XenMobile

APNs certificates

Important:

Apple support for the APNs legacy binary protocol ends as of March 31, 2021. Apple recommends that you use the HTTP/2-based APNs provider API instead. As of release 10.13.0, XenMobile Server supports the HTTP/2-based API. For more information, see the news update, “Apple Push Notification Service Update” in https://developer.apple.com/. For help with checking connectivity to APNs, see Connectivity checks.

To enroll and manage iOS and macOS devices in XenMobile, you set up an Apple Push Notification service (APNs) certificate from Apple.

Workflow summary: create a Certificate Signing Request (CSR), have Citrix sign it, submit the signed CSR to Apple to obtain the APNs certificate, export the certificate and its private key as a PKCS #12 file, and import that file into XenMobile.

Create a Certificate Signing Request

We recommend that you create a CSR by using Keychain Access on macOS. You can also create a CSR by using Microsoft IIS or OpenSSL.

Important:

  • For the Apple ID used to create the certificate:
    • The Apple ID must be a corporate ID and not a personal ID.
    • Record the Apple ID that you use to create the certificate.
    • To renew your certificate, use the same organization name and Apple ID. Using a different Apple ID to renew the certificate requires device reenrollment.
  • If you accidentally or intentionally revoke the certificate, you lose the ability to manage your devices.

  • If you used the iOS Developer Enterprise Program to create a mobile device manager push certificate: Be sure to handle any actions for the migrated certificates in the Apple Push Certificates Portal.

Create a CSR by using Keychain Access on macOS

  1. On a computer running macOS, under Applications > Utilities, start the Keychain Access app.
  2. Open the Keychain Access menu and then click Certificate Assistant > Request a Certificate From a Certificate Authority.
  3. The Certificate Assistant prompts you to enter the following information:
    • Email Address: Email address of the individual or role account who is responsible for managing the certificate.
    • Common Name: Common name of the individual or role account who is responsible for managing the certificate.
    • CA Email Address: Email address of the Certificate Authority.
  4. Select the Saved to disk and Let me specify key pair information options, and then click Continue.
  5. Enter a name for the CSR file, save the file on your computer, and then click Save.
  6. Specify the key pair information: Select the Key Size of 2048 bits and the RSA algorithm, and then click Continue. The CSR file is ready for you to upload as part of the APNs certificate process.
  7. Click Done when the Certificate Assistant completes the CSR process.
  8. To continue, Sign the CSR.

Create a CSR by using Microsoft IIS

The first step for generating an APNs certificate request is to create a Certificate Signing Request (CSR). For Windows, generate a CSR by using Microsoft IIS.

  1. Open Microsoft IIS.
  2. Double-click the Server Certificates icon for IIS.
  3. In the Server Certificates window, click Create Certificate Request.
  4. Type the appropriate Distinguished Name (DN) information and then click Next.
  5. Select Microsoft RSA SChannel Cryptographic Provider for the Cryptographic Service Provider and 2048 for bit length, and then click Next.
  6. Enter a file name and specify a location to save the CSR, and then click Finish.
  7. To continue, Sign the CSR.

Create a CSR by using OpenSSL

If you can't use a macOS device or Microsoft IIS to generate a CSR, use OpenSSL. You can download and install OpenSSL from the OpenSSL website.

  1. On the computer where you installed OpenSSL, execute the following command from a command prompt or shell (the `-out` option takes a regular hyphen).

    openssl req -new -keyout Customer.key.pem -out CompanyAPNScertificate.csr -newkey rsa:2048

  2. The following message for certificate naming information appears. Enter the information as requested.

    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:US
    State or Province Name (full name) [Some-State]:CA
    Locality Name (eg, city) []:RWC
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:Customer
    Organizational Unit Name (eg, section) []:Marketing
    Common Name (eg, YOUR name) []:John Doe
    Email Address []:john.doe@customer.com
  3. At the next message, enter a password for the CSR private key.

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
  4. To continue, sign the CSR as described in the next section.

Sign the CSR

To use a certificate with XenMobile, submit it to Citrix for signing. Citrix signs the CSR with its mobile device management signing certificate and returns the signed file in a .plist format.

  1. In your browser, go to the Endpoint Management Tools website and then click Request push notification certificate signature.

    Endpoint Management Tools page

  2. On the Creating a new certificate page, click Upload the CSR.

    The Upload CSR option

  3. Browse to and select the certificate.

    The certificate must be in .pem/txt format.

  4. On the Endpoint Management APNs CSR Signing page, click Sign. The CSR is signed and automatically saved to your configured download folder.

  5. To continue, submit the signed CSR as described in the next section.

Submit the signed CSR to Apple to obtain the APNs certificate

After receiving your signed Certificate Signing Request (CSR) from Citrix, submit the CSR to Apple to obtain the APNs certificate needed to import into XenMobile.

Note:

Some users have reported problems logging into the Apple Push Portal. As an alternative, log on to the Apple Developer Portal and then follow these steps:

  1. In a browser, go to the Apple Push Certificates Portal.

  2. Click Create a Certificate.

  3. The first time that you create a certificate with Apple: Select the I have read and agree to these terms and conditions check box, and then click Accept.

  4. Click Choose File, browse to the signed CSR on your computer, and then click Upload. A confirmation message indicates that the upload succeeded.

  5. Click Download to retrieve the .pem certificate.

  6. To continue, complete the CSR and export a PKCS #12 file as described in the next section.

Complete the CSR and export a PKCS #12 file

After you receive the APNs certificate from Apple, return to Keychain Access, Microsoft IIS, or OpenSSL to export the certificate into a PKCS #12 file.

A PKCS #12 file contains the APNs certificate and your private key. PKCS #12 files usually have the extension .pfx or .p12. You can use .pfx and .p12 files interchangeably.

Important:

Citrix recommends that you save or export the private and public keys from the local system. You need the keys to access the APNs certificates for reuse. Without the same keys, your certificate is invalid and you must repeat the entire CSR and APNs process.

Create a PKCS #12 file by using Keychain Access on macOS

Important:

Use the same macOS device for this task that you used to generate the CSR.

  1. On the device, locate the Production identity (.pem) certificate that you received from Apple.

  2. Start the Keychain Access application and navigate to the Login > My Certificates tab. Then drag the Production identity certificate onto the open window.

  3. Click the certificate and expand the left arrow to verify that the certificate includes an associated private key.

  4. To begin exporting the certificate into a PKCS #12 (.pfx) certificate, choose the certificate and private key, right-click, and select Export 2 items.

  5. Give the certificate file a unique name for use with XenMobile. Don’t include space characters in the name. Then, choose a folder location for the saved certificate, select the .pfx file format, and click Save.

  6. Enter a password for exporting the certificate. Citrix recommends that you use a unique, strong password. Also, be sure to keep the certificate and password safe for later use and reference.

  7. The Keychain Access app prompts you for the login password or selected keychain. Type the password, and then click OK. The saved certificate is now ready for use with the XenMobile server.

  8. To continue, see Import an APNs certificate into XenMobile.

Create a PKCS #12 file by using Microsoft IIS

Important:

Use the same IIS server for this task that you used to generate the CSR.

  1. Open Microsoft IIS.

  2. Click the Server Certificates icon.

  3. In the Server Certificates window, click Complete Certificate Request.

  4. Browse to the Certificate.pem file from Apple. Then, type a friendly name or the certificate name and click OK. Don’t include space characters in the name.

  5. Select the certificate that you identified in Step 4, and then click Export.

  6. Specify a location and file name for the .pfx certificate and a password, and then click OK.

    You need the password for the certificate to import it into XenMobile.

  7. Copy the .pfx certificate to the server on which you plan to install XenMobile.

  8. To continue, see Import an APNs certificate into XenMobile.

Create a PKCS #12 file by using OpenSSL

If you use OpenSSL to create a CSR, you can also use OpenSSL to create a .pfx APNs certificate.

  1. At a command prompt or shell, execute the following command. Customer.privatekey.pem is the private key from your CSR. APNs_Certificate.pem is the certificate that you just received from Apple.

    openssl pkcs12 -export -in APNs_Certificate.pem -inkey Customer.privatekey.pem -out apns_identity.pfx

  2. Enter a password for the .pfx certificate file. Remember this password because you use the password again when you upload the certificate to XenMobile.

  3. Note the location for the .pfx certificate file. Then, copy the file to the XenMobile server so you can use the console to upload the file.

  4. To continue, import an APNs certificate into XenMobile as described in the next section.
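The two OpenSSL procedures above (creating the CSR, then exporting the PKCS #12 file) as one non-interactive script. This is an added example, not Citrix's own tooling: the file names, the DN values, and the password are assumptions, and because Apple's signed .pem cannot be fetched offline, a self-signed certificate issued from the same key stands in for it. The script also adds the private-key match check that the "use the same keys" warning calls for, and a scriptable version of reading the certificate's "Valid to" date.

```shell
#!/bin/sh
# Added example, not from the Citrix documentation: the OpenSSL CSR and
# PKCS #12 steps run non-interactively, plus the key/certificate match check.
# Paths, DN values and the password below are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"
KEY="$WORK/Customer.privatekey.pem"
CSR="$WORK/CompanyAPNScertificate.csr"
CERT="$WORK/APNs_Certificate.pem"
PFX="$WORK/apns_identity.pfx"
PFX_PASS="${PFX_PASS:-constructed-example-password}"   # use a unique, strong one for real

# 2048-bit RSA key plus CSR; -subj replaces the interactive DN prompts. -nodes
# leaves the key unencrypted on disk, so protect that file (or omit -nodes).
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$KEY" -out "$CSR" \
    -subj "/C=US/ST=CA/L=RWC/O=Customer/OU=Marketing/CN=John Doe/emailAddress=john.doe@customer.com" \
    >/dev/null 2>&1
  openssl req -in "$CSR" -noout -verify >/dev/null 2>&1   # CSR self-signature is valid
}

# Offline stand-in for the .pem Apple returns: a self-signed certificate issued
# from the same CSR and key. In production, copy Apple's file to $CERT instead.
make_standin_cert() {
  openssl x509 -req -in "$CSR" -signkey "$KEY" -days 365 -out "$CERT" >/dev/null 2>&1
}

# Compare the public key inside the certificate with the one derived from the
# private key. A mismatch means the original key is gone and the whole CSR and
# APNs process must be repeated, exactly the failure the Important note warns about.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$CERT" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  key_pub=$(openssl pkey -in "$KEY" -pubout -outform DER | openssl dgst -sha256)
  [ "$cert_pub" = "$key_pub" ]
}

# Bundle certificate and key into the .pfx that XenMobile imports under Settings > Certificates.
export_pfx() {
  key_matches_cert
  openssl pkcs12 -export -in "$CERT" -inkey "$KEY" -out "$PFX" -passout "pass:$PFX_PASS"
}

# Succeeds only if the certificate inside the .pfx is still valid in $1 days:
# a scriptable check of the "Valid to" field shown in the console.
pfx_valid_for_days() {
  openssl pkcs12 -in "$PFX" -passin "pass:$PFX_PASS" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -checkend "$(( $1 * 86400 ))" >/dev/null
}
```

Run `make_csr`, replace the stand-in with Apple's .pem, then `export_pfx`; `pfx_valid_for_days 30` in a cron job gives early warning before the renewal deadline.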

Import an APNs certificate into XenMobile

After you receive the new APNs certificate: Import the APNs certificate into XenMobile to either add the certificate for the first time or to replace a certificate.

  1. In the XenMobile console, go to Settings > Certificates.

  2. Click Import > Keystore.

  3. From Use as, choose APNs.

  4. Browse to the .pfx or .p12 file on your computer.

  5. Enter a password, and then click Import.

For more information about certificates in XenMobile, see Certificates and Authentication.

Renew an APNs certificate

Important:

If you use a different Apple ID for the renewal process, you must reenroll user devices.

To renew an APNs certificate, perform the steps to create a certificate, then go to the Apple Push Certificates Portal. Use that portal to upload the new certificate. After logging on, your existing certificate or a certificate imported from your previous Apple Developers account appears.

In the Certificates Portal, the only difference when renewing the certificate is that you click Renew. You must have a developer account with the Certificates Portal to access the site. To renew your certificate, use the same organization name and Apple ID.

To determine when your APNs certificate expires, in the XenMobile console, go to Settings > Certificates. If the certificate expires, do not revoke it.

  1. Generate a CSR, using Microsoft IIS, Keychain Access (macOS), or OpenSSL. For more information on generating a CSR, see Create a Certificate Signing Request.

  2. In your browser, go to Endpoint Management Tools. Then, click Request push notification certificate signature.

  3. Click + Upload the CSR.

  4. In the dialog box, navigate to the CSR, click Open, and click Sign.

  5. When you receive a .plist file, save it.

  6. In the step 3 title, click Apple Push Certificates Portal and sign on.

  7. Select the certificate that you want to renew, and then click Renew.

  8. Upload the .plist file. You receive a .pem file as the output. Save the .pem file.

  9. Using that .pem file, complete the CSR (according to the method you used to create the CSR in Step 1).

  10. Export the certificate as a .pfx file.

In the XenMobile console, import the .pfx file and complete the configuration as follows:

  1. Go to Settings > Certificates > Import.
  2. From the Import menu, choose Keystore.
  3. From the Keystore type menu, choose PKCS #12.
  4. From Use as, choose APNs.

    Import certificate dialog box

  5. For Keystore file, click Browse and navigate to the file.
  6. In Password, type the certificate password.
  7. Type an optional Description.
  8. Click Import.

XenMobile redirects you back to the Certificates page. The Name, Status, Valid from, and Valid to fields update.
