
APNs Certificate Creation & Renewal on Windows Computers

Description

Apple Mobile Device Management (MDM) requires an Apple Push Notification service (APNs) certificate, renewable yearly.

APNs Expiry
If APNs certificates are allowed to expire, all MDM communication will be lost, until renewed.

This guide explains how to create and renew the Apple Push Notification Service (APNS) certificate for FileWave on Windows computers using OpenSSL. You will generate a Certificate Signing Request (CSR), have it signed by FileWave, upload it to Apple, and then convert it to a format FileWave can import.

APNs Topic
An APNs certificate has a unique topic, in the form of a hexadecimal string, and belongs to the Apple ID used to create the certificate. When renewing, the topic must match to ensure devices continue to communicate with the server. As such, not only must the same Apple ID be used when renewing an APNs certificate, but the current certificate must also be selected for renewal.

Prerequisites

  • Access to the Apple Push Certificates Portal (https://identity.apple.com/pushcert/)
  • A valid Apple Business/School Manager account or Apple ID
  • Access to the FileWave Central console
  • OpenSSL for Windows installed: https://slproweb.com/products/Win32OpenSSL.html
      • Download the full version (not the light version, as it needs configuration files)

Administrator Access
All cmd.exe commands in this guide must be run as an Administrator.

Step-By-Step Guide

Step 1: Generate CSR (Certificate Signing Request)

1. Open cmd.exe as an Administrator
2. Create a CSR by entering the following command. This will create two new files on the Desktop: request.csr and privateKey.key:
"C:\Program Files\OpenSSL-Win64\bin\openssl.exe" req -out "%USERPROFILE%\Desktop\request.csr" -new -newkey rsa:2048 -nodes -keyout "%USERPROFILE%\Desktop\privateKey.key" -config "C:\Program Files\OpenSSL-Win64\bin\cnf\openssl.cnf"

When prompted, enter values for the certificate fields. For Common Name, use a descriptive name like your Apple ID and server name (e.g., company@example.com - FileWave Server). This helps you identify the certificate later.

Common Name
The Common Name you enter will be stored in the Private Key name. Using your Apple ID and server name ensures you can identify which Apple ID created this certificate in the future, which is important when renewing.

Step 2: Sign the CSR with FileWave

Before the CSR can be uploaded to Apple, it must be signed by FileWave.

1. Navigate to https://csr.filewave.com/list_csr and log in with your FileWave account
2. Upload the request.csr file you created in Step 1
3. Under Download signed CSR, your uploaded CSR should now appear as signed
4. Download this signed CSR; this is the file you will upload to Apple in the next step
5. Store the file in a secure location

Step 3: Upload the signed FileWave CSR to Apple

If you are renewing a certificate, skip to Renewing an existing certificate below.

Creating a new certificate
1. Go to the Apple Push Certificates Portal: https://identity.apple.com/pushcert/
2. Sign in with an Apple ID. This Apple ID will own the certificate and is required for every renewal (⚠️ do not use a personal Apple ID; use a generic business or institution Apple ID for long-term use)
3. Click Create
4. Accept Apple's Terms of Use
5. Click Choose File and upload the signed FileWave CSR from Step 2
6. Click Upload; Apple will confirm the request
7. Download the issued APNS certificate (.pem or .cer) and store it securely

Renewing an existing certificate
1. Go to https://identity.apple.com/pushcert/ and log in with the same Apple ID that owns the certificate
2. Locate the certificate to renew and click the info (i) button to view certificate details, including the Topic
3. Compare this Topic with the 'Current Certificate' in FileWave Admin > Preferences > Mobile > Apple Push Notification Certificate

Topic Mismatch
If the Topics do not match, do not continue. If the correct certificate is not in the list on Apple's website, you are using the wrong Apple ID. You can identify the correct Apple ID by reviewing the Private Key name from the original CSR (which should contain your Apple ID).

4. Click Renew
5. Upload the signed FileWave CSR from Step 2
6. Click Upload and Apple will confirm the request
7. Download the renewed APNS certificate (.pem or .cer) and store it securely

Step 4: Create a .p12 file from the Signed Certificate

1. Open cmd.exe as an Administrator
2. Create a .p12 file by entering the following command. Replace the file paths if necessary, and note that MDM_FileWave.pem is an example; use your actual downloaded certificate filename:
"C:\Program Files\OpenSSL-Win64\bin\openssl.exe" pkcs12 -export -in "%USERPROFILE%\Downloads\MDM_FileWave.pem" -inkey "%USERPROFILE%\Desktop\privateKey.key" -out "%USERPROFILE%\Desktop\push_cert.p12" -name fw-apns
3. When prompted for the Export Password, leave it blank and press Enter

Path Issues
If the command errors when creating the .p12 file, replace the %USERPROFILE% variable with the full file path (e.g., C:\Users\YourUsername\).

4. Verify the certificate was created correctly by running:
"C:\Program Files\OpenSSL-Win64\bin\openssl.exe" pkcs12 -info -in "%USERPROFILE%\Desktop\push_cert.p12"

This will display certificate details. Confirm that the Common Name matches the value you entered in Step 1, and that the Topic matches the value from Apple.

Common Name and Topic
The Private Key name will display the Common Name you entered when creating the CSR. The certificate name is the same as the Topic. Both should match the certificate you created or renewed at Apple.
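The PowerShell script below is an added example, not part of the original FileWave guide. Before the import in Step 5 it checks that the PEM certificate downloaded from Apple belongs to privateKey.key, that its subject contains the expected Topic, and how long it remains valid, then restricts the unencrypted key and the password-less .p12 to the current user. The file names follow this guide's examples and $ExpectedTopic is a placeholder for the Topic shown in FileWave Admin or the Apple portal; run it in an elevated PowerShell window rather than cmd.exe.

```powershell
# Added example (not FileWave's own tooling): checks on the files from Steps 1-4.
# File names follow this guide's examples; $ExpectedTopic is a placeholder.
$OpenSsl       = 'C:\Program Files\OpenSSL-Win64\bin\openssl.exe'
$Cert          = "$env:USERPROFILE\Downloads\MDM_FileWave.pem"   # example name from Step 4
$Key           = "$env:USERPROFILE\Desktop\privateKey.key"
$P12           = "$env:USERPROFILE\Desktop\push_cert.p12"
$ExpectedTopic = 'PASTE-TOPIC-FROM-FILEWAVE-ADMIN'                # placeholder
$WarnDays      = 30

function Invoke-OpenSsl {
    # Run openssl with the given arguments; return stdout as one trimmed string.
    $out = & $OpenSsl @args
    if ($LASTEXITCODE -ne 0) { throw "openssl $($args -join ' ') exited with $LASTEXITCODE" }
    return ($out -join "`n").Trim()
}

# 1. The certificate must carry the public key of privateKey.key. A mismatch
#    means the CSR uploaded to Apple came from a different key pair.
$certPub = Invoke-OpenSsl x509 -in $Cert -noout -pubkey
$keyPub  = Invoke-OpenSsl pkey -in $Key -pubout
if ($certPub -ne $keyPub) { throw 'Certificate and private key do not belong together.' }

# 2. The Topic is part of the certificate subject. On renewal it must equal the
#    Topic of the certificate currently shown in FileWave Admin.
$subject = Invoke-OpenSsl x509 -in $Cert -noout -subject
if (-not $subject.Contains($ExpectedTopic)) {
    throw "Topic mismatch, do not import. Subject is: $subject"
}

# 3. Report the expiry date and warn when it is closer than $WarnDays days.
Write-Output (Invoke-OpenSsl x509 -in $Cert -noout -enddate)
& $OpenSsl x509 -in $Cert -noout -checkend ($WarnDays * 86400) | Out-Null
if ($LASTEXITCODE -ne 0) { Write-Warning "Certificate expires within $WarnDays days." }

# 4. privateKey.key was written unencrypted (-nodes) and the .p12 has a blank
#    export password, so restrict both files to the current user.
foreach ($file in $Key, $P12) {
    if (Test-Path $file) { icacls $file /inheritance:r /grant:r "$($env:USERNAME):F" | Out-Null }
}
Write-Output 'Key pair, Topic and expiry checks passed.'
```

The expiry check in part 3 can also be scheduled on its own against the stored certificate as a second reminder alongside the FileWave alert.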

Step 5: Import the certificate into FileWave

1. Launch FileWave Admin and log in to your FileWave server
2. Open the FileWave Admin Preferences
3. Select the Mobile tab
4. Click Browse and navigate to the push_cert.p12 file you created in Step 4
5. Select the file and click Upload APN Certificate/Key Pair
6. Verify that the Topic displayed matches the topic from Apple
7. Click OK to save and close the Preferences dialog

That is it! FileWave may now manage Apple devices using Apple's Push Notification Service.

Step 6: Verification

1. Test whether new or existing MDM clients correctly connect to the APNS service
2. Check the logs in FileWave Admin to ensure there are no certificate errors

APNs certificates require yearly renewals. Through FileWave Admin > Dashboard > Alert Settings, you can configure automated email reminders. Consider enabling the 'APN for MDM' alert. Note: this requires the Email preferences in Admin to be configured.

Contact Apple for help

If you forgot the email tied to your Apple Push Notification certificate, you may reach out to Apple for assistance:

Contact Apple for help with APN

Related articles
  • APNs Certificate Creation & Renewal on macOS Computers (XCA)
  • APNs Certificate Creation & Renewal on macOS Computers (Keychain)