APNs SSL certificate

Get and configure an SSL certificate to establish secure connections to the Apple Push Notification service.

Basics

The Apple Push Notification Certificate identifies the push notification service for a given mobile app. This certificate will be created from an App ID (a.k.a. Bundle ID) and is used by the APNs system to dispatch the notification message to the registered devices.

You can create two types of APNs certificates for a given App ID:
  • Sandbox (for development and test purposes)
  • Production (for deployment)

An APNs push notification provider or an APNs feedback handler needs to establish a secure connection to Apple's APNs server.

Get an APNs certificate for your app

In this section we will produce the myapp.cer file and myapp-key.p12 file.

To create an Apple Push Notification Certificate:

  1. Log in to Apple's Member Center with your iOS developer or enterprise account,
  2. Select Certificates, Identifiers & Profiles,
  3. Under Certificates, select the + symbol,
  4. Select Apple Push Notification service SSL (Sandbox) for development, or Apple Push Notification service SSL (Production) for production,
  5. Choose the explicit App ID you want to use for push notifications. Verify beforehand that you have enabled the Push Notification Service for this App ID (go to the App IDs section and edit your App ID),
  6. Follow the instructions on the page to create a CSR file then click Continue,
  7. Your certificate request is now available. Now you can go back to the Development Certificate section still active in your browser and click Choose file,
  8. Navigate to the file you just saved and choose that file,
  9. Click Generate,
  10. Once the certificate is generated, click Download. The certificate will download into your Downloads folder as a .cer file (for example: myapp.cer).
  11. Double-click this file to install it into Keychain,
  12. When done, your new certificate should be listed in the Certificates list,
  13. Open the Keychain app, locate the certificate you created, and export the private key in .p12 format (for example: myapp-key.p12). Note that you will be asked for a password to encrypt the .p12 file, and for your session password, to export Keychain files.

Configure Genero to use the APNs certificate

On the Genero push provider server, you will need the public certificate (myapp.crt file) and the private key (myapp-key.pem file) for your app. These files will be referenced in the security.global.certificate and security.global.privatekey entries of FGLPROFILE.

In order to authenticate the APNs server, you will also need the root certificate authority (apple_entrust_root_certification_authority.pem), that can be downloaded from Apple's web site. This file will be referenced by the security.global.ca entry in FGLPROFILE.
Note: When executing on a Mac, the root certificate (security.global.ca entry) is not required: the Web Services library reads the Keystore of the Mac computer to authenticate the APNs server.

Create the myapp.crt file (public certificate) from the myapp.cer file, with the openssl x509 command:

$ openssl x509 -in myapp.cer -inform der -out myapp.crt

Convert the myapp-key.p12 file (containing the private key) to the myapp-key.pem format, with the openssl pkcs12 command:

$ openssl pkcs12 -nocerts -in myapp-key.p12 -out myapp-key.pem

Note: You need to enter the passphrase of the .p12 file so that openssl can read it. Then you need to enter a new passphrase that will be used to encrypt the .pem file.

FGLPROFILE entries require unencrypted private key files, therefore you need to remove the passphrase from the myapp-key.pem file, with the openssl rsa command:

$ openssl rsa -in myapp-key.pem -out myapp-key-noenc.pem

Set up your FGLPROFILE with the appropriate security.* entries:
security.global.ca           = "apple_entrust_root_certification_authority.pem"
security.global.certificate  = "myapp.crt"
security.global.privatekey   = "myapp-key-noenc.pem"
In the above example:
  1. apple_entrust_root_certification_authority.pem is the HTTPS root certificate authenticating the APNs server (if the computer is not a Mac).
  2. myapp.crt is the public certificate for your app.
  3. myapp-key-noenc.pem is the private key for your app.
Note: If you want to keep the private key encrypted, you need to configure a password agent, as described in Using the password agent.
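Added here as an example, not code from the Genero documentation: a POSIX shell script that runs the three openssl conversions above without interactive prompts, then checks that the resulting .crt and .pem files actually belong together and that the key is no longer passphrase-protected, before they are referenced in FGLPROFILE. The helper names apns_convert, apns_key_is_unencrypted and apns_check_pair are this example's own; it assumes the openssl command-line tool is installed.

```bash
#!/bin/sh
# Added example, not part of the Genero documentation: run the conversion
# chain from the page non-interactively and verify the result before
# referencing the files in FGLPROFILE. Helper names are this example's own;
# file names follow the page. Requires the openssl command-line tool.
set -eu

# myapp.cer (DER) -> myapp.crt, myapp-key.p12 -> myapp-key.pem (encrypted)
# -> myapp-key-noenc.pem (clear). $3 is the passphrase of the .p12 file;
# -passin/-passout replace the interactive prompts described on the page.
apns_convert() {
    cer="$1"; p12="$2"; pass="$3"
    openssl x509 -in "$cer" -inform der -out myapp.crt
    openssl pkcs12 -nocerts -in "$p12" -out myapp-key.pem \
        -passin "pass:$pass" -passout "pass:$pass"
    openssl rsa -in myapp-key.pem -out myapp-key-noenc.pem -passin "pass:$pass"
    # The key is now stored in the clear: keep it readable by the owner only.
    chmod 600 myapp-key-noenc.pem
}

# Succeeds only when the key file is not passphrase-protected, which is
# what the security.global.privatekey entry expects.
apns_key_is_unencrypted() {
    ! grep -q "ENCRYPTED" "$1"
}

# Succeeds only when the public key inside the certificate matches the
# private key, i.e. the .crt and .pem files really belong together.
apns_check_pair() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ "$crt_pub" = "$key_pub" ]
}

# Usage, once the files exported from Keychain are in the current directory:
#   apns_convert myapp.cer myapp-key.p12 'p12 passphrase'
#   apns_key_is_unencrypted myapp-key-noenc.pem && \
#   apns_check_pair myapp.crt myapp-key-noenc.pem && echo "ready for FGLPROFILE"
```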