Updating your Apple Push Notification Service certificates

Just a quick checklist to get up to speed when your APN certificates expire.

1. Login into the Provisioning Portal, click “App IDs” on the left side column
2. Click “Configure” on the App ID of your app
3. Click Revoke for the expired Push SSL certificate
4. Open Keychain Access on your Mac. Click the “My Certificates”, find the expired cert and just delete it.
5. From the Provisioning Portal, start creating a brand new Push SSL certificate. Just follow the instructions.
6. Don’t forget to download the signed cert and double-click it to install it (aps_developer_identity.cer) in your default keychain.
7. Select My Certificates, find the newly created cert, click the disclose triangle. Then:
   • Right-click on the private key entry without selecting the parent, and select Export. A .p12 file will be saved.
   • Right-click on the actual certificate without selecting the child key, and select Export. Another .p12 file will be saved. UPDATE 2017: it looks like you don’t need to do this anymore. The cert file includes a bag with both cert and key, so deploying that should work.
8. If your server requires .pem style certificates, run this:

   $ openssl pkcs12 -in apn_cert.p12 -out apn_cert.pem -nodes
   $ openssl pkcs12 -in apn_key.p12 -out apn_key.pem -nodes

9. Deploy the .pem files in the right location accessible by your application server that will be sending the Push notifications.
10. UPDATE (2015): it seems like each exported files contains both key and certificate now and therefore are identical. I don’t recall that being the case at the time of this writing.

Now push notifications should be up and running once again.

Advertisement