APNs certificates

To enroll and manage iOS devices in Endpoint Management, you set up an Apple Push Notification service (APNs) certificate from Apple.

Note:

  • The APNs certificate from Apple enables mobile device management via the Apple Push Network. If you accidentally or intentionally revoke the certificate, you lose the ability to manage your devices.
  • If you used the iOS Developer Enterprise Program to create a mobile device manager push certificate: You might need to take action due to the migration of existing certificates to the Apple Push Certificates Portal.

The topics that outline the step-by-step procedures are listed in order in this section. Here’s a summary of the process.

Step 1: For Windows, generate a CSR with a Windows Server 2012 R2 or Windows Server 2008 R2 server and Microsoft IIS. For Mac, generate a CSR on a Mac computer. Citrix recommends generating the CSR on a Mac.

Step 2: Submit the CSR to Citrix. Citrix signs the CSR with its mobile device management signing certificate and returns the signed file in a .plist format.

Step 3: Submit the signed CSR to Apple and then download the APNs certificate from Apple.

Step 4: Export the APNs certificate as a PKCS #12 (.pfx) file (using IIS, Keychain Access on a Mac, or OpenSSL).

Step 5: Import an APNs certificate into Endpoint Management.

Apple MDM Push Certificate Migration Information

Mobile device management (MDM) push certificates created in the iOS Developer Enterprise Program have been migrated to the Apple Push Certificates Portal. This migration affects the creation of new MDM push certificates and the renewal, revocation, and downloading of existing MDM push certificates. The migration does not affect other (non-MDM) APNs certificates.

If your MDM push certificate was created in the iOS Developer Enterprise Program, the following situations apply:

  • The certificate has been migrated for you automatically.
  • You can renew the certificate in the Apple Push Certificates Portal without affecting your users.
  • You need to use the iOS Developer Enterprise Program to revoke or download a pre-existing certificate.

If your MDM push certificates aren’t near expiration, there is no action required. If you do have an MDM push certificate that is approaching expiration, contact your MDM solution provider. Then, have your iOS Developer Program Agent log on to the Apple Push Certificates Portal with their Apple ID.

All new MDM push certificates must be created in the Apple Push Certificates Portal. The iOS Developer Enterprise Program no longer allows the creation of an App ID with a Bundle Identifier (APNs topic) that contains com.apple.mgmt.

Important:

Keep track of the Apple ID used to create the certificate. In addition, the Apple ID must be a corporate ID and not a personal ID.

To create a CSR by using Microsoft IIS

The first step for generating an APNs certificate request for iOS devices is to create a Certificate Signing Request (CSR). On a Windows 2012 R2 or Windows 2008 R2 Server, you can generate a CSR by using Microsoft IIS.

  1. Open Microsoft IIS.
  2. Double-click the Server Certificates icon for IIS.
  3. In the Server Certificates window, click Create Certificate Request.
  4. Type the appropriate Distinguished Name (DN) information and then click Next.
  5. Select Microsoft RSA SChannel Cryptographic Provider for the Cryptographic Service Provider and 2048 for bit length and then click Next.
  6. Enter a file name and specify a location to save the CSR and then click Finish.

To create a CSR on a Mac computer

  1. On a Mac computer running macOS, under Applications > Utilities, start the Keychain Access application.
  2. Open the Keychain Access menu and then click Preferences.
  3. Click the Certificates tab, change the options for OCSP and CRL to Off and then close the Preferences window.
  4. On the Keychain Access menu, click Certificate Assistant > Request a Certificate From a Certificate Authority.
  5. The Certificate Assistant prompts you to enter the following information:
    • Email Address: Email address of the individual or role account who is responsible for managing the certificate.
    • Common Name: Common name of the individual or a role account who is responsible for managing the certificate.
    • CA Email Address: Email address of the Certificate Authority.
  6. Select the Saved to disk and Let me specify key pair information options and then click Continue.
  7. Enter a name for the CSR file, save the file on your computer, and then click Save.
  8. Specify the key pair information: Select the Key Size of 2048 bits and the RSA algorithm and then click Continue. The CSR file is ready for you to upload as part of the APNs certificate process.
  9. Click Done when the Certificate Assistant completes the CSR process.

To create a CSR by using OpenSSL

If you cannot use a Mac computer or a supported Windows Server and Microsoft IIS to generate a CSR: You can use OpenSSL instead.

To use OpenSSL to create a CSR, first download and install OpenSSL from the OpenSSL website.

  1. On the computer where you installed OpenSSL, execute the following command from a command prompt or shell.

    openssl req -new -keyout Customer.key.pem -out CompanyAPNScertificate.csr -newkey rsa:2048

  2. The following message for certificate naming information appears. Enter the information as requested.

    You are about to be asked to enter information that will be incorporated into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:US
    State or Province Name (full name) [Some-State]:CA
    Locality Name (eg, city) []:RWC
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:Customer
    Organizational Unit Name (eg, section) []:Marketing
    Common Name (eg, YOUR name) []:John Doe
    Email Address []:john.doe@customer.com
    
  3. Before the DN prompts, OpenSSL asks for a PEM pass phrase and uses it to encrypt the private key file (Customer.key.pem). Choose a strong pass phrase and keep it together with the key file: you need both again to create the .pfx file after Apple issues the certificate. After the DN, OpenSSL prompts for the 'extra' attributes shown below. The challenge password is an optional attribute embedded in the CSR, not the private key pass phrase; both fields can be left blank.

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    
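The OpenSSL CSR step as a script rather than interactive prompts, added here as an example; it is not code from the Citrix page. The file names, the sample DN, and the APNS_KEY_PASS environment variable are assumptions. The script keeps the pass phrase out of the command line and shell history, refuses to write an unencrypted key, and verifies the CSR before it is uploaded for signing.

```shell
#!/bin/sh
# Added example, not taken from the Citrix page. File names, the subject DN
# and the APNS_KEY_PASS variable are assumptions; adjust them to your site.
# Requires the openssl command-line tool.

# Generate a fresh 2048-bit RSA key and the CSR in one call. -subj supplies the
# DN non-interactively; the key is written encrypted, with the pass phrase read
# from the APNS_KEY_PASS environment variable (-passout env:) so it never
# appears in the process list or shell history.
# Usage: make_apns_csr key.pem request.csr "/C=US/O=Customer/CN=John Doe"
make_apns_csr() {
    key="$1"; csr="$2"; subj="$3"
    [ -n "$APNS_KEY_PASS" ] || { echo "APNS_KEY_PASS is not set" >&2; return 1; }
    openssl req -new -newkey rsa:2048 -sha256 \
        -keyout "$key" -passout env:APNS_KEY_PASS \
        -subj "$subj" -out "$csr" >/dev/null || return 1
    chmod 600 "$key"   # the private key is the secret half of the APNs identity
}

# The key file must be encrypted at rest; a plaintext key left on the CSR host
# is the usual leak in this workflow. Succeeds only if the PEM is marked ENCRYPTED.
key_is_encrypted() {
    grep -q ENCRYPTED "$1"
}

# Check the CSR's self-signature before uploading it for signing, so a
# corrupted or hand-edited file fails here rather than at the portal.
verify_apns_csr() {
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# Print the subject DN so the uploader can confirm the organization name;
# a later renewal has to use the same organization name.
csr_subject() {
    openssl req -in "$1" -noout -subject
}

# Print the RSA key size carried in the CSR (2048, as the page prescribes).
csr_key_bits() {
    openssl req -in "$1" -noout -pubkey \
        | openssl pkey -pubin -noout -text \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Stand-alone run with the page's sample DN values (set APNS_CSR_DEMO=1).
if [ "${APNS_CSR_DEMO:-0}" = "1" ]; then
    export APNS_KEY_PASS="${APNS_KEY_PASS:-change-me}"
    make_apns_csr Customer.key.pem CompanyAPNScertificate.csr \
        "/C=US/ST=CA/L=RWC/O=Customer/OU=Marketing/CN=John Doe/emailAddress=john.doe@customer.com" \
        && key_is_encrypted Customer.key.pem \
        && verify_apns_csr CompanyAPNScertificate.csr \
        && csr_subject CompanyAPNScertificate.csr \
        && echo "key size: $(csr_key_bits CompanyAPNScertificate.csr)"
fi
```

Keep Customer.key.pem and its pass phrase with whoever owns the APNs renewal process; the same key is needed later to build the PKCS #12 file, and a CSR generated from a different key cannot be paired with the certificate Apple returns.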

To sign the CSR

Before you can submit the CSR to Apple, have Citrix sign it. Citrix signs the CSR with its mobile device management signing certificate so that the push certificate Apple issues can be used with Endpoint Management.

  1. In your browser, go to the Endpoint Management Tools website and then click Request push notification certificate signature.

  2. Click Upload the CSR.

  3. Browse to and select the CSR file.

    The CSR must be a PEM-encoded text file (.pem or .txt).

  4. On the Endpoint Management APNs CSR Signing page, click Sign. The CSR is signed and automatically saved to your configured download folder.

To submit the signed CSR to Apple to obtain the APNs certificate

After receiving your signed Certificate Signing Request (CSR) from Citrix, submit it to Apple to obtain the APNs certificate.

Note:

Some users have reported problems logging into the Apple Push Portal. As an alternative, you can log on to the Apple Developer Portal before going to the identity.apple.com link in Step 1.

  1. In a browser, go to https://identity.apple.com/pushcert.

  2. Click Create a Certificate.

  3. The first time that you create a certificate with Apple: Select the I have read and agree to these terms and conditions check box and then click Accept.

  4. Click Choose File, browse to the signed CSR on your computer, and then click Upload. A confirmation message indicates that the upload is successful.

  5. Click Download to retrieve the .pem certificate.

    If you are using Internet Explorer and the file name extension is missing, click Cancel two times and then download from the next window.

To create a .pfx APNs certificate by using Microsoft IIS

To use the APNs certificate from Apple with Endpoint Management: Complete the certificate request in Microsoft IIS, export the certificate as a PKCS #12 (.pfx) file, and then import the APNs certificate into Endpoint Management.

Important:

Use the same IIS server for this task as the server you used to generate the CSR.

  1. Open Microsoft IIS.

  2. Click the Server Certificates icon.

  3. In the Server Certificates window, click Complete Certificate Request.

  4. Browse to the Certificate.pem file from Apple. Then, type a friendly name or the certificate name and click OK. Don’t include space characters in the name.

  5. Select the certificate that you identified in Step 4 and then click Export.

  6. Specify a location and file name for the .pfx certificate and a password and then click OK.

    You need the password for the certificate during Endpoint Management installation.

  7. Copy the .pfx certificate to the server on which you plan to install Endpoint Management.

  8. Sign on to the Endpoint Management console as an administrator.

  9. In the Endpoint Management console, click the gear icon in the upper-right corner of the console. The Settings page appears.

  10. Click Certificates. The Certificates page appears.

  11. Click Import. The Import dialog box appears.

  12. From the Import menu, choose Keystore.

  13. From Use as, choose APNs.

  14. In Keystore file, select the keystore file you want to import by clicking Browse and navigating to the file’s location.

  15. In Password, type the password assigned to the certificate.

  16. Click Import.

To create a .pfx APNs certificate on a Mac computer

  1. On the same Mac computer running macOS that you used to generate the CSR, locate the Production identity (.pem) certificate that you received from Apple.

  2. Double-click the certificate file to import the file into the keychain.

  3. If you are prompted to add the certificate to a specific keychain, keep the default login keychain selected and then click OK. The newly added certificate appears in your list of certificates.

  4. Click the certificate and then on the File menu, click Export to begin exporting the certificate into a PKCS #12 (.pfx) file.

  5. Give the certificate file a unique name for use with the Endpoint Management server. Don’t include space characters in the name. Then, choose a folder location for the saved certificate, select the .pfx file format, and click Save.

  6. Enter a password for exporting the certificate. Citrix recommends that you use a unique, strong password. Also, be sure to keep the certificate and password safe for later use and reference.

  7. The Keychain Access application prompts you for the login password or selected keychain. Enter the password and then click OK. The saved certificate is now ready for use with the Endpoint Management server.

    Note:

    If you don’t plan to keep the computer and user account that you originally used to generate the CSR and complete the certificate export process: Citrix recommends that you export the private key and certificate from the local keychain and store them, together with the export password, somewhere safe. Otherwise, the key material is lost, the APNs certificate cannot be reused, and you must repeat the entire CSR and APNs process.

To create a .pfx APNs certificate by using OpenSSL

After you use OpenSSL to create a Certificate Signing Request (CSR), you can also use OpenSSL to create a .pfx APNs certificate.

  1. At a command prompt or shell, execute the following command.

    openssl pkcs12 -export -in MDM_Zenprise_Certificate.pem -inkey Customer.key.pem -out apns_identity.p12

  2. Enter an export password for the PKCS #12 file (.p12 and .pfx are the same format). Remember this password because you use the password again when you upload the certificate to Endpoint Management.

  3. Note the location for the .pfx certificate file. Then, copy the file to the Endpoint Management server so you can use the console to upload the file.
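The OpenSSL packaging step with the checks a practitioner runs first, added here as an example; it is not code from the Citrix page. File names are assumptions, and APNS_KEY_PASS (private key pass phrase) and APNS_P12_PASS (export password) are assumed environment variables. The script confirms that the certificate Apple returned was issued for the key from your CSR, reports the remaining validity and the push topic, and only then builds and reads back the PKCS #12 file.

```shell
#!/bin/sh
# Added example, not from the Citrix page. File names are assumptions;
# APNS_KEY_PASS and APNS_P12_PASS are assumed environment variables.
# Requires the openssl command-line tool.

# SHA-256 of the public key (SubjectPublicKeyInfo) in the certificate and in
# the key file; identical digests mean the two belong together.
cert_pubkey_fpr() {
    openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256 | awk '{print $NF}'
}
key_pubkey_fpr() {
    openssl pkey -in "$1" -passin env:APNS_KEY_PASS -pubout \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Apple signs the public key that was in the CSR. With the wrong key file
# (or a CSR generated on another machine) the export below still succeeds
# but the keystore is useless, so catch the mismatch here.
cert_matches_key() {
    c=$(cert_pubkey_fpr "$1"); k=$(key_pubkey_fpr "$2")
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Succeeds if the certificate stays valid for at least N more days. Run it on
# the .pem from Apple now and later from a scheduled job, so renewal starts
# before expiry and the certificate never has to be replaced (or revoked).
cert_ok_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# The push topic Apple assigned (com.apple.mgmt.External.<id>), carried in the
# subject's UID attribute. Record it: renewing keeps the topic, whereas creating
# a new certificate instead yields a new topic and devices must re-enroll.
apns_topic() {
    t=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*UID=\([^,]*\).*/\1/p')
    [ -n "$t" ] && echo "$t"
}

# Package certificate + key as PKCS #12 (.p12 and .pfx are the same format).
# Both pass phrases come from the environment, not the command line.
make_apns_p12() {
    cert="$1"; key="$2"; out="$3"
    cert_matches_key "$cert" "$key" || { echo "certificate does not match key" >&2; return 1; }
    openssl pkcs12 -export -in "$cert" -inkey "$key" -passin env:APNS_KEY_PASS \
        -name apns -out "$out" -passout env:APNS_P12_PASS || return 1
    chmod 600 "$out"
}

# Read the keystore back the way an importer will and print the certificate
# subject, proving the file opens with the password you are about to record.
p12_cert_subject() {
    openssl pkcs12 -in "$1" -passin env:APNS_P12_PASS -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -subject
}

# Stand-alone run with the page's file names (set APNS_P12_DEMO=1).
if [ "${APNS_P12_DEMO:-0}" = "1" ]; then
    cert_ok_for_days MDM_Zenprise_Certificate.pem 30 || echo "WARNING: expires within 30 days" >&2
    echo "topic: $(apns_topic MDM_Zenprise_Certificate.pem)"
    make_apns_p12 MDM_Zenprise_Certificate.pem Customer.key.pem apns_identity.p12 \
        && p12_cert_subject apns_identity.p12
fi
```

OpenSSL 3 writes PKCS #12 files with AES-256 and PBKDF2 by default; if an older import tool rejects such a file, OpenSSL 3 can re-export it with the older algorithms using its -legacy option.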

To import an APNs certificate into Endpoint Management

After you request and receive a new APNs certificate: Import the APNs certificate into Endpoint Management to either add the certificate for the first time or to replace a certificate.

  1. In the Endpoint Management console, click the gear icon in the upper-right corner of the console. The Settings page appears.
  2. Click Certificates. The Certificates page appears.
  3. Click Import. The Import dialog box appears.
  4. From the Import menu, choose Keystore.
  5. From Use as, choose APNs.
  6. Browse to the .p12 file on your computer.
  7. Enter a password and then click Import.

For more information about certificates in Endpoint Management, see Certificates and authentication.

To renew an APNs certificate

To renew an APNs certificate, perform the same steps you would if you were creating a certificate. Then, visit the Apple Push Certificates Portal and upload the new certificate. After logging on, you see your existing certificate or you might see a certificate that was imported from your previous Apple Developer account.

On the Certificates Portal, the only difference when renewing the certificate is that you click Renew. You must have a developer account with the Certificates Portal to access the site. When you are renewing your certificate, ensure that you use the same organization name and Apple ID.

To determine when your APNs certificate expires, in the Endpoint Management console, click Configure > Settings > Certificates. Even if the certificate has already expired, do not revoke it: revoking the certificate removes your ability to manage enrolled devices (see the note at the start of this page). Renew it instead.

  1. Generate a CSR, using IIS (Microsoft), OpenSSL, or Keychain Access (macOS).
  2. In your browser, go to the Endpoint Management Tools website and then click Request push notification certificate signature.
  3. Click + Upload the CSR. Then, in the dialog box, navigate to the CSR, click Open, and click Sign.
  4. When you receive a .plist file, save it.
  5. Click Apple Push Certificates Portal and sign on.
  6. Select the certificate that you want to renew and click Renew.
  7. Upload the .plist file. You receive a .pem file as the output. Save the .pem file.
  8. Using that .pem file, complete the CSR (according to the method you used to create the CSR in Step 1).
  9. Export the certificate as a .pfx file.

In the Endpoint Management console, import the .pfx file and complete the configuration as follows:

  1. Go to Settings > Certificate Management.
  2. On the Certificates page, click Import.
  3. From the Import menu, choose Keystore.
  4. From Keystore type, choose PKCS #12.
  5. From Use as, choose APNs.
  6. For Keystore file, click Browse and navigate to the file.
  7. In Password, type the certificate password.
  8. Type an optional Description.
  9. Click Import.

Endpoint Management redirects you back to the Certificates page. The Name, Status, Valid from, and Valid to fields update.