -nocerts -out apns-prod-key.pem -in apns-prod-key.p12[/sourcecode]

You will be forced to set a PEM passphrase on the second command, so execute the following command to remove it:

[sourcecode language="bash"]openssl rsa -in apns-prod-key.pem -out apns-prod-key-noenc.pem[/sourcecode]

6) Merge files

Finally, you need to combine the key and cert files into a apns-prod.pem file we will use when connecting to APNS:

[sourcecode language="bash"]cat apns-prod-cert.pem apns-prod-key-noenc.pem > apns-prod.pem[/sourcecode]

And that’s it. You can replace your existing production certificate with the one you just created, and it’ll be valid for another year. Yay.

Free eBook: 4 Steps to Successful DevOps

This eBook will show you how we i) hacked our on-call rotation to increase code resilience, ii) broke our infrastructure, on purpose, to debug quicker and increase uptime, and iii) borrowed practices from the healthcare and aviation industry, to reduce complexity, stress and fatigue. And speaking of stress and fatigue, we’ve devoted an entire chapter on how we placed humans at the centre of Ops, in order to increase their productivity and boost the uptime of the systems they manage. What are you waiting for, download your free copy now.

Help us speak your language. What is your primary tech stack?

What infrastructure do you currently work with?

  • Sho

    Thanks for the detailed instructions. You saved us a ton of work!

    • Happy

      Thank you so much!! I could not find anything online that had this level of detail for exactly what I needed. Other things I read said you had to rebuild your whole app and resubmit it to the App Store as a new version. That was totally not the case. This worked perfectly for me :)

  • This works fine for production certificates but what about renewing development push certificates?

    PS: There is a typo in the post in Step 4. where you mention Development Push Services multiple times but actually you are talking about the Production Push Certificate.

  • Luke

    Thanks for the helpful tutorial! Saved me lots of time!!!

  • You can use the “-nodes” option to export the private key without setting a passphrase.

  • Scarlet Witch

    On merging files, i.e on step 6, I do not get an apns-prod.pem file. Instead i get an error “… … cm1zIGFuZCBjb25kaXRpb25zIG9mIHVzZSwgY2VydGlmaWNhdGUgcG9saWN5IGFu
    cat: apns-prod-key-noenc.pem: No such file or directory”

    Can you help out why? please.

    • Lolo

      substitute the “>” for >
      that will do it.

    • Lolo

      sorry & gt ; for >

      cat apns-prod-cert.pem apns-prod-key-noenc.pem > apns-prod.pem

  • haraldmartin

    Thanks! <333

  • Peter

    Hey ho,

    what happens when the push is certificate expired and you created the NEW with another private key. Can the app store still receive push messages or an update is needed?

  • Ben Guild

    tip: if you’re having weird problems, make sure you’re entering a passphrase of at least 4 characters when generating the PEM from the P12 key file in Step 5. if you don’t, it won’t ask you to verify and it will just create the file anyway while silently failing in reality.

  • Tu Pham

    Im not seeing the usefulness of this ove-complicated process. Why wouldnt you just renew your certificate a month or so before expiry and load it in? Why would I want to have two certificates with overlapping expiries, causing me to have to renew twice a year?

Articles you care about. Delivered.

Help us speak your language. What is your primary tech stack?

Maybe another time