How to Renew APNs (Apple Push Notifications) Certificate?
This document explains the steps to renew the APNs certificate. Always use a corporate Apple ID rather than a personal one. If the APNs certificate has expired, you can no longer manage the Apple devices, and you have to renew the expired certificate at the earliest to continue managing them. It is recommended that the Apple Push Certificate (APNs) be renewed and uploaded to the Mobile Device Manager Plus server at least a month before it expires, to ensure all devices get the renewed APNs certificate. If the renewal is done only a few days before the APNs expiration, the devices will receive the renewed APNs certificate once they come in contact with the server.
NOTE: If the APNs is revoked, you only have to renew it to continue managing devices. The devices need not be re-enrolled.
- (Not applicable for MDM MSP Cloud)
- Ensure that https://creator.zoho.com is allowlisted on the organization's firewall and any other third-party filter.
- If you're using MDM within Endpoint Central, you can configure and manage the APNs certificate by navigating to Enrollment in the left pane and selecting APNs Certificate under Apple.
There are 3 stages in renewing an APNs certificate.
Checking APNs certificate expiry date
To check the expiry date of the current APNs certificate, follow the steps mentioned below:
- On the MDM server, click the Enrollment tab and select APNs Certificate from the Apple dropdown in the left pane.
- The APNs certificate details are listed here.
- You can check the APNs certificate creation date and time as well as the date and time of expiry.
- The Renew APNs Certificate button appears on the MDM console 3 months before expiry.
- Apple also mails the registered email ID with a reminder, "Your apple push services certificate will no longer be valid in 30 days", before expiry.
It is recommended to carry out the APNs certificate renewal process before the certificate expires to facilitate seamless management of enrolled devices.
Create and sign a CSR
To create a CSR and get it signed by Zoho Corporation, follow the steps mentioned below:
- On the MDM server, click the Enrollment tab and select APNs Certificate from the Apple dropdown in the left pane.
- Click the Renew APNs Certificate button to start the renewal process. The button appears 3 months before your APNs certificate expires.
- Download the Vendor Signed CSR once the signing process is complete.
Renew and Upload APNs
Upload the Signed CSR to the Apple Push Certificates (APNs) Portal as mentioned below:
- Sign in to the Apple Push Certificate Portal to renew the APNs certificate. It is recommended to use Safari, Google Chrome, or Firefox while executing the steps below.
- Sign in using the corporate Apple ID and password that you used the previous time while creating the APNs certificate.
- Once logged in, choose Renew Certificate by selecting the certificate based on the expiry date and UID as explained below. Ensure the UID mentioned here is the same as that of the previous APNs certificate, which is about to expire. You can verify this in the Mobile Device Manager Plus MSP server.
- After reading the terms and conditions, click Accept.
- Upload the signed certificate you received from Zoho Corporation.
- A new certificate for managing the Apple devices appears in the portal.
- Download the new Apple signed certificate (MDM_ZOHO_Corporation_Certificate.pem).
- On the MDM server, click Next to upload the APNs certificate you have downloaded from the Apple Push Notification portal.
- Click Upload to complete the renewal process.
Ensure you use the same Apple ID that you used while creating the APNs certificate for the first time; otherwise, you have to re-enroll all the managed mobile devices. If you have generated more than one APNs certificate using the same Apple ID, then you can refer to the image below to identify the appropriate APNs certificate.
You have successfully renewed and uploaded the APNs certificate, so you can continue managing your Apple devices.
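The UID and expiry checks described above can also be run on the certificate files themselves before uploading. This is an added example, not part of the MDM product or the original page: it assumes the openssl command-line tool is installed and that the UID shown in the portal is the UID attribute of the certificate subject. The function names and file arguments are hypothetical, and the 30-day threshold mirrors the one-month recommendation above.

```shell
#!/bin/sh
# Added example: sanity checks on APNs certificate PEM files using openssl.

# Print the UID attribute of the certificate subject (empty if absent).
apns_uid() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -e 's/^subject= *//' \
        | tr ',' '\n' \
        | sed -n 's/^UID=//p' \
        | head -n 1
}

# Succeed only if the certificate stays valid for more than $2 days (default 30).
apns_valid_for() {
    local days="${2:-30}"
    openssl x509 -in "$1" -noout -checkend "$((days * 86400))" >/dev/null
}

# Compare the certificate in use ($1) with the renewed one ($2).
# Prints OK, UID_MISMATCH, EXPIRING or UNREADABLE; non-zero status on failure.
apns_renewal_check() {
    local old="$1"
    local new="$2"
    local old_uid new_uid
    old_uid="$(apns_uid "$old")"
    new_uid="$(apns_uid "$new")"
    if [ -z "$old_uid" ] || [ -z "$new_uid" ]; then
        echo "UNREADABLE"
        return 2
    fi
    # A different UID means this is not a renewal of the same certificate.
    if [ "$old_uid" != "$new_uid" ]; then
        echo "UID_MISMATCH"
        return 1
    fi
    # The renewed certificate should be valid well beyond the next month.
    if ! apns_valid_for "$new" 30; then
        echo "EXPIRING"
        return 1
    fi
    echo "OK"
}

# Usage: sh apns_check.sh <current.pem> <renewed.pem>
if [ "$#" -eq 2 ]; then
    apns_renewal_check "$1" "$2"
fi
```

A UID_MISMATCH result means the certificate selected in the Apple portal was not the one currently in use on the MDM server.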
Migration of APNs certificate from one Apple ID to another
If you cannot remember the login credentials associated with your APNs certificate, or if you prefer to migrate the APNs certificate from one Apple ID to another, you can raise a ticket with Apple Developer Program Support. You can contact Apple Developer Program Support by phone or web with the Certificate Name, UID, Serial Number, Expiry Date, and Old Apple ID (optional), which are readily available on the MDM server.
Changing the E-mail address used for APNs
If the APNs certificate was created using an employee's e-mail address instead of an organization-based e-mail address, it cannot be renewed in the following scenarios:
- If the password is forgotten by the employee
- If the employee has left the organization, and the associated e-mail address has been terminated
Thus, it is ideal to create the APNs certificate using an organization-based e-mail address. To change the e-mail address, follow the steps mentioned below:
- Log into the Apple portal with the Apple ID used for creating APNs. Click on Edit under the Accounts section.
- Click on Change E-mail Address under the Apple ID section. Specify the new E-mail address. This e-mail shouldn't be associated with any other Apple ID.
- Click on Continue and follow the on-screen instructions to change the e-mail.
- Go to the MDM console, click on the Enrollment tab and select APNs certificate, under the Apple section.
- After clicking the Renew APNs button, you'll be shown the Apple ID which was used to create the APNs.
- Click on the link Change my Apple ID, which is present adjacent to the Apple ID. Follow the on-screen instructions and update the Apple ID.