iOS Push Services certificate renewal

A Blog from Mike Irving, Software Developer

iOS Push Services certificate renewal
By Mike Irving - Published: 24/8/2020

If you have received an email, like the one below, entitled "Action Needed: Apple Push Services Certificate Expires in 30 Days", there is no need to panic.

The renewal procedure is actually quite straightforward, and there is no requirement to submit an updated iOS App to Apple.

The process can be thought of in these simple steps

Create a renewed certificate
Download it for future use in Xcode (or Visual Studio for Mac)
Upload it to your Push Services Provider (OneSignal in this case)

OK, to begin, login to the Apple Developer Program with your Developer Account Apple ID.

Go to Certificates, IDs & Profiles and verify the expiring certificate.

Then go to Identifiers and find the correct App ID / Identifier in question (the one for your Application itself), and click on it.

Scroll down to Push Notifications, click Edit, then 'Create Certificate' under 'Production SSL Certificate'.

Next we need a Certificate Signing Request (CSR) file from your Mac

If you already have one, great, you can skip over this section.

Create certificate signing request from Keychain Access in your Mac:

Launch Keychain Access (Find in Finder -> Utilities). Choose Keychain Access, Certificate Assistant, Request a Certificate from a Certificate Authority.
In the Certificate Assistant dialog, enter an email address in the User Email Address field.
In the Common Name field, enter a name for the key
Leave the CA Email Address field empty.
Choose “Saved to disk”, and click Continue and save it in computer.

Find your freshly created, or pre-existing, file.

Go back to Apple developer site and upload the CSR created in above step, then click Continue

Download the generated certificate on your Mac.

Double click on the downloaded cert to install it in Keychain in your Mac.

The certificate should now be visible to Xcode, Visual Studio for Mac (if using Xamarin), or any other development software you are using.

Open Keychain Access -> Certificates -> The new cert and its private key should be listed there.

Export the certificate for your push notification client: Right click on the cert in the Keychain Access-> select "Export Apple Push Certificate : " -> leave the password empty -> save as P12 file.

Find your downloaded p12 file.

The next part of the process is to upload the p12 file into your Push Notification Service Provider. In this case, we will use OneSignal, but the principles of what we are doing here will apply to any other provider.

Click Edit, and browse the P12 file saved earlier.

Remember to tick the "I'd like to replace my production .p12 certificate" box

Refresh your browser, and OneSignal should show the new expiry date.

Complete the process by sending a test message to a test device, and confirming it arrives.

Back over in your Apple Developer account, you can now Revoke the previous (expiring) certificate.

Go Back to Certificates, Identifiers and Profiles, identify the old certificate, and click Revoke.

You might want to pre-warn colleagues with linked Apple Accounts / Email Addresses that Apple will send them a scary sounding "Certificate Revoked" email, but that it is nothing to worry about :)