Apple push certificate renewal

Certificates

Apple Developer Program membership is required to request, download, and use signing certificates issued by Apple.

Using certificates

In most cases, Xcode is the preferred method to request and install digital certificates. However, to request certificates for services such as Apple Pay, the Apple Push Notification service, Apple Wallet, and Mobile Device Management, you’ll need to request and download them from Certificates, Identifiers & Profiles in your developer account. Distribution certificates can be requested only by Account Holders and Admins.

For more information on how to use signing certificates, review Xcode Help.

Protecting your account and certificates

Your Apple ID, authentication credentials, and related account information and materials (such as Apple Certificates used for distribution or submission to the App Store) are sensitive assets that confirm your identity.

  • Keep your Apple ID and authentication credentials secure and do not share them with anyone. To learn more, see Security and your Apple ID.
  • Do not share Apple Certificates outside of your organization. To learn how to securely share them with trusted team members within your organization, see Maintain Signing Assets in Xcode Help.

Expired or revoked certificates

  • Apple Push Notification Service Certificate
    You can no longer send push notifications to your app.
  • Apple Pay Payment Processing Certificate
    Apple Pay transactions in your apps and on your websites will fail.
  • Apple Pay Merchant Identity Certificate
    Apple Pay transactions on your websites will fail.
  • Pass Type ID Certificate (Wallet)
    If your certificate expires, passes that are already installed on users’ devices will continue to function normally. However, you’ll no longer be able to sign new passes or send updates to existing passes. If your certificate is revoked, your passes will no longer function properly.
  • iOS Distribution Certificate (App Store)
    If your Apple Developer Program membership is valid, your existing apps on the App Store won’t be affected. However, you’ll no longer be able to upload new apps or updates signed with the expired or revoked certificate to the App Store.
  • iOS Distribution Certificate (in-house, internal-use apps)
    Users will no longer be able to run apps that have been signed with this certificate. You must distribute a new version of your app that is signed with a new certificate.
  • Mac App Distribution Certificate and Mac Installer Distribution Certificate (Mac App Store)
    If your Apple Developer Program membership is valid, your existing apps on the Mac App Store won’t be affected. However, you’ll no longer be able to upload new apps or updates signed with the expired or revoked certificate to the Mac App Store.
  • Developer ID Application Certificate (Mac applications)
    If your certificate expires, users can still download, install, and run versions of your Mac applications that were signed with this certificate. However, you’ll need a new certificate to sign updates and new applications. If your certificate is revoked, users will no longer be able to install applications that have been signed with this certificate. If your Mac application utilizes a Developer ID provisioning profile to take advantage of advanced capabilities such as CloudKit and push notifications, you must ensure your Developer ID provisioning profile is valid in order for installed versions of your application to run. Read more.
  • Developer ID Installer Certificate (Mac applications)
    If your certificate expires, users can no longer launch installer packages for your Mac applications that were signed with this certificate. Previously installed apps will continue to run; however, new installations won’t be possible until you have re-signed your installer package with a valid Developer ID Installer certificate. If your certificate is revoked, users will no longer be able to install applications that have been signed with this certificate.
  • Apple Worldwide Developer Relations Certification Intermediate Certificate
    The Apple Worldwide Developer Relations Certificate Authority issues certificates used by developers for signing third-party apps and Safari Extensions, and for using Apple Wallet and Apple Push Notification services.
The current Apple Worldwide Developer Relations Certification Intermediate Certificate is set to expire on February 7, 2023. The renewed certificate will be used to sign new iOS Distribution Certificates issued after September 2, 2020 for the Apple Developer Enterprise Program. Remaining certificates for all program types will be updated in the future and this page will be updated to reflect additional certificate changes. Read more.

Note: Apple can revoke digital certificates at any time at its sole discretion. For more information, read the Apple Developer Program License Agreement in your developer account.

Compromised certificates

If you suspect that your Pass Type ID certificate or Developer ID certificate and private key have been compromised, and would like to request revocation of the certificate, send an email to product-security@apple.com. You can continue to develop and distribute passes by requesting an additional certificate in your developer account.

I received an error message saying, "Xcode could not find a valid private-key/certificate pair for this profile in your keychain."

This error message indicates that your system’s keychain is missing either the public or private key for the certificate you’re using to sign your application.

This often happens when you’re trying to sign and build your application from a different system than the one you originally used to request your code signing certificate. It can also happen if your certificate has expired or has been revoked. Ensure that your app’s provisioning profile contains a valid code signing certificate, and that your system’s Keychain contains that certificate, the private key originally used to generate that certificate, and the WWDR Intermediate Certificate.

For instructions on how to resolve this error, review the Code Signing support page.

What happens to my applications signed with Developer ID if my Apple Developer Program membership expires?

If your membership expires, users can still download, install, and run your applications that are signed with Developer ID. However, once your Developer ID certificate expires, you must be an Apple Developer Program member to get new Developer ID certificates to sign updates and new applications.

Renew iOS certificate and tokens

Apple MDM push certificates, enrollment program tokens, and VPP tokens expire 365 days after they are created. Intune for Education notifies you when a certificate or token is close to expiring or has expired.

To maintain the connection between your Intune for Education account and your Apple account, you must renew them.

Renew Apple MDM certificate

If the Apple MDM certificate is deleted, you must reset and re-enroll devices with a new certificate.

The MDM push certificate is associated with the Apple ID that was used to create it. Renew the certificate with that same Apple ID.

  1. Go to Settings > MDM push certificate.
  2. Select Renew certificate.
  3. Follow the on-screen instructions. Be sure to sign in to the Apple Push Certificates Portal with the Apple ID that was used to create the original certificate. After you renew and download the certificate, return to Intune for Education to complete the remaining steps on this screen.
  4. Click Save.

Renew enrollment program token

Renew your enrollment program token annually to keep Intune for Education working on your school's devices. This process requires you to sign in to Apple School Manager to download the token.

  1. Go to Tenant settings > Enrollment program tokens.
  2. Select the token you need to renew.
  3. Click Renew token.
  4. Follow the on-screen instructions. Be sure to sign in to Apple School Manager with the Apple ID that was used to obtain the original token. After you renew and download the token, return to Intune for Education to complete the remaining steps on this screen.
  5. Click Save.

Renew VPP token

Renew your VPP tokens annually to make sure that purchased VPP apps can be viewed and assigned in Intune for Education.

A VPP token is associated with the Apple ID that was used to create it. Renew the token with that same Apple ID.

  1. Go to Tenant settings > VPP tokens.
  2. Find the token you need to renew. Select the link in the Associated apps column.
  3. Click Renew token.
  4. Follow the on-screen instructions. Be sure to sign in to Apple School Manager with the Apple ID that was used to obtain the original token. After you renew and download the token, return to Intune for Education to complete the remaining steps on this screen. When choosing a region, select where your school's devices are located.
  5. Click Save.

Next steps

Now that your certificates and tokens are renewed, make sure that your group settings are up to date. To see the current status of groups in Intune, learn how to view reports.

See what's new in Intune for Education to learn about the latest updates and features.

Renew APNs Certificate in Intune

In one of my previous blogs I explained how to set up the Apple Push certificate (APNs Certificate). In this blog I will show how you can renew your APNs Certificate. It is important that you renew your APNs Certificate before it expires. If you do not, you will have issues enrolling new devices (see pic. 1) and managing existing devices.

Picture 1: APNs certificate error during enrollment.

This is because Intune uses the Apple Push notification Service to communicate with enrolled devices. To use the Apple Push Notification Service, Intune requires a valid APNs certificate.

Validity APNs certificate

An APNs certificate is valid for one year. According to this Microsoft blogpost you will receive an email on the Apple ID used for creating the APNs certificate (30, 10 and 1 day prior to expiring), but I did not receive these emails for all my accounts. The Expiration Date of the certificate can also be checked in the Apple Push Certificates Portal.

Another way to view the validity of the certificate is by checking the MEM admin center. Go to “Devices” -> “iOS/iPadOS” -> “iOS/iPadOS enrollment” or click here and select “Apple MDM Push certificate”. In this overview you can see the current Status, number of days until expiration and expiration date.

Validate certificates

Before you start the renewal you need to check that you’re using the correct accounts and certificates. Go to “Devices” -> “iOS/iPadOS” -> “iOS/iPadOS enrollment” or click here and select “Apple MDM Push certificate”. Make a note of the Subject ID and Serial number.

Open a new browser tab, go to the Apple Push Certificates Portal and log in with the same Apple ID used to create the APNs Certificate. Make a note of the UID and Serial number.

Compare the notes you made about the Serial Number and the Subject ID/UID. The Serial number of the APNs certificate will change after each renewal. The Subject ID in Intune and the UID in the Apple Push Certificates Portal do not change and need to be the same. The UID is unique for every certificate created in the portal. If you try to upload a certificate with a different UID (e.g. when you create a new certificate or use a wrong certificate instead of renewing an existing one) you will get a Topic ID error.

The Topic ID is the last section of the Subject ID or UID, after “External.” (the GUID at the end of the string below).

com.apple.mgmt.External.89a059ad-fe3b-4093-b1e3-560292643c43

This unique identification string is also part of the common name of the PEM certificate issued by the Apple Push Certificates Portal.
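The comparison described above can be scripted before the renewed PEM is uploaded. The following is an added example, not part of the original post: it parses the text printed by `openssl x509 -noout -subject -serial -enddate` for the current and the renewed certificate and reports a topic mismatch, an unchanged serial, or an already expired file. It assumes the topic appears in the subject's UID field; the function names are hypothetical and the sample summaries are constructed.

```python
import re
from datetime import datetime, timezone

PREFIX = "com.apple.mgmt.External."

def parse_summary(text):
    """Parse `openssl x509 -noout -subject -serial -enddate` output."""
    uid = re.search(r"UID\s*=\s*([^,/\s]+)", text)
    serial = re.search(r"^serial=([0-9A-Fa-f]+)", text, re.M)
    end = re.search(r"^notAfter=(.+?)\s+GMT\s*$", text, re.M)
    if not (uid and serial and end):
        raise ValueError("missing subject UID, serial or notAfter")
    if not uid.group(1).startswith(PREFIX):
        raise ValueError("subject UID is not an MDM push topic")
    expires = datetime.strptime(end.group(1), "%b %d %H:%M:%S %Y")
    return {"topic": uid.group(1)[len(PREFIX):].lower(),
            "serial": serial.group(1).upper(),
            "not_after": expires.replace(tzinfo=timezone.utc)}

def check_renewal(current, renewed, now):
    """Return a list of problems; an empty list means safe to upload."""
    problems = []
    if renewed["topic"] != current["topic"]:
        problems.append("topic mismatch: new certificate, not a renewal")
    if renewed["serial"] == current["serial"]:
        problems.append("serial unchanged: this is the old certificate")
    if renewed["not_after"] <= now:
        problems.append("renewed certificate is already expired")
    return problems

# Constructed sample summaries (not real certificates). TOPIC is the example
# string from the text; the CN value, serials and dates are made up.
TOPIC = "89a059ad-fe3b-4093-b1e3-560292643c43"

def sample(topic, serial, not_after):
    return (f"subject=UID = {PREFIX}{topic}, CN = APSP:{topic}, C = US\n"
            f"serial={serial}\nnotAfter={not_after} GMT\n")

CURRENT = sample(TOPIC, "1A2B3C", "Jun  1 12:00:00 2021")
RENEWED = sample(TOPIC, "4D5E6F", "May 20 09:30:00 2022")
WRONG = sample("00000000-0000-4000-8000-000000000000", "778899",
               "May 20 09:30:00 2022")

if __name__ == "__main__":
    now = datetime(2021, 5, 20, tzinfo=timezone.utc)
    cur = parse_summary(CURRENT)
    for label, text in (("renewed", RENEWED), ("wrong", WRONG)):
        print(label, check_renewal(cur, parse_summary(text), now) or "OK")
```

A non-empty result for the downloaded file means it should not be uploaded to Intune; go back to the portal and renew the certificate whose UID matches the Subject ID.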

Reassignment APNs Certificate

As mentioned earlier, to renew your MDM push certificate you must use the same Apple Third party certificate each time. Therefore, it is important that the certificate is created with a generic account. If this has not happened and you want to change this, there is a possibility to reassign the certificate. To do this you need to contact Apple Deployment Programs Support and open a ticket. After a verification process, the certificate will be moved to the proper account. It will then be visible in the Certificates portal and can be used to renew your MDM push certificate.

Renewal

It’s important that you renew your APNs certificate and do not create a new APNs certificate. You also need to renew an expired certificate within the 30 day grace period, otherwise you will get a new certificate. If you use a new certificate you will need to re-enroll all your existing iOS devices. You should also always use the same Apple ID to renew the certificate as you used to create the certificate. It’s not possible to change the Apple ID used, but Apple may be able to associate a new Apple ID with an existing certificate.

To renew a certificate you need to perform the following steps:

1. Go to “Devices” -> “iOS/iPadOS” -> “iOS/iPadOS enrollment” or click here and select “Apple MDM Push certificate”. Select “Download your CSR” and save the file.

2. Open a new browser tab, go to the Apple Push Certificates Portal and log in with the same Apple ID used to create the APNs Certificate. Select “Renew” to renew the certificate.

3. Press “Choose File” to select the CSR file you downloaded at step 1. Press “Upload” to continue.

4. Press “Download” to download and save the renewed APNs Certificate (*.PEM file).

5. Select the MEM admin center tab in your browser. Enter the Apple ID used to renew the certificate and select the renewed APNs Certificate. Press “Upload” to finish the renewal.

6. The MDM push certificate has now been updated. The status, days to expiration and expiration date are now updated.

Sources

Updates

31-05-2021 Added Validate Certificates and Sources Section.
