I am new to the APNS certificate thing. My question is: an old developer lost our private key, which we used for several in-house (ad-hoc) applications, and an application we use to push out applications and policies to users. I know that the only way to get the private key is to revoke the certificate and then generate a new one and re-sign all the internal applications and re-deploy with the new cert. My only concern is what happens to the application that uses APNS: does this still use the distribution certificate from our Apple account, or will this not be affected when we revoke the distribution certificate?
The push certificate is not part of the provisioning profile. It has nothing to do with the client (the app), only your server's connection to APNS is affected.
Let's say we have a server only running REST API services, only on HTTPS.
The only consumer of the APIs is a mobile app.
Do we need a certificate from a CA, or is a self-signed certificate enough?
You will need to use a CA certificate. Otherwise, each mobile client will have to manually set your certificate as trusted.
You can potentially embed the certificate as trusted in the mobile app itself (assuming you distribute the app), however it will be a problem when the time comes to renew the certificate, or rekey/replace the certificate for whatever issue.
Using a globally trusted certificate is the way to go.
You can:
Keep a self-signed certificate, but then you have to pin the certificate, and you can't revoke it if the private key is compromised.
Use a homemade certificate authority, but then you have to pin the certificate, and manage the revocation process (maintain an OCSP or CRL).
Use a certificate from a trusted CA, revocation will be checked for you, and if you want additional security, you still can pin the certificate.
In my opinion, the use of a trusted CA is more secure and more simple.
I am implementing a push notification system for one of my apps, so I am following this tutorial and generating an SSL certificate for that.
This app of mine also involves some exchange of data between the app and the server, and I would like it to be SSL protected, so I was wondering about getting an SSL certificate from VeriSign or another company like that.
My question is: is this SSL certificate created for push a regular SSL certificate, so that I can also use it to establish an HTTPS connection to the server (and save the couple hundred dollars it costs to order a third-party certificate)? I don't know much about SSL certificates, but I hope it can be used for that...
This will be amazing!
Since each certificate is tied to a specific domain, I'm not sure how this would work. There is a concept of wildcard certificates, but I still think they have to be for the same domain.
In your case, it sounds like you will have the Apple push certificate, which validates the connection between your server and Apple's push notification server. The other certificate would be to validate/secure the connection between your iOS app and your server. Both of these are assigned a different domain (gateway.sandbox.push.apple.com vs. yourserver.com).
One option you do have depending on how your iOS app is structured is to use a self-signed certificate between your iOS app and your server. I'm guessing the end-user will not be seeing the certificate anyway. This might be a way to save you money before deciding on a third party certificate.
I've visited http://msdn.microsoft.com/en-us/library/ff369721.aspx and it is strongly implied that if you need to renew your code signing certificate, then you will need to re-sign your application and re-publish it. There is no change that happens to the certificate from the side of the CA that extends the lifetime of the certificate. Is this correct?
"There is no change that happens to the certificate from the side of the CA that extends the lifetime of the certificate. Is this correct?"
No.
The validity dates are included in the certificate, so a certificate with a new expiration date is different than your currently expiring one.
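The point in the answer above, and the earlier warning that a certificate embedded as trusted in the app becomes a problem at renewal, can be checked with openssl. This is an added example, not from the original posts: the hostname `api.example.test`, the file names and the validity periods are constructed, and the public-key (SPKI) hash goes beyond what the answers discuss.

```shell
#!/bin/sh
# Constructed demo: one private key, two self-signed certificates that differ
# only in their validity period (a stand-in for "old" and "renewed").
set -eu

# SHA-256 over the whole DER certificate: what a certificate pin stores.
cert_fp() {
    openssl x509 -in "$1" -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
}

# SHA-256 over the SubjectPublicKeyInfo only: what a public-key pin stores.
spki_fp() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -r | cut -d' ' -f1
}

# $1 = work directory. api.example.test is a placeholder hostname.
make_pair() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$1/key.pem" 2>/dev/null
    openssl req -new -x509 -key "$1/key.pem" -subj "/CN=api.example.test" \
        -days 30 -out "$1/old.pem"
    openssl req -new -x509 -key "$1/key.pem" -subj "/CN=api.example.test" \
        -days 365 -out "$1/renewed.pem"
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
make_pair "$work"

for c in old renewed; do
    echo "$c.pem"
    # The expiry date is read out of the certificate itself.
    openssl x509 -in "$work/$c.pem" -noout -enddate
    echo "  certificate hash: $(cert_fp "$work/$c.pem")"
    echo "  public-key hash:  $(spki_fp "$work/$c.pem")"
done
```

The certificate hashes differ because the dates are part of the signed certificate, so an app that pinned the old certificate rejects the renewed one; the public-key hashes match because the key was reused.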
Our production push ssl certificate is going to expire soon. If I generate a new certificate, will the other certificate remain valid until it is set to expire (at which point it must be replaced with the new certificate)?
Will both certificates work at the same time?
Just concerned about the timing. For our app, we host a push server and so do a few of our customers. I want to make sure creating a new certificate and updating our push server with the new certificate doesn't mess up our customers' push servers that will, for a time, still have the old certificate installed.
It seems like you don't invalidate the old certificate...
"You can generate a new certificate without revoking the old one, and
use them simultaneously to ensure they are working before revoking the
old one."
At least according to this post
We have deployed our application with push notifications using a development provision profile. The APNS SSL certificate expires from 3 months, so my client wants to extend its valid period, preferably by several years. Is it possible to get a 3rd-party SSL certificate to connect to APNS?
No, it is not possible. You must generate the certificate through the iOS Provisioning Profile. By the way, you need to deploy your application using a production certificate and not a development certificate.