APNs Certificate Creation & Renewal on macOS Computers

Description

Apple Mobile Device Management (MDM) requires an Apple Push Notification service (APNs) certificate; renewable yearly.

APNs Expiry
If APNs certificates are allowed to expire, all MDM communication will be lost, until renewed.

The following guide provides the steps to create and renew an APNs certificate using macOS.  

APNs Topic
An APNs certificate has a unique topic, in the form of a hexadecimal string, and belongs to the Apple ID used to create the certificate.  When renewing, the topic must match to ensure devices continue to communicate with the server.  As such, not only must the same Apple ID be used when renewing an APNs certificate, but the current certificate must also be selected for renewal.

Step-By-Step Guide

Creating the Certificate Signing Request (CSR)

  1. Open Keychain Access, located in: Applications ž> Utilities >ž Keychain Access.app.

  2. Create a CSR. Keychain Access > žCertificate Assistant > žRequest a Certificate from a Certificate Authority... 

    image.png

  3. Enter the AppleID and Server name that you are going to be associating with this certificate in the "Common Name" field.


    Common Name
    Certificate Private Key names are visible in Keychain and the Common Name is used to set the Private Key name.  Supplying the Apple ID and Server as the Common Name, ensures the Apple ID used to generate the certificate will be stored for future reference.


    image.png

  4. Select the radio button "Saved to disk" and click Continue. 

  5. Save the CSR request, ready to upload to FileWave in the next section.

    Certificate Storage
    Consider creating a secure location to store the created certificates and sub divide them using the date or year, e.g folder named: 'MDM APNs certificates 2020'.

Sign the CSR

CSR requests must be signed before uploading to Apple.  FileWave has a portal for this process, which requires an active FileWave account.

  1. Navigate to https://csr.filewave.com/ and login.
  2. Upload the previously created CSR.
  3. 'Download signed CSR' should list this uploaded and now signed CSR. 
  4. Download this newly signed CSR, ready for upload to Apple in the next section.  Again consider where this certificate is stored.