Is there anyone out there who knows if it's possible to use 1 production SSL push notification certificate for multiple apps?
No, you need one per app-id.
No, Each App ID is required to have its own client SSL certificate.
For more information Check Apple Guide
The client SSL certificate that is generated is a universal
certificate that allows your app to connect to both the development
and production environments.
Not use as a wildcard AppId because...
You can create only one
explicit App ID that matches your bundle ID. Therefore, if Xcode
created an explicit App ID for you—for example, when you added another
capability that requires an explicit App ID—you should use it;
otherwise, you create an explicit App ID that matches your bundle ID.
You then generate and download a corresponding client SSL
certificate—this step fully enables push notifications—and refresh
provisioning profiles in Xcode. Later, you install the client SSL
certificate and key on your server.
Related
My application implements SSLPining with leaf certificate. And it's about to expire.
I researched and got the answer:
Some time before the certificate expires, release a new version of your app with a replacement cert in the pin list, as well as the original cert
How can i add both replacement cert and original cert to my project?
I just need to add a new certificate with any name and Will Alamofire go through all the certificate files I declare and if any match will it allow the connection?
Thanks
Yes, that will work. Alamofire's PinnedCertificatesTrustEvaluator gathers all certificates from the main bundle by default and checks to see whether the certificate received is within that set. So as long as both certificates are within that set, either of them should work.
I am trying to implement APNS for my App. I created APP id and was able to generate an SSL certificate for my App (the type is shown to be APNs development IOS). However, when I try to generate a provisioning profile, following the screen where I choose the AppID of my app, I do not see the SSL certificate I generate for this app. In the certificates list, I only see certificates of type 'IOS development' that were created previously.
The APNs certificate that you created is used by what the documentation refers to as the "APNs Provider" -- In the simplest case, this is your own server that is responsible for keeping track of APNs device tokens and generating APNs Push Payloads that instruct the APNs what message, sound, or badge to deliver to a specific device token. Just as the arrangement of executable code and other assets in your app is secured by a cryptographic signature (via your iPhone Development or iPhone Distribution certificate and associated provisioning profile), communications between your server and the Apple APNs gateway must also be secured to prevent a rogue 3rd party from masquerading as your server and sending spammy push messages to your users. This APNs SSL certificate is used to secure and authenticate your server's connection to the APNs, authorizing it to deliver push payloads to your app on user's devices -- Keep those certificates secure! If anyone gains access to the private key of the SSL certificate then they could send spammy pushes to your app!
Your APNs Provider will need access to the private key for this SSL certificate. Without it, Apple's APNs gateways will reject any and all attempts to connect. Your provider, does not need to have your provisioning profiles -- this APNs certificate is entirely separate than the mechanisms used to code sign an iOS app, that is, the server only needs the server certificate, while the app needs the code signing certificate + provisioning profile. These two items do not intersect and do not exchange data with each other.
It is true that your provisioning profiles (Development, Ad-Hoc Distribution, and App Store Distribution) will need to be reissued, but that is specifically to add the aps-environment entitlement to each of these profiles allowing apps signed with these profiles to connect with the APNs environments. To be absolutely clear, reissuing these profiles does not and should not add your APNs SSL certificate anywhere in the profile...your application code doesn't need to leverage this certificate in any way and would lead to a slight increase in your application's size.
You can check if your current provisioning profiles include the aps-environment entitlement by opening Terminal, copy and pasting the following, taking care to update the path to your specific .mobileprovision:
/usr/libexec/PlistBuddy -c 'Print :Entitlements' /dev/stdin <<< $(security cms -D -i /path/to/your/application.mobileprovision)
This command does two things:
Uses the security tool in OS X to extract the plist content from the .mobileprovision file identified after the -i argument and passes all of this content into...
PlistBuddy printing the entire contents of the Entitlements key to screen.
The output for a basic Development profile that has not been enabled for Push Notifications will resemble the following:
Dict {
get-task-allow = true
com.apple.developer.team-identifier = ABC1DEF2G3
application-identifier = XYZW1ABC2D.com.mycompany.niftyapp
keychain-access-groups = Array {
XYZW1ABC2D.*
}
}
While the output for a basic Ad-Hoc or App Store Distribution that has not been enabled for Push Notifications will resemble:
Dict {
get-task-allow = false
com.apple.developer.team-identifier = ABC1DEF2G3
application-identifier = XYZW1ABC2D.com.mycompany.niftyapp
keychain-access-groups = Array {
XYZW1ABC2D.*
}
}
Now that you have the APNs certificates issued for your app's AppId, you do need to step through and reissue your Development, Ad-Hoc, and Distribution provisioning profiles to add the aps-environment entitlement to each of your profiles.
Navigate to Certificates, Identifiers, and Profiles tool and find one of the profiles associated with this application.
Click the Edit button and walk through each step of the wizard -- you don't have to make any changes to the previously defined settings, you simply need the current profile reissued!
Click the Download button at the end of the wizard.
Drag and drop the updated profile on the Xcode icon on your Dock to install.
If you run that same set of Terminal commands again on these new files (remember to update the path to the new .mobileprovision if necessary!) you'll now see that aps-environment key appear in your App's entitlements:
Dict {
get-task-allow = true
aps-environment = development
com.apple.developer.team-identifier = ABC1DEF2G3
application-identifier = XYZW1ABC2D.com.mycompany.niftyapp
keychain-access-groups = Array {
XYZW1ABC2D.*
}
}
There are two values for this new key:
aps-environment = development -- This will appear only on Development Provisioning Profiles and allows apps signed using iPhone Developer certificates and may only connect with the Sandbox APNs Environment
aps-environment = production -- This will appear only on Distribution Provisioning Profiles (Ad-Hoc or App Store), allowing apps signed using iPhone Distribution certificates to connect with the Production APNs Environment
Depending on which certificate you use to sign a build determines which APNs gateway your app will connect to and fetch a Push token as well as which gateway your app will receive push messages from. One of the most common errors developers make with respect to push notifications is mismatching how the app is signed with how their server is connecting to Apple's APNs gateways:
Apps signed with Development certificates can only successfully negotiate APNs and receive Push Messages when the Provider is also connecting with the Development APNs SSL certificate to the Sandbox APNs gateway and using a sandbox device token in the payloads it generates.
Apps signed with Distribution certificates can only successfully negotiate APNs and receive Push Messages when the Provider is also connecting with the Production APNs SSL certificate to the Production APNs gateway and using a production device token in the payloads it generates.
Give it a shot and let us know how things go!
I am working on an app update and am building this new version completely from scratch. Am now in the process of setting up push notifications in the app.I can see that the app is already configured for push notifications but expiry for production push SSL certificate is Feb, 2012
Does this means that the current version of app on the store wouldn't have working push notifications since the certificate is expired?
And what should be my next step if I want push notifications to work in the new vsersion. Revoke the old one and create new or shall I select Configure option on "Generate a new Production Push SSL certificate before your current one expires"
My only concern is that if the existing app has working push notifications they shouldn't get affected.
Thanks in advance.
This certificate is used on the server side, so if the certificate is expired, then server can't send push messages to Apple servers (probably the server receives an error while trying to connect to Apple servers).
Update:
Answer to the second part of your question, generate new certificate and install it on your server. Try to send test message and be sure that it works. Once you are done with testing revoke the old certificate and remove it from server to avoid confusion in the future.
I am trying to create certificates that will allow me to send push notifications on my device and I am total lost. I have used certificates for BETA and distribution but adding push notification is pain.
When I do create certificates for BETA testing, I do the following steps.
From keychain, Request a certificate from a certificate authority.
In Apple Provisioning Portal under Certificates, create a certificate uploading file keychain file.
Assume APP ID is created perfectly and devices are ready.
In Apple Provisioning Portal under Provisioning, I create a new profile and download mobile provisioning file to add to the XCode organizer.
That above steps works and I can BETA test. Now in order to enable push notification, I have setup server which is tested with push notification and is 100% working. When I configure for push notification, I need to upload keychain file. Is that the same file I uploaded under Certificates? There is a file in return which I double click and it gets added to the keychain, am I doing it right?
If I understand your question correctly, the answer is no, it should not be the same file. I'll explain the entire process in detail and hopefully that will clarify the situation (and what you need to do next).
When you enable push notifications, you need to do four things:
Create a private/public key pair.
Create a certificate signing request (CSR), signed with your private key.
Submit the CSR to Apple and download a signed certificate.
Create a file containing your certificate and private key, for validating each APN request.
Some points:
I recommend you use different keys for development (sandbox) and production APN. You can re-use the keys if you are sending notifications to different apps, but it is safer if you don't re-use keys between development and production.
The file you "submit" to the provisioning portal is the certificate request. You will have one CSR file for each certificate. You will create a two CSR for each app (bundleID); one for development, one for production. The CSR created with your development key should be submitted for development and the CSR created with your production key should be submitted for production.
Note: Keep the CSR files. You don't have to have them, but it will save you some time when you need to re-send the certificate requests.
After submitting your CSRs, you will be able to download the actual certificates. They aren't ready immediately, so give Apple a minute or so and then refresh your browser. The difference between the CSR and a certificate is important: the certificate is signed by Apple; it validates your ability to send push notifications. Download the certificates and load them into your keychain (double clicking is fine).
Note: the certificate is useless without your private key; so you will need to safely export your private key if you switch computers.
Any computer sending an APN request will need both the private key and the certificate. You can export them as a single .p12 file using Keychain Access. (I name mine MyAppCertKey.p12 to indicate that the file contains both the certificate and the key.)
Last, I wrote up a detailed explanation on testing / verifying communication with Apple's servers (from the terminal). It's a little complicated since you need to have some root certificates set up for openssl to validate against; however, it will tell you if you are communicating correctly with the servers, without requiring any work on the receiving app itself.
Couldn't able to connect to APNS Sandbox server
Hope that helps.
In the App ID section of the Program Portal, locate the App ID you wish to use with the Apple Push Notification service. Only App IDs with a specific bundle ID can be used with the APNs. You cannot use a “wild-card” application ID. You must see “Available” under the Apple Push Notification service column to register this App ID and configure a certificate for this App ID.
Click the ‘Configure’ link next to your desired App ID.
In the Configure App ID page, check the Enable Push Notification Services box and click the Configure button. Clicking this button launches the APNs Assistant, which guides you through the next series of steps that create your App ID specific Client SSL certificate.
Download the Client SSL certificate file to your download location. Navigate to that location and double-click the certificate file (which has an extension of cer) to install it in your keychain.
When you are finished, click Done in the APNS Assistant.
Double-clicking the file launches Keychain Access. Make sure you install the certificate in your login keychain on the computer you are using for provider development. The APNs SSL certificate should be installed on your notification server.
When you finish these steps you are returned to the Configure App ID page of the iPhone Dev Center portal. The certificate should be badged with a green circle and the label “Enabled”.
To complete the APNs set-up process, you will need to create a new provisioning profile containing your APNs-enabled App ID.
IS it posssible to do theses steps through code.
No, this completes only the certificate part. you need to implement code in your app and also you need a server(SSL supported).what you have to do after generating certificate is register your device for remote notification.you'll find that how to do this in Remote notification guide.then you'll get device token send the device token to your server and your server will forward the device token+message(you want to show on device) to APNS.APNS will send the notification to the device.also you need to show certificate when sending device token from your server to APNs.read the whole Remote Notifications Guide carefully.