APNS certificate updating

So you’re having a good time being all snarky at your pet web developer because all of a sudden the APNS-dependent functionality isn’t working in your Big Secret Project, and you paste into “their” bug the error listing you didn’t bother to actually read, and they pull you up short with

The warning is perfectly clear:

certificate expired

The certs you created to connect to Apple’s APNS network expired. We need new PEM files. Preferably ones with longer durations than 3 months.

Oh, snap. Right then, since we’ve completely forgotten what the process was to get that set up in the first place, let’s walk through the replacement together so it’s here next time we need to know, shall we?

1. Examine your push services certs in Keychain Access.


Yes. Yes, that certainly is expired, our unfairly maligned web developer is quite correct. So we need to fix that with a non-expired one and then get it out to their server.

2. Go log in as the agent for this project to the Provisioning Portal. Find the App ID of the project in question. Click “Configure.”


So there’s a button “Generate a new Production Push SSL Certificate before your current one expires”, but nothing of the sort for the development cert, which is the one that has indeed expired. OK, guess we revoke it and issue a new one then. We do that with the certificate signing request we keep saved to disk for all the various times we need to sign things; it generates, and we’re prompted to download the new “aps_developer_identity.cer” without issue. Back at the screen above, the expiry date now shows as Sep 21, 2010. Apparently there is a hard three-month limit. Bah.

3. Double-click the downloaded cert, and Keychain Access loads it; the key is there, looks good. Delete the expired certificate, which is still there and named identically to the new one: Keychain Access apparently isn’t smart enough to remove obsolete ones for you.

And from here on it should be the same as installing one’s cert from scratch on the server as discussed in links elsewhere, but let’s set them out again here in case those references disappear on us:

4. Right-click the new cert and export it as “apns-dev-cert.p12”; then right-click the new cert’s private key and export it as “apns-dev-key.p12”.

5. Convert to PEM files in the Terminal with

openssl pkcs12 -clcerts -nokeys -out apns-dev-cert.pem -in apns-dev-cert.p12

openssl pkcs12 -nocerts -out apns-dev-key.pem -in apns-dev-key.p12

6. Remove the passphrase (your server won’t like it, as we found out setting this up the first time; note that the resulting key file is unencrypted, so don’t leave it lying around) with

openssl rsa -in apns-dev-key.pem -out apns-dev-key-noenc.pem

7. Combine them with

cat apns-dev-cert.pem apns-dev-key-noenc.pem > apns-dev.pem

8. With your newfound humility request that your web developer take that combined file and replace their current expired one, and …

wait with crossed fingers and bated breath

… everything starts magically working again. Ex-cellent.

So the lesson here, Dear Readers, is watch those APNS cert expiry dates, as apparently you can’t count on getting reminded of their expiry.
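Since nobody reminds you, here is a small POSIX shell script, added here and not part of the original post, that checks how long the combined PEM from step 7 has left before it expires and can also run steps 5 to 7 in one go. File names are the ones used above; the 14-day warning threshold is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post: check how many days an APNS PEM
# (the combined apns-dev.pem from step 7, or just the cert) has left before
# it expires, and optionally run steps 5-7 in one go. File names are the ones
# used above; the 14-day warning threshold is an assumption.

WARN_DAYS="${WARN_DAYS:-14}"

# apns_expiry_check FILE [DAYS]
# Exit 0 if the certificate in FILE is still valid DAYS days from now,
# 1 if it expires sooner (or already has), 2 if FILE holds no certificate.
apns_expiry_check() {
    file="$1"
    days="${2:-$WARN_DAYS}"
    not_after=$(openssl x509 -in "$file" -noout -enddate 2>/dev/null | sed 's/^notAfter=//')
    if [ -z "$not_after" ]; then
        echo "$file: no certificate found" >&2
        return 2
    fi
    # -checkend takes seconds and exits 0 while the cert is still valid at that point
    if openssl x509 -in "$file" -noout -checkend $((days * 86400)) >/dev/null; then
        echo "$file: ok, valid until $not_after"
        return 0
    fi
    echo "$file: WARNING, expires (or has expired) within $days days: $not_after" >&2
    return 1
}

# apns_build_pem CERT_P12 KEY_P12 OUT_PEM
# Steps 5 to 7 of the walkthrough: extract cert and key from the Keychain
# exports, strip the key passphrase, concatenate, then check the expiry.
# openssl prompts for the .p12 passwords just as the original commands do.
apns_build_pem() {
    cert_p12="$1"; key_p12="$2"; out="$3"; base="${out%.pem}"
    openssl pkcs12 -clcerts -nokeys -in "$cert_p12" -out "$base-cert.pem" || return 1
    openssl pkcs12 -nocerts -in "$key_p12" -out "$base-key.pem" || return 1
    openssl rsa -in "$base-key.pem" -out "$base-key-noenc.pem" || return 1
    cat "$base-cert.pem" "$base-key-noenc.pem" > "$out"
    # the key is now unencrypted: keep it readable by the owner only
    chmod 600 "$out" "$base-key-noenc.pem"
    apns_expiry_check "$out"
}

# Usage: sh apns-check.sh apns-dev.pem   (e.g. from a weekly cron job)
if [ $# -gt 0 ]; then
    apns_expiry_check "$@"
fi
```

Run it from cron against the PEM your server actually loads; a non-zero exit a couple of weeks ahead of Apple’s three-month deadline is the reminder the portal never sends.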

That, and don’t call out your friendly web developer unless you’re sure that the problem is actually not completely your fault. We’ll have to work on that one, yes.


Alex | June 23, 2010
  • pposthoorn January 3, 2012 at 3:58 pm
    Thank you very much for this clear (and fun) walkthrough! Client was complaining that push services stopped working. First search on google brought me to this article and it was fixed in no time :D