Product Documentation

Requesting an APNS Certificate

Oct 20, 2015

In order to enroll and manage iOS devices with Device Manager, you need to set up and create an Apple Push Notification Service (APNS) certificate from Apple. This section outlines the following basic steps for requesting the APNS certificate:

  • Use a Windows 2008 R2 Server and Microsoft Internet Information Server (IIS) or a Mac computer to generate a certificate signing request (CSR).
  • Request an APNS certificate from Apple.
  • Import the certificate to Device Manager.
Note:
  • The APNS certificate from Apple enables mobile device management via the Apple Push Network. If you accidentally or intentionally revoke the certificate, you will lose the ability to manage your devices.
  • If you used the iOS Developer Enterprise Program to create a Mobile Device Manager push certificate, you may need to take action due to the migration of existing certificates to the Apple Push Certificates Portal. For details, see Apple MDM Push Certificate Migration Information.

The topics that outline the step-by-step procedures are listed in order in this section as follows:

Create a CSR on IIS / Create a CSR on a Mac
  Generate a CSR with a Windows 2008 R2 Server and Microsoft IIS or on a Mac computer. Citrix recommends this method.
Submit a CSR to Citrix for Signing
  Submit the CSR to Citrix at the XenMobile APNs CSR Signing website (MyCitrix ID required). Citrix signs the CSR with its mobile device management signing certificate and returns the signed file in .plist format.
Submit Signed CSR to Apple
  Submit the signed CSR to Apple at the Apple Push Certificate Portal (Apple ID required) and then download the APNS certificate from Apple.
Create a .pfx APNS certificate by using Microsoft IIS / on a Macintosh computer / by using OpenSSL
  Export the APNS certificate as a PKCS #12 (.pfx) certificate (on IIS, Mac, or OpenSSL).
Import an APNS certificate into Device Manager
  Import the certificate into Device Manager.

Apple MDM Push Certificate Migration Information

MDM push certificates created in the iOS Developer Enterprise Program have been migrated to the Apple Push Certificates Portal. This migration affects the creation of new MDM push certificates and the renewal, revocation, and downloading of existing MDM push certificates. The migration does not affect other (non-MDM) APNS certificates.

If your MDM push certificate was created in the iOS Developer Enterprise Program, the following situations apply:
  • The certificate has been migrated for you automatically.
  • You can renew the certificate in the Apple Push Certificates Portal without affecting your users.
  • You need to use the iOS Developer Enterprise Program to revoke or download a preexisting certificate.

If none of your MDM push certificates is near expiration, you don't need to do anything. If you do have an MDM push certificate that is approaching expiration, contact your MDM solution provider. Then, have your iOS Developer Program Agent log on to the Apple Push Certificates Portal with their Apple ID.

All new MDM push certificates must be created in the Apple Push Certificates Portal. The iOS Developer Enterprise Program will no longer allow the creation of an App ID with a Bundle Identifier (APNS topic) that contains com.apple.mgmt.
Note: You must keep track of the Apple ID used to create the certificate. In addition, the Apple ID should be a corporate ID and not a personal ID.

To create a CSR by using Microsoft IIS

The first step for generating an APNS certificate request for iOS devices is to create a Certificate Signing Request (CSR). On a Windows 2008 R2 Server, you can generate a CSR by using Microsoft IIS.

  1. Open Microsoft IIS.
  2. Double-click the Server Certificates icon for IIS.
  3. In the Server Certificates window, click Create Certificate Request.
  4. Type the appropriate Distinguished Name (DN) information and then click Next.
  5. Select Microsoft RSA SChannel Cryptographic Provider for the Cryptographic Service Provider and 2048 for bit length and then click Next.
  6. Enter a file name and specify a location to save the CSR and then click Finish.

To create a CSR on a Macintosh computer

  1. On a Macintosh computer running Mac OS X, under Applications > Utilities, start the Keychain Access application.
  2. Open the Keychain Access menu and then click Preferences.
  3. Click the Certificates tab, change the options for OCSP and CRL to Off and then close the Preferences window.
  4. On the Keychain Access menu, click Certificate Assistant > Request a Certificate From a Certificate Authority.
  5. The Certificate Assistant prompts you to enter the following information:
    1. Email Address. Email address of the individual or role account who is responsible for managing the certificate.
    2. Common Name. Common name of the individual or a role account who is responsible for managing the certificate.
    3. CA Email Address. Email address of the Certificate Authority.
  6. Select the Saved to disk and Let me specify key pair information options.
  7. Click Continue.
  8. Enter a name for the CSR file, save the file on your computer and then click Save.
  9. Specify the key pair information by selecting the Key Size of 2048 bits and the RSA algorithm and then click Continue. The CSR file is ready for you to upload as part of the APNS certificate process.
  10. Click Done when the Certificate Assistant completes the CSR process.

To create a CSR by using OpenSSL

If you cannot use a Windows 2008 R2 Server and Microsoft Internet Information Server (IIS) or a Mac computer to generate a Certificate Signing Request (CSR) to submit to Apple for the Apple Push Notification service (APNS) certificate, you can use OpenSSL.
Note: In order to use OpenSSL to create a CSR, you need to first download and install OpenSSL from the OpenSSL website.
  1. On the computer where you installed OpenSSL, execute the following command from a command prompt or shell.
    openssl req -new -keyout Customer.key.pem -out CompanyAPNScertificate.csr -newkey rsa:2048
  2. The following message for certificate naming information appears. Enter the information as requested.
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:US
    State or Province Name (full name) [Some-State]:CA
    Locality Name (eg, city) []:RWC
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:Customer
    Organizational Unit Name (eg, section) []:Marketing
    Common Name (eg, YOUR name) []:John Doe
    Email Address []:john.doe@customer.com
  3. At the next message, enter a password for the CSR private key.
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
  4. Send the resulting CSR to Citrix.
Citrix prepares the signed CSR and returns the file to you through email.
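The same key and CSR generation as the procedure above, run unattended and followed by the checks worth doing before the CSR leaves your machine. This is an added example, not part of the Citrix documentation: the subject values are constructed placeholders, and the `-subj` and `-nodes` options replace the interactive prompts shown above (without `-nodes`, openssl asks for a PEM pass phrase for the key before it asks for the DN fields). The functions verify that the request carries a 2048-bit key, that its self-signature is intact, and that the private key on disk really is the one the CSR was built from; the last check is what you will want again later, because Apple's certificate is only usable together with this exact key.

```shell
#!/bin/sh
# Added example (not Citrix's documentation): generate an APNS CSR without
# prompts and verify it. All subject values are constructed placeholders.
set -eu

WORK="$(mktemp -d)"
KEY="$WORK/Customer.key.pem"
CSR="$WORK/CompanyAPNScertificate.csr"

# Constructed DN mirroring the documented prompts; replace with your own values.
SUBJ="/C=US/ST=CA/L=RWC/O=Customer/OU=Marketing/CN=John Doe/emailAddress=john.doe@customer.com"

# Same as the documented command, plus -subj (no DN prompts) and -nodes (no key
# pass phrase prompt, so the script can run unattended).
openssl req -new -newkey rsa:2048 -nodes -keyout "$KEY" -out "$CSR" -subj "$SUBJ" 2>/dev/null

# The private key must stay readable only by its owner; recent openssl versions
# already create it 0600, this makes it explicit.
chmod 600 "$KEY"

# Returns the RSA modulus size recorded in the CSR (expected: 2048).
csr_key_bits() {
  openssl req -in "$CSR" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Returns "ok" if the CSR's self-signature verifies, i.e. the file was not
# truncated or altered and matches the public key it contains.
csr_signature_ok() {
  if openssl req -in "$CSR" -noout -verify >/dev/null 2>&1; then echo ok; else echo bad; fi
}

# Returns "ok" if the private key on disk corresponds to the public key in the
# CSR. Compares SHA-256 digests of the DER-encoded public keys.
csr_matches_key() {
  k="$(openssl pkey -in "$KEY" -pubout -outform DER | openssl sha256)"
  c="$(openssl req -in "$CSR" -pubkey -noout | openssl pkey -pubin -pubout -outform DER | openssl sha256)"
  if [ "$k" = "$c" ]; then echo ok; else echo mismatch; fi
}

echo "CSR key bits:       $(csr_key_bits)"
echo "CSR signature:      $(csr_signature_ok)"
echo "Key matches CSR:    $(csr_matches_key)"
echo "Files in:           $WORK"
```

Keep `Customer.key.pem` where it was generated (or back it up securely): the CSR can be regenerated, but a certificate issued against a lost key cannot be used and the whole request has to be repeated.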

To submit the CSR to Citrix for signing

Before you can submit the certificate to Apple, you need to send the newly created Certificate Signing Request (CSR) to Citrix for signing so that the certificate can be used with Device Manager. To send the certificate to Citrix, open a Technical Support case using the Citrix Support portal and attach the CSR to the case. If your request is urgent, call the appropriate Technical Support phone number for immediate support. Citrix will return the signed file to you as a .plist file.

To submit the signed CSR to Apple to obtain the APNS certificate

After receiving your Certificate Signing Request (CSR) from Citrix, you need to submit it to Apple to obtain the APNS certificate.

Note: Some users have reported problems logging into the Apple Push Portal. As an alternative, you can log on to the Apple Developer Portal (http://developer.apple.com/devcenter/ios/index.action) before going to the identity.apple.com link in step 1.
  1. In a browser, go to https://identity.apple.com/pushcert.
  2. Click Create a Certificate.
  3. If this is the first time you are creating a certificate with Apple, select the I have read and agree to these terms and conditions check box and then click Accept.
  4. Click Choose File to upload your CSR, browse to the CSR on your computer and then click Upload. A confirmation message should appear stating that the upload is successful.
  5. Click Download to retrieve the .pem certificate.
    Note: If you are using Internet Explorer and the file extension is missing, click Cancel two times and then download from the next window.

To create a .pfx APNS certificate by using Microsoft IIS

To use the APNS certificate from Apple with Device Manager, you need to complete the certificate request in Microsoft IIS, export the certificate as a PKCS #12 (.pfx) file and then import the APNS certificate into Device Manager.
Important: You need to use the same IIS server for this task as the server you used to generate the CSR.
  1. Open Microsoft IIS.
  2. Click the Server Certificates icon.
  3. In the Server Certificates window, click Complete Certificate Request.
  4. Browse to the Certificate.pem file from Apple. Type a friendly name or the certificate name and then click OK.
  5. Select the certificate that you identified in Step 4 and then click Export.
  6. Specify a location and file name for the .pfx certificate and a password and then click OK.
    Note: You will need the password for the certificate during the installation of Device Manager.
  7. Copy the .pfx certificate to the server on which Device Manager will be installed.
  8. Log on to the Device Manager web console as an administrator or as a user with access to the About tab.
  9. Click the About tab and then click Update APNS Certificate.
  10. In the Update APNS Certificate dialog box, browse to the APNS certificate .pfx file on your computer and then enter a new password.
  11. Click Load APNS Certificate.
  12. Click Update.

To create a .pfx APNS certificate on a Macintosh computer

  1. On the same Macintosh computer running Mac OS X that you used to generate the CSR, locate the Production identity (.pem) certificate that you received from Apple.
  2. Double-click the certificate file to import the file into the keychain.
  3. If you are prompted to add the certificate to a specific keychain, keep the default login keychain selected and then click OK. The newly added certificate will appear in your list of certificates.
  4. Click the certificate and then, on the File menu, click Export to begin exporting the certificate as a PKCS #12 (.pfx) certificate.
  5. Give the certificate file a unique name for use with the Device Manager server, choose a folder location for the saved certificate, select the .pfx file format and then click Save.
  6. Enter a password for exporting the certificate. Citrix recommends that you use a unique, strong password. Also, be sure to keep the certificate and password safe for later use and reference.
  7. The Keychain Access application will prompt you for the login password or selected keychain. Enter the password and then click OK. The saved certificate is now ready for use with the Device Manager server.
    Note: If you don't plan to keep the computer and user account that you originally used to generate the CSR and complete the certificate export, Citrix recommends that you save or export the private and public keys from the local system. Otherwise, you will lose access to the APNS certificate for reuse and will have to repeat the entire CSR and APNS process.

To create a .pfx APNS certificate by using OpenSSL

After you use OpenSSL to create a Certificate Signing Request (CSR), you can also use OpenSSL to create a .pfx APNS certificate.
  1. At a command prompt or shell, execute the following command.
    openssl pkcs12 -export -in MDM_Zenprise_Certificate.pem -inkey Customer.key.pem -out apns_identity.p12
  2. Enter a password for the .pfx certificate file. Remember this password because you need to use the password again when you upload the certificate to Device Manager.
  3. Note the location for the .pfx certificate file and then copy the file to the Device Manager server, so you can use the Device Manager web console to upload the file.
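The export step above, followed by the checks a practitioner would run before uploading the bundle, and the expiry check that the renewal section relies on. This is an added example, not part of the Citrix documentation. Because Apple's signed certificate is not available offline, the script generates a self-signed stand-in in place of `MDM_Zenprise_Certificate.pem`; in real use that file is the one Apple returned and `Customer.key.pem` is the key from the CSR step. The export password is a constructed placeholder passed via `-passout` so the run is unattended. `.p12` and `.pfx` are the same PKCS #12 format, which is why the documented command writes `apns_identity.p12` and Device Manager accepts it.

```shell
#!/bin/sh
# Added example (not Citrix's documentation): build the PKCS #12 bundle and
# verify it before uploading. The certificate here is a constructed self-signed
# stand-in for the one Apple returns.
set -eu

WORK="$(mktemp -d)"
KEY="$WORK/Customer.key.pem"
CERT="$WORK/MDM_Zenprise_Certificate.pem"
P12="$WORK/apns_identity.p12"
EXPORT_PASS="constructed-export-password"   # placeholder; use a unique, strong password

# Stand-in for Apple's certificate: self-signed, 365 days, fresh 2048-bit key.
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$KEY" -out "$CERT" -days 365 \
  -subj "/C=US/O=Customer/CN=APNS stand-in (constructed)" 2>/dev/null

# The documented export command, with the password supplied non-interactively.
openssl pkcs12 -export -in "$CERT" -inkey "$KEY" -out "$P12" -passout "pass:$EXPORT_PASS"
chmod 600 "$P12"

# Returns "ok" if the certificate's public key matches the private key. This
# fails when the export is attempted on a machine other than the one that
# generated the CSR, which is why the procedures insist on the same machine.
cert_matches_key() {
  k="$(openssl pkey -in "$KEY" -pubout -outform DER | openssl sha256)"
  c="$(openssl x509 -in "$CERT" -pubkey -noout | openssl pkey -pubin -pubout -outform DER | openssl sha256)"
  if [ "$k" = "$c" ]; then echo ok; else echo mismatch; fi
}

# Returns "ok" if the bundle opens with the export password, i.e. the password
# you will type into Device Manager actually unlocks this file.
p12_opens() {
  if openssl pkcs12 -in "$P12" -nokeys -passin "pass:$EXPORT_PASS" >/dev/null 2>&1; then echo ok; else echo bad; fi
}

# Returns "ok" if the certificate is still valid 30 days from now, otherwise
# "renew". Cross-check against the APNS section of the About tab.
expiry_status() {
  if openssl x509 -in "$CERT" -noout -checkend $((30 * 86400)) >/dev/null; then echo ok; else echo renew; fi
}

echo "Cert matches key:  $(cert_matches_key)"
echo "Bundle opens:      $(p12_opens)"
echo "Expiry (30 days):  $(expiry_status)"
openssl x509 -in "$CERT" -noout -enddate
echo "Files in:          $WORK"
```

Run the key-match check against the real `.pem` from Apple before exporting; if it reports `mismatch`, the certificate was issued for a different key and the CSR step must be repeated rather than the export retried.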

To import an APNS certificate into Device Manager

After you have requested and received a new APNS certificate, you import the APNS certificate into Device Manager to either add the certificate for the first time or to replace an existing certificate.
  1. Log on to the Device Manager web console as an administrator or as a user with access to the About tab.
  2. Click the About tab and then click Update APNS Certificate.
  3. In the Update APNS Certificate dialog box, browse to the .p12 file on your computer and then enter a new password.
  4. Click Load APNS Certificate.
  5. Click Update.

To renew an APNS certificate

To renew an APNS certificate, you need to perform the same steps you would if you were creating a new certificate. Then, you visit the Apple Push Certificates Portal and upload the new certificate. After logging on, you see your existing certificate or you may see a certificate that was imported from your previous Apple Developers account. On the Certificates Portal, the only difference when renewing the certificate is that you click Renew. You must have a developer account with the Certificates Portal in order to access the site.
Note: To determine when your APNS certificate expires, in Device Manager, click the About tab and then look in the APNS certificate information section. If the certificate is expired, however, do not revoke the certificate.
  1. Generate a CSR using Microsoft Internet Information Services (IIS).
  2. At the XenMobile APNs CSR Signing website, upload the new CSR and then click Sign.
  3. Submit the signed CSR to Apple at Apple Push Certificate Portal.
  4. Click Renew.
  5. Generate a PKCS #12 (.pfx) APNS certificate using Microsoft IIS.
  6. Upload the new APNS certificate to the Device Manager server. Log on to the Device Manager web console, click the About tab and then click Update APNS Certificate.
  7. In the Update APNS Certificate dialog box, locate the APNS file, enter the certificate password and then click Update.