Requesting an APNs Certificate

Feb 23, 2016

In order to enroll and manage iOS devices with XenMobile, you need to set up and create an Apple Push Notification service (APNs) certificate from Apple. This section outlines the following basic steps for requesting the APNs certificate:

  • Use a Windows Server 2012 R2 or Windows 2008 R2 Server and Microsoft Internet Information Server (IIS) or a Mac computer to generate a Certificate Signing Request (CSR).
  • Have Citrix sign the CSR.
  • Request an APNs certificate from Apple.
  • Import the certificate to XenMobile.
Note:
  • The APNs certificate from Apple enables mobile device management via the Apple Push Network. If you accidentally or intentionally revoke the certificate, you will lose the ability to manage your devices.
  • If you used the iOS Developer Enterprise Program to create a mobile device manager push certificate, you may need to take action due to the migration of existing certificates to the Apple Push Certificates Portal.

The topics that outline the step-by-step procedures are listed in order in this section as follows:

Step 1

Create a CSR on IIS

Create a CSR on a Mac

Generate a CSR with a Windows Server 2012 R2 or Windows 2008 R2 Server and Microsoft IIS or on a Mac computer. Citrix recommends this method.

Step 2

To sign the CSR

Submit the CSR to Citrix at the XenMobile APNs CSR Signing website (MyCitrix ID required). Citrix signs the CSR with its mobile device management signing certificate and returns the signed file in a .plist format.

Step 3

Submit Signed CSR to Apple

Submit the signed CSR to Apple at the Apple Push Certificate Portal (Apple ID required) and then download the APNs certificate from Apple.

Step 4

To create a .pfx APNs certificate by using Microsoft IIS

To create a .pfx APNs certificate on a Mac computer

Create a .pfx APNs certificate by using OpenSSL

Export the APNs certificate as a PKCS #12 (.pfx) certificate (on IIS, on a Mac, or with OpenSSL).

Step 5

Import an APNs certificate into XenMobile

Import the certificate into XenMobile.

Apple MDM Push Certificate Migration Information

Mobile device management (MDM) push certificates created in the iOS Developer Enterprise Program have been migrated to the Apple Push Certificates Portal. This migration affects the creation of new MDM push certificates and the renewal, revocation, and downloading of existing MDM push certificates. The migration does not affect other (non-MDM) APNs certificates.

If your MDM push certificate was created in the iOS Developer Enterprise Program, the following situations apply:

  • The certificate has been migrated for you automatically.
  • You can renew the certificate in the Apple Push Certificates Portal without affecting your users.
  • You need to use the iOS Developer Enterprise Program to revoke or download a preexisting certificate.

If none of your MDM push certificates is near expiration, you don't need to do anything. If you do have an MDM push certificate that is approaching expiration, contact your MDM solution provider. Then, have your iOS Developer Program Agent log on to the Apple Push Certificates Portal with their Apple ID.

All new MDM push certificates must be created in the Apple Push Certificates Portal. The iOS Developer Enterprise Program will no longer allow the creation of an App ID with a Bundle Identifier (APNs topic) that contains com.apple.mgmt.

Note: You must keep track of the Apple ID used to create the certificate. In addition, the Apple ID should be a corporate ID and not a personal ID.

To create a CSR by using Microsoft IIS

The first step for generating an APNs certificate request for iOS devices is to create a Certificate Signing Request (CSR). On a Windows 2012 R2 or Windows 2008 R2 Server, you can generate a CSR by using Microsoft IIS.

  1. Open Microsoft IIS.
  2. Double-click the Server Certificates icon for IIS.
  3. In the Server Certificates window, click Create Certificate Request.
  4. Type the appropriate Distinguished Name (DN) information and then click Next.
  5. Select Microsoft RSA SChannel Cryptographic Provider for the Cryptographic Service Provider and 2048 for bit length and then click Next.
  6. Enter a file name and specify a location to save the CSR and then click Finish.

To create a CSR on a Mac computer

  1. On a Mac computer running Mac OS X, under Applications > Utilities, start the Keychain Access application.
  2. Open the Keychain Access menu and then click Preferences.
  3. Click the Certificates tab, change the options for OCSP and CRL to Off and then close the Preferences window.
  4. On the Keychain Access menu, click Certificate Assistant > Request a Certificate From a Certificate Authority.
  5. The Certificate Assistant prompts you to enter the following information:
    1. Email Address. Email address of the individual or role account who is responsible for managing the certificate.
    2. Common Name. Common name of the individual or a role account who is responsible for managing the certificate.
    3. CA Email Address. Email address of the Certificate Authority.
  6. Select the Saved to disk and Let me specify key pair information options and then click Continue.
  7. Enter a name for the CSR file, save the file on your computer and then click Save.
  8. Specify the key pair information by selecting the Key Size of 2048 bits and the RSA algorithm and then click Continue. The CSR file is ready for you to upload as part of the APNs certificate process.
  9. Click Done when the Certificate Assistant completes the CSR process.

To create a CSR by using OpenSSL

If you cannot use a Windows 2012 R2 or Windows 2008 R2 Server and Microsoft Internet Information Server (IIS) or a Mac computer to generate a Certificate Signing Request (CSR) to submit to Apple for the Apple Push Notification service (APNs) certificate, you can use OpenSSL.

Note: In order to use OpenSSL to create a CSR, you need to first download and install OpenSSL from the OpenSSL website.

  1. On the computer where you installed OpenSSL, execute the following command from a command prompt or shell.

    openssl req -new -keyout Customer.key.pem -out CompanyAPNScertificate.csr -newkey rsa:2048

  2. The following message for certificate naming information appears. Enter the information as requested.

    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:US
    State or Province Name (full name) [Some-State]:CA
    Locality Name (eg, city) []:RWC
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:Customer
    Organizational Unit Name (eg, section) []:Marketing
    Common Name (eg, YOUR name) []:John Doe
    Email Address []:john.doe@customer.com

  3. At the next message, enter a password for the CSR private key.

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:

  4. Send the resulting CSR to Citrix.

Citrix prepares the signed CSR and returns the file to you through email.

To sign the CSR

Before you can submit the certificate to Apple, it needs to be signed by Citrix so it can be used with XenMobile.

  1. In your browser, go to the XenMobile APNs CSR Signing website.
  2. Click Upload the CSR.
  3. Browse to and select the certificate.

    Note: The certificate must be in .pem or .txt format.

  4. On the XenMobile APNs CSR Signing page, click Sign. The CSR is signed and automatically saved to your configured download folder.

To submit the signed CSR to Apple to obtain the APNs certificate

After receiving your signed Certificate Signing Request (CSR) from Citrix, you need to submit it to Apple to obtain the APNs certificate.

Note: Some users have reported problems logging into the Apple Push Portal. As an alternative, you can log on to the Apple Developer Portal (http://developer.apple.com/devcenter/ios/index.action) before going to the identity.apple.com link in Step 1.

  1. In a browser, go to https://identity.apple.com/pushcert.
  2. Click Create a Certificate.
  3. If this is the first time you are creating a certificate with Apple, select the I have read and agree to these terms and conditions check box and then click Accept.
  4. Click Choose File, browse to the signed CSR on your computer and then click Upload. A confirmation message should appear stating that the upload is successful.
  5. Click Download to retrieve the .pem certificate.

    Note: If you are using Internet Explorer and the file extension is missing, click Cancel two times and then download from the next window.

To create a .pfx APNs certificate by using Microsoft IIS

To use the APNs certificate from Apple with XenMobile, you need to complete the certificate request in Microsoft IIS, export the certificate as a PKCS #12 (.pfx) file and then import the APNs certificate into XenMobile.

Important: You need to use the same IIS server for this task as the server you used to generate the CSR.

  1. Open Microsoft IIS.
  2. Click the Server Certificates icon.
  3. In the Server Certificates window, click Complete Certificate Request.
  4. Browse to the Certificate.pem file from Apple. Then, type a friendly name or the certificate name and click OK.
  5. Select the certificate that you identified in Step 4 and then click Export.
  6. Specify a location and file name for the .pfx certificate and a password and then click OK.

    Note: You will need the password for the certificate during the installation of XenMobile.

  7. Copy the .pfx certificate to the server on which XenMobile will be installed.
  8. Sign on to the XenMobile console as an administrator or as a user with access to the About tab.
  9. Click the About tab and then click Update APNs Certificate.
  10. In the Update APNs Certificate dialog box, browse to the APNs certificate .pfx file on your computer and then enter a new password.
  11. Click Load APNs Certificate.
  12. Click Update.

To create a .pfx APNs certificate on a Mac computer

  1. On the same Mac computer running Mac OS X that you used to generate the CSR, locate the Production identity (.pem) certificate that you received from Apple.
  2. Double-click the certificate file to import the file into the keychain.
  3. If you are prompted to add the certificate to a specific keychain, keep the default login keychain selected and then click OK. The newly added certificate will appear in your list of certificates.
  4. Click the certificate and then, on the File menu, click Export to begin exporting the certificate as a PKCS #12 (.pfx) certificate.
  5. Give the certificate file a unique name for use with the XenMobile server, choose a folder location for the saved certificate, select the .pfx file format and then click Save.
  6. Enter a password for exporting the certificate. Citrix recommends that you use a unique, strong password. Also, be sure to keep the certificate and password safe for later use and reference.
  7. The Keychain Access application will prompt you for the login password or selected keychain. Enter the password and then click OK. The saved certificate is now ready for use with the XenMobile server.

    Note: If you don't plan to keep and preserve the computer and user account that you originally used to generate the CSR and complete the certificate export process, Citrix recommends that you save or export the private and public keys from the local system. Otherwise, you lose access to the APNs certificate for reuse and have to repeat the entire CSR and APNs process.

To create a .pfx APNs certificate by using OpenSSL

After you use OpenSSL to create a Certificate Signing Request (CSR), you can also use OpenSSL to create a .pfx APNs certificate.

  1. At a command prompt or shell, execute the following command.

    openssl pkcs12 -export -in MDM_Zenprise_Certificate.pem -inkey Customer.key.pem -out apns_identity.p12

  2. Enter a password for the .pfx certificate file. Remember this password because you need to use the password again when you upload the certificate to XenMobile.
  3. Note the location for the .pfx certificate file and then copy the file to the XenMobile server, so you can use the XenMobile console to upload the file.
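The two OpenSSL steps above (the CSR in "To create a CSR by using OpenSSL" and the .pfx export here) are easy to get wrong when the export is run with a key other than the one behind the CSR. The following script is an added example, not part of the Citrix documentation: it runs both steps unattended with the page's file names and DN values, then checks that the exported PKCS #12 bundle really carries the public key of the CSR's private key and reports the bundled certificate's expiry date. Because Apple's signed certificate cannot be obtained offline, a constructed self-signed certificate stands in for MDM_Zenprise_Certificate.pem; the export password is likewise a constructed value.

```shell
#!/bin/sh
# Added example (not from the Citrix page): runs the page's OpenSSL CSR and
# PKCS #12 steps unattended, then checks that the exported bundle really holds
# the certificate matching the CSR's private key and reports its expiry.
# Assumption: Apple's signed certificate cannot be fetched offline, so a
# constructed self-signed certificate stands in for MDM_Zenprise_Certificate.pem.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
KEY="$WORK/Customer.key.pem"
CSR="$WORK/CompanyAPNScertificate.csr"
CERT="$WORK/MDM_Zenprise_Certificate.pem"
P12="$WORK/apns_identity.p12"
P12PASS="constructed-export-password"   # the password XenMobile asks for on import

# Page step 1, with the DN passed via -subj instead of the interactive prompts;
# -nodes leaves the key unencrypted so the script needs no passphrase prompt.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$KEY" -out "$CSR" \
    -subj "/C=US/ST=CA/L=RWC/O=Customer/OU=Marketing/CN=John Doe" 2>/dev/null
  openssl req -in "$CSR" -noout -verify >/dev/null 2>&1   # CSR signature check
}

# Constructed stand-in for the .pem Apple returns after the signed CSR is uploaded.
make_stand_in_cert() {
  openssl x509 -req -in "$CSR" -signkey "$KEY" -days 365 -out "$CERT" 2>/dev/null
}

# Page step 4: bundle certificate and private key into the PKCS #12 (.p12/.pfx) file.
make_p12() {
  openssl pkcs12 -export -in "$CERT" -inkey "$KEY" -out "$P12" -passout "pass:$P12PASS"
}

# Succeeds only if the certificate in the bundle carries the public key of the
# key generated for the CSR; a mismatch means the wrong key or machine was used.
p12_matches_key() {
  bundle=$(openssl pkcs12 -in "$P12" -passin "pass:$P12PASS" -nokeys 2>/dev/null \
    | openssl x509 -noout -pubkey | openssl sha256)
  key=$(openssl pkey -in "$KEY" -pubout 2>/dev/null | openssl sha256)
  [ "$bundle" = "$key" ]
}

# notAfter of the bundled certificate, the date to watch before renewal.
p12_not_after() {
  openssl pkcs12 -in "$P12" -passin "pass:$P12PASS" -nokeys 2>/dev/null \
    | openssl x509 -noout -enddate | cut -d= -f2
}

make_csr && make_stand_in_cert && make_p12
p12_matches_key && echo "bundle matches CSR key; expires $(p12_not_after)"
```

Running the same two check functions against a real apns_identity.p12 and Customer.key.pem (with the real export password) confirms the bundle before it is copied to the XenMobile server.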

To import an APNs certificate into XenMobile

After you have requested and received a new APNs certificate, you import the APNs certificate into XenMobile to either add the certificate for the first time or to replace an existing certificate.

  1. Sign on to the XenMobile console as an administrator.
  2. Click Configure > Settings > Certificates.
  3. On the Certificates page, click Import. The Import dialog box appears.
  4. Browse to the .p12 file on your computer.
  5. Enter a password and then click Import.

For more information about certificates in XenMobile, see the Certificates section.

To renew an APNs certificate

To renew an APNs certificate, you need to perform the same steps you would if you were creating a new certificate. Then, you visit the Apple Push Certificates Portal and upload the new certificate. After logging on, you see your existing certificate, or you may see a certificate that was imported from your previous Apple Developer account. On the Certificates Portal, the only difference when renewing the certificate is that you click Renew. You must have a developer account with the Certificates Portal in order to access the site.

Note: To determine when your APNs certificate expires, in the XenMobile console, click Configure > Settings > Certificates. If the certificate is expired, however, do not revoke the certificate.

  1. Generate a CSR using Microsoft Internet Information Services (IIS).
  2. At the XenMobile APNs CSR Signing website, upload the new CSR and then click Sign.
  3. Submit the signed CSR to Apple at Apple Push Certificate Portal.
  4. Click Renew.
  5. Generate a PKCS #12 (.pfx) APNs certificate using Microsoft IIS.
  6. Upload the new APNs certificate to XenMobile in Configure > Settings > Certificates.
  7. In the Import dialog box, import the new certificate.