
APNs Certificate Creation & Renewal on macOS Computers (XCA)

Description

Apple Mobile Device Management (MDM) requires an Apple Push Notification service (APNs) certificate, which must be renewed yearly.

APNs Expiry
If the APNs certificate is allowed to expire, all MDM communication is lost until it is renewed.

This guide explains how to create and renew the Apple Push Notification Service (APNS) certificate for FileWave using an online CSR generator and the XCA certificate management tool, instead of the Apple Keychain. The Apple Keychain often causes issues with private key handling on newer macOS versions, so this method provides a more reliable alternative. You may use any online CSR generator (for example ssl.com); it does not have to be ssl.com specifically.

APNs Topic
An APNs certificate has a unique topic, in the form of a hexadecimal string, and belongs to the Apple ID used to create the certificate.  When renewing, the topic must match to ensure devices continue to communicate with the server.  As such, not only must the same Apple ID be used when renewing an APNs certificate, but the current certificate must also be selected for renewal.

Step-By-Step Guide

Prerequisites

  • Access to the Apple Push Certificates Portal (https://identity.apple.com/pushcert/).
  • A valid Apple Business/School Manager account or Apple ID.
  • Access to the FileWave Admin console.
  • Installed XCA tool.

Step 1: Generate a Certificate Signing Request (CSR)

  1. Open the CSR generator at ssl.com (or any other online CSR generator).
  2. Enter the required details:
    • Common Name (CN): e.g. FileWave APNS. Including the Apple ID and server name here records which Apple ID owns the certificate; that Apple ID is needed for every renewal.
    • Organization (O): your company or school name
    • Organizational Unit (OU): optional, e.g. IT Department
    • Country (C): two-letter ISO code (e.g. DE)
  3. Generate the CSR and download the files:
    • CSR file (.csr)
    • Private Key (.key)
  4. Store the files in a secure location. Consider subdividing it by date or year, e.g. a folder named 'MDM APNs certificates 2020'.

⚠️ Keep the .key file safe – you will need it later in XCA.
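Added example, not part of the FileWave article: the same key pair and CSR can be produced locally with openssl, so the private key is created on your own machine rather than by a third-party web form. The subject fields follow Step 1; the Apple ID, server name and output directory are constructed placeholders, and openssl must be on the PATH.

```shell
#!/bin/sh
# Added example, not part of the FileWave article: generate the APNs private key
# and CSR locally with openssl (the Step 1 fields, without a web form). All values
# used below are constructed placeholders.
set -eu

# gen_apns_csr OUTDIR CN O OU C   (OU may be empty, as the article marks it optional)
# Writes OUTDIR/apns.key (2048-bit RSA, unencrypted, owner-only permissions) and
# OUTDIR/apns.csr, cross-checks the pair and prints the CSR subject for review.
gen_apns_csr() {
  dir=$1; cn=$2; org=$3; ou=$4; country=$5
  mkdir -p "$dir"
  # The .key is the secret behind the MDM channel: create it owner-readable only.
  umask 077
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/apns.key" 2>/dev/null
  subj="/CN=$cn/O=$org"
  if [ -n "$ou" ]; then subj="$subj/OU=$ou"; fi
  subj="$subj/C=$country"
  openssl req -new -key "$dir/apns.key" -out "$dir/apns.csr" -subj "$subj"
  # The CSR must verify and its public key must be the one from our private key.
  openssl req -in "$dir/apns.csr" -noout -verify >/dev/null 2>&1
  csr_pub=$(openssl req -in "$dir/apns.csr" -noout -pubkey)
  key_pub=$(openssl pkey -in "$dir/apns.key" -pubout)
  [ "$csr_pub" = "$key_pub" ] || { echo "CSR does not match key" >&2; return 1; }
  openssl req -in "$dir/apns.csr" -noout -subject
}

# Usage: sh gen-apns-csr.sh OUTDIR CN O OU C, for example
#   sh gen-apns-csr.sh "MDM APNs certificates 2024" "mdm@example.com fw.example.com" \
#      "Example School" "IT Department" DE
if [ "$#" -eq 5 ]; then
  gen_apns_csr "$1" "$2" "$3" "$4" "$5"
fi
```

The resulting apns.csr is what you upload to the FileWave signing portal in Step 2, and apns.key is the file XCA imports in Step 4.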

Step 2: Sign the CSR with FileWave

Before the CSR can be uploaded to Apple, it must be signed by FileWave. FileWave provides a portal for this, which requires an active FileWave account.

  1. Navigate to https://csr.filewave.com/ and log in with your FileWave account.
  2. Upload the previously created .csr file.
  3. Under 'Download signed CSR', your uploaded CSR should appear as signed.
  4. Download the signed CSR; this is the file you will upload to Apple in the next step.
  5. Store the file in a secure location alongside the CSR and private key.

Step 3: Upload the signed FileWave CSR to Apple

If you are renewing a certificate, jump to Renewing an existing certificate.

Creating a new certificate

  1. Navigate to the Apple Push Certificates Portal: https://identity.apple.com/pushcert/ and sign in with an Apple ID.

    This Apple ID will own the certificate and is required for every renewal. Do not use a personal Apple ID, to avoid complications if that person leaves the business or institution; use a generic institution Apple ID for long-term use.

  2. Click Create.
  3. Accept Apple's Terms of Use.
  4. Click Choose File and upload the signed FileWave CSR.
  5. Click Upload – Apple will confirm the request.
  6. Download the issued APNS certificate (.pem or .cer) and store it with the other files.

Renewing an existing certificate

  1. Go to https://identity.apple.com/pushcert/ and log in with the same Apple ID that owns the certificate.
  2. Locate the certificate to renew. To confirm it is the right one, compare its Subject DN (Topic) with the current certificate: clicking the 'i' button shows the certificate details, including the Topic. Ensure this matches the 'Current Certificate' shown in FileWave Admin > Preferences > Mobile > Apple Push Notification Certificate.

    If the Topics do not match, do not continue. If the correct certificate is not in the list on Apple's website, you are signed in with the wrong Apple ID. If the Apple ID was included in the Common Name when the original CSR was created (see Step 1), it can be read from that CSR.

  3. Click Renew.
  4. Click Choose File and browse to the signed FileWave CSR from Step 2.
  5. Click Upload; Apple will return a Confirmation.
  6. Click Download and save the renewed APNS certificate (.pem or .cer). Again, consider where this certificate is stored.

Step 4: Import and process the certificate in XCA

  1. First, download XCA for macOS.
  2. Install and start XCA.
  3. Go to Private Keys → Import and select the previously saved .key file from Step 1.
  4. Go to Certificates → Import and load the APNS certificate you downloaded from Apple (.cer/.pem). The imported certificate's name begins with "APSP:" and corresponds to the Topic.
  5. Link the certificate with the corresponding private key in XCA.
  6. Export the certificate as a PKCS #12 (.pfx) file – important: without a password.
  7. After export, rename the .pfx file to .p12 (FileWave requires the .p12 extension).
  8. Again, consider where this file is stored: the .p12 contains the private key and is not password protected.
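Added example, not XCA or FileWave code: the checks Step 4 relies on, done with openssl. It confirms that the certificate Apple issued belongs to the Step 1 private key, prints the Subject DN (Topic) for the renewal comparison, and builds the passwordless .p12 FileWave expects, refusing to bundle a key and certificate that do not match. It assumes PEM input (convert a DER .cer with `openssl x509 -inform DER -outform PEM` first); file names are placeholders and openssl must be on the PATH.

```shell
#!/bin/sh
# Added example, not part of the FileWave article or of XCA: openssl cross-checks
# for the Step 4 import/export. Assumes PEM files; names below are placeholders.
set -eu

# Print the Subject DN of a certificate; the APNs Topic is part of it.
cert_subject() {
  openssl x509 -in "$1" -noout -subject
}

# Return 0 if the certificate's public key is the one belonging to the private key.
key_matches_cert() {
  key=$1; cert=$2
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
  key_pub=$(openssl pkey -in "$key" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# Return 0 if two certificates share a Subject DN, i.e. the same Topic.
# Use this on renewal: the renewed and the current certificate must agree.
same_topic() {
  [ "$(cert_subject "$1")" = "$(cert_subject "$2")" ]
}

# Bundle key + certificate as PKCS#12 with an empty password (FileWave requirement),
# written straight to a .p12 name with owner-only permissions, then parsed back.
# Refuses to bundle a key/certificate pair that does not belong together.
export_p12() {
  key=$1; cert=$2; out=$3
  key_matches_cert "$key" "$cert" || { echo "refusing: key does not match cert" >&2; return 1; }
  umask 077
  openssl pkcs12 -export -inkey "$key" -in "$cert" -out "$out" -passout pass:
  # Re-open with the empty password to make sure the bundle is readable as exported.
  openssl pkcs12 -in "$out" -noout -passin pass:
}

# Usage: sh apns-p12-check.sh apns.key apns-from-apple.pem apns.p12
if [ "$#" -eq 3 ]; then
  cert_subject "$2"
  export_p12 "$1" "$2" "$3"
fi
```

On a renewal, run same_topic against the renewed and the currently installed certificate before replacing anything; a mismatch means the wrong certificate (or wrong Apple ID) was renewed.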

Step 5: Import the certificate into FileWave

  1. Open the FileWave Admin and log in to the FileWave server.
  2. Go to Preferences → Mobile.
  3. Click Browse, select the .p12 file you exported from XCA and click 'Upload APN Certificate/Key Pair'. Leave the password blank.
  4. When renewing, the Topic shown should match the previous Topic.
  5. Save the settings by clicking OK to close the preferences dialog.

Step 6: Verification

  • Test whether new or existing MDM clients correctly connect to the APNS service.
  • Check the logs in FileWave Admin and ensure there are no certificate errors.

That is it! FileWave may now manage Apple devices using Apple's Push Notification Service.

APNs certificates require yearly renewal. Through FileWave Admin > Dashboard > Alert Settings, automated reminder emails may be configured; consider adding 'APN for MDM'. Note that this requires the Email preferences in Admin to be configured.

Contact Apple for help

If you forgot the email tied to your Apple Push Notification certificate, you may reach out to Apple for assistance:

Contact Apple for help with APN