Apple Push Notification service server certificate update

[bmueller]

Apple just posted this story saying that the Certification Authority for APNs is changing. What do we need to do in order to make sure we have the correct certificate installed? I am running my push notification server on Heroku.

[neilmorton]

Hi @bmueller.

I saw this too. It seems Apple are changing the server certificates again.

As a result we need to ensure that our push notification server Trust Stores include the new server certificate to prevent push notification delivery issues when the change occurs next year.

My understanding is that this means ensuring that SHA-2 Root : USERTrust RSA Certification Authority is included in your Trust Store (/etc/ssl/certs/ on linux).

e.g. USERTrust_RSA_Certification_Authority.pem -> /usr/share/ca-certificates/mozilla/USERTrust_RSA_Certification_Authority.crt

It is possible to verify certificates using openssl s_client -connect gateway.push.apple.com:2195 -CApath /etc/ssl/certs/ although as Apple are not yet using the new cert, it should pass based on existing certificates Apple Worldwide Developer Relations (WWDR) Intermediate Certificate.

When I try to verify with openssl s_client -connect gateway.push.apple.com:2195 -CAfile /usr/share/ca-certificates/mozilla/USERTrust_RSA_Certification_Authority.crt I get a verification error Verification error: unable to get local issuer certificate which I believe is because Apple are still using the current certificate until next year.

In short, I believe that if you make sure that the SHA-2 Root : USERTrust RSA Certification Authority is in your Trust Store, you should be good.

Although I will be testing it on Sandbox on/after 20th January 2025 to make sure.

[bmueller]

Thanks for the detailed reply, @neilmorton ! If I'm using Heroku to host my apns2 server, would they be the ones in charge of changing the certificate on their end? I don't remember adding a certificate for this when I first set up the server, but I might be remembering wrong.

[neilmorton]

Hi @bmueller, I don't use Heroku, but if you open a console on there, can you run openssl version -d to get the configured certificate store (/usr/lib/ssl or /etc/ssl ?) and check the relevant directory to check the certificate is there?

I think you may be able to run something like openssl crl2pkcs7 -nocrl -certfile /etc/ssl/certs/ca-certificates.crt | openssl pkcs7 -print_certs -noout | grep "USERTrust RSA Certification Authority" which should return a couple of lines for subject/issuer if the certificate is installed?

[bmueller]

Thanks for getting back to me, @neilmorton - here's the response from the server after I ran that command:

subject=C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority
issuer=C = US, ST = New Jersey, L = Jersey City, O = The USERTRUST Network, CN = USERTrust RSA Certification Authority

So looks like it's safely installed, then? Appreciate all the help, I'm completely lost when it comes to server-side stuff. I'm more of a front-end person 😝

[neilmorton]

From what I understand, that looks like it should be good @bmueller.

I am going to check with the Sandbox on / after 20th January 2025 to make sure that is working with the new certificate. I will try remember to post an update here with what I see, so you can compare.

Keep up the great work!

[hector-espillco]

What happen if we read the certificate as file and attachment their value in the request, similar to that : cert, err := certificate.FromP12File("../cert.p12", "[password]"). Should we do any change?

[neilmorton]

If I understand you correctly, it sounds like you are referring to your certificate. This is referring to the Apple Certificate Authority. So you would still need to check that the new certificate is on the server.

[hector-espillco]

This part is confused for us. If we created a certificate (Apple Push Notification service SSL) from the developer apple page and copy the certificate as file (not installed that) in our server. Why should we update the Apple Certificate Authority? Considering that we read the certificate as file from an internal api which send the notitification.
Unless that apns2 is using the certification manager of the server internally.

[neilmorton]

As far as I know, the Apple Certificate Authority is needed to validate the chain?

[hector-espillco]

Ok. I understand. In any case, we should wait until on January 20. To start the test in sandbox because the current apple certificate authority is working without problems.

[keremoge]

From what I understand, that looks like it should be good @bmueller.

I am going to check with the Sandbox on / after 20th January 2025 to make sure that is working with the new certificate. I will try remember to post an update here with what I see, so you can compare.

Keep up the great work!

Hi, will the apns2 include the new SHA-2 Root (USERTrust RSA Certification Authority) automatically, or do we need to manually add it to the trust store? If manual addition is required, should the Readme file be updated accordingly?

[bmueller]

I am going to check with the Sandbox on / after 20th January 2025 to make sure that is working with the new certificate. I will try remember to post an update here with what I see, so you can compare.

@neilmorton did you get a chance to check that everything's working with the new certificate?

[neilmorton]

@bmueller I did test it, and can see on my server that the Sandbox is working with the new certificate, albeit it appears that connections to the sandbox seem to be on a round robin of some nature, where I see approximately every other connection using the new certificate, and the others using the old certificate.

My assumption is that Apple have either not updated all servers, or, they are doing it specifically as part of the migration. That said, I have found no useful documentation on this from Apple, but given I am seeing some sandbox connections occur using the new certificate, and when the connections use the new certificate, those connections succeed, I am content that the certificate is on my server, and is used when the connection to Apple requires it.

Given this works in Sandbox, I must assume that it will work for production too. (Production is still the old certificate right now).

My intention is to keep a keen eye on the server on 24th February (although who knows what time), and test again with the production connections, to make 100% sure.