
Apple Push Notification service server certificate update #236

Open

bmueller opened this issue Oct 17, 2024 · 2 comments

Comments

@bmueller

Apple just posted this story saying that the Certification Authority for APNs is changing. What do we need to do in order to make sure we have the correct certificate installed? I am running my push notification server on Heroku.

@neilmorton
Contributor

neilmorton commented Oct 18, 2024

Hi @bmueller.

I saw this too. It seems Apple are changing the server certificates again.

As a result, we need to ensure that our push notification server Trust Stores include the new server certificate to prevent push notification delivery issues when the change occurs next year.

My understanding is that this means ensuring that SHA-2 Root : USERTrust RSA Certification Authority is included in your Trust Store (/etc/ssl/certs/ on linux).

e.g. USERTrust_RSA_Certification_Authority.pem -> /usr/share/ca-certificates/mozilla/USERTrust_RSA_Certification_Authority.crt

It is possible to verify certificates using `openssl s_client -connect gateway.push.apple.com:2195 -CApath /etc/ssl/certs/`, although as Apple are not yet using the new cert, it should pass based on the existing certificate, the Apple Worldwide Developer Relations (WWDR) Intermediate Certificate.

When I try to verify with `openssl s_client -connect gateway.push.apple.com:2195 -CAfile /usr/share/ca-certificates/mozilla/USERTrust_RSA_Certification_Authority.crt` I get a verification error, `Verification error: unable to get local issuer certificate`, which I believe is because Apple are still using the current certificate until next year.

In short, I believe that if you make sure that the SHA-2 Root : USERTrust RSA Certification Authority is in your Trust Store, you should be good.

I will, however, be testing it on Sandbox on/after 20th January 2025 to make sure.
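An added example (not code from the thread or from the apns2 project) that does in Python what the comment above describes: list the CAs in the local trust store, check that the USERTrust RSA root is among them, and handshake with the APNs host named in the thread to see which issuer is actually presented. The function names and the fallback bundle path `/etc/ssl/certs/ca-certificates.crt` are my assumptions.

```python
import os
import socket
import ssl

REQUIRED_CA = "USERTrust RSA Certification Authority"  # root named in the thread

def name_field(name, key="commonName"):
    """Pull one attribute out of an X.509 name in the ssl module's tuple-of-RDNs form."""
    for rdn in name:
        for k, v in rdn:
            if k == key:
                return v
    return None

def default_bundle():
    """OpenSSL's configured PEM bundle, else the Debian/Ubuntu path (assumed), else None.
    A single bundle file is needed: certs in a hashed capath such as /etc/ssl/certs/
    load lazily and would not appear in get_ca_certs() before a handshake."""
    for candidate in (ssl.get_default_verify_paths().cafile, "/etc/ssl/certs/ca-certificates.crt"):
        if candidate and os.path.isfile(candidate):
            return candidate
    return None

def trusted_ca_names(cafile=None):
    """Sorted subject CNs of every CA in cafile (the system bundle when None)."""
    ctx = ssl.create_default_context(cafile=cafile or default_bundle())
    return sorted({cn for cn in (name_field(c.get("subject", ())) for c in ctx.get_ca_certs()) if cn})

def has_required_ca(ca_names, required=REQUIRED_CA):
    """True when the store already holds the root APNs is moving to."""
    return required in ca_names

def check_apns_chain(host="gateway.push.apple.com", port=2195, cafile=None):
    """Handshake with APNs; report the issuer presented and whether it verified.
    A cafile holding only the USERTrust root is expected to fail until Apple cuts
    over, which is the 'unable to get local issuer certificate' seen in the thread."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=10) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return {"verified": True, "issuer": name_field(tls.getpeercert()["issuer"])}
    except ssl.SSLCertVerificationError as exc:  # must precede OSError (its base class)
        return {"verified": False, "issuer": None, "error": exc.verify_message}
    except OSError as exc:  # DNS/TCP failure, e.g. when run offline
        return {"verified": False, "issuer": None, "error": str(exc)}

if __name__ == "__main__":
    print("USERTrust RSA root in trust store:", has_required_ca(trusted_ca_names()))
    print("APNs handshake:", check_apns_chain())
```

Run it once against the system bundle and once with `cafile` pointing at only the USERTrust PEM; the second run reproduces the verification error described above until Apple switches chains.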

@bmueller
Author

bmueller commented Oct 18, 2024

Thanks for the detailed reply, @neilmorton! If I'm using Heroku to host my apns2 server, would they be the ones in charge of changing the certificate on their end? I don't remember adding a certificate for this when I first set up the server, but I might be remembering wrong.
