APNS CA update

[stager0909]

Hello,
It seems that Apple is planning to change the CA for APNS.
Could you let me know what kind of actions I need to take in relation to this?
https://developer.apple.com/news/?id=09za8wzy

[jchambers]

The main thing here is exactly what Apple has put in the document you linked:

To ensure a smooth transition and avoid push notification delivery failures, please make sure that both old and new server certificates are included in the Trust Store before the cut-off date for each of your application servers that connect to sandbox and production.

To be a little more explicit, you can:

1. Download the certificate from the page linked from Apple's announcement. I am not providing a direct link because it is important that you verify that you've retrieved the certificate from a trusted, credible source and not from some random person on the internet.
2. Get the SHA256 fingerprint of the certificate. One way to do that is with openssl:

openssl x509 -in certificate.crt -noout -fingerprint -sha256

3. Check to see if you have a certificate with that fingerprint in your trust store. You can get a list of trusted certificates in the default trust store with keytool -list -cacerts. If you're using a custom trust store, the process is similar, but you need to specify the trust store with the -keystore argument. Please see the keytool documentation for more information.
4. If the new certificate is already present, you do not need to take any further action.
5. If the new certificate is not present, you'll need to either add it to your trust store or use one of the ApnsClient#setTrustedServerCertificateChain methods.

[suttiwat]

Thanks for info, I also would like to know if I'm using Token authentication for APNS push notification. For this Token authentication, should I do anything about this coming APNS certificate change?

[jchambers]

Yes; you need to prepare for this change even if you're using token-based authentication.

Certificate-based authentication uses mutual TLS (mTLS), in which the client and server both present certificates. In token-based authentication, clients do not present a certificate to the server, but they're still connecting via TLS and must verify the certificate presented by the server.

[suttiwat]

Thank you jchambers. I've done your 5 steps above. And found that In my Google App Engine Flexible environment, it's already have the required CA. Seems that's the beauty of Platform as a service like Google App Engine :D

[musir-dev]

I'm also using Token authentication for APNS push notification and I'm (a lot) confused.
Having a p8 file and using the method https://pushy-apns.org/apidocs/latest/com/eatthepath/pushy/apns/ApnsClientBuilder.html#setSigningKey with related teamID and keyID, how can I check the correctness of certificate that I'm using?

[jchambers]

Having a p8 file… how can I check the correctness of certificate that I'm using?

The process is the same whether you're using certificate-based authentication or token-based authentication.

The change that's coming is that the certificate that APNs servers present to clients will be signed by a new certificate authority. Clients connect to APNs servers using TLS regardless of the authentication method they use, and when they do, the APNs server presents its certificate chain. Clients must verify that chain before they continue communicating with the APNs server.

As a reminder, TLS clients all have a list of certificates that they trust. In the most common case, that list is maintained by the operating system or runtime environment. The most common case for Pushy users is to just use the trusted certificate list included with their JDK. If you have not specified your own custom trust store or trusted server certificate, you're using the JDK-default trust store. The thing you need to check is whether the trust store you're using contains the new certificate authority that Apple will start using in January/February, and that's what's covered by the instructions above.

Does that make sense? If not, can you help me understand which part is confusing? I recognize that TLS and certificates aren't everybody's main professional focus, and this can be a complicated space for folks who don't spend a lot of their time dealing with this kind of thing.