Action Required: Apple Push Notification Service Server Certificate Update

Lathan Theivendran 5

Hi, we reiceved from apple the following message.

Hello, We’re reaching out with a final reminder that the Certification Authority (CA) for Apple Push Notification service (APNs) is changing. APNs updated the server certificates in sandbox on January 21, 2025. APNs production server certificates will be updated on February 24, 2025. To continue using APNs without interruption, you’ll need to update your application’s Trust Store to include the new server certificate: SHA-2 Root: USERTrust RSA Certification Authority certificate.

We are using the Azure Web App Service. The web service sends token-based push notifications directly to the Apple Push server.

So we are not using any Notification Hubs or Firebase.

Do we need to do anything to use the latest certificate Apple is requesting? Does Microsoft update the certificate automatically? Where and how can I check if the certificate is installed for the web app?

Thanks, Lathan

1 answer

Deepanshu katara 13,925 MVP

Hello , welcome to MS Q&A

Also, Microsoft generally maintains the trusted root certificates for Azure Web Apps so, in general, you shouldn't have to do anything here manually. when Apple does an update to its certificate, then Microsoft will add it into the trust store, and hence your web job should continue to send push notifications without any problem.

Please let us know if any further questions

Kindly accept if it helps

Thanks

Deepanshu

Lathan Theivendran 5 Reputation points

2025-02-12T09:28:42.6633333+00:00

Hi Deepanshu,

Thanks for your reply.

I have already seen this post.

Could you confirm if the certificate has been updated in the web app? To ensure that the correct certificate is in use and that the push functionality will work after the given deadline, could you also let me know where I can check the certificate myself?

Thanks, Lathan
Siva Nair 155 Reputation points Microsoft Vendor

2025-02-13T10:44:17.6633333+00:00
Hi Lathan Theivendran,

Welcome to the Microsoft Q&A

In addition to Deepanshu katara response, Please refer below points to check the certificate,

Use OpenSSL to verify the connection to APNs with the new certificate: "openssl s_client -connect api.push.apple.com:443 -showcerts" Look for 'USERTrust RSA Certification Authority' in the certificate chain.

For Windows-based Azure Web Apps: Access the Kudu Console: Go to portal→ Debug Console → CMD/PowerShell. List Trusted Certificates: Run in PowerShell: Get-ChildItem -Path Cert:\LocalMachine\Root | Where-Object { $_.Subject -like "USERTrust" } If the 'USERTrust RSA Certification Authority' appears, it’s already trusted.

For Linux-based Azure Web Apps: Enable SSH in your Web App and connect. Run: [grep -Ri "USERTrust RSA Certification Authority" /etc/ssl/certs/]. Check if the certificate exists in /etc/ssl/certs/.

Update Dependencies: Ensure your app’s libraries (e.g., .NET, Java, Node.js) use the OS trust store and not a pinned certificate.

If you have any further assistant, do let me know.

If the answer is helpful, please click Accept Answer and kindly upvote it so that other people who faces similar issue may get benefitted from it.
Lathan Theivendran 5 Reputation points

2025-02-13T11:24:56.0866667+00:00

Hi @Siva Nair

i have tried on the azure web app kudo:
There is no certificate listed.

I tried also by checking the current user certificates
Get-ChildItem -Path Cert:\CurrentUser\Root | Where-Object { $_.Subject -like "USERTrust" }
still nothing is listed.

I checked these also on 3 different resources.

I our app is no certificate pinned.
Siva Nair 155 Reputation points Microsoft Vendor

2025-02-17T06:12:01.8833333+00:00
Hi Lathan Theivendran,

Welcome to the Microsoft Q&A

Can you share the result of this point so that we can help you better on this.

Use OpenSSL to verify the connection to APNs with the new certificate: "openssl s_client -connect api.push.apple.com:443 -showcerts" Look for 'USERTrust RSA Certification Authority' in the certificate chain.

If you have any further assistant, do let me know.

Lathan Theivendran 5

Hi @Siva Nair

this is the result, there is nothing with USERTrust RSA Certificate

PS C:\home> openssl s_client -connect api.push.apple.com:443 -showcerts
openssl s_client -connect api.push.apple.com:443 -showcerts
Connecting to 17.188.170.97
depth=2 CONNECTED(00000004)
---

Certificate chain
 0 s:C=US, ST=California, O=Apple Inc., CN=api.push.apple.com
   i:CN=Apple Public Server RSA CA 12 - G1, O=Apple Inc., ST=California, C=US
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jun 19 16:31:31 2024 GMT; NotAfter: Apr 10 00:00:00 2025 GMT
 1 s:CN=Apple Public Server RSA CA 12 - G1, O=Apple Inc., ST=California, C=US
   i:C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=AAA Certificate Services
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jun 19 00:00:00 2019 GMT; NotAfter: Dec  6 23:59:59 2028 GMT
---
Server certificate
subject=C=US, ST=California, O=Apple Inc., CN=api.push.apple.com
issuer=CN=Apple Public Server RSA CA 12 - G1, O=Apple Inc., ST=California, C=US
---
Acceptable client certificate CA names
C=US, O=Apple Inc., OU=Apple Certification Authority, CN=Apple Root CA
CN=Apple Worldwide Developer Relations Certification Authority, OU=G4, O=Apple Inc., C=US

CN=Apple Application Integration 2 Certification Authority, OU=Apple Certification Authority, O=Apple Inc., C=US

CN=Apple Corporate Authentication CA 1, OU=Certification Authority, O=Apple Inc., C=US
C=US, O=Apple Inc., OU=Apple Worldwide Developer Relations, CN=Apple Worldwide Developer Relations Certification Authority

CN=Apple Corporate Root CA, OU=Certification Authority, O=Apple Inc., C=US
C=US, O=Apple Inc., OU=Apple Certification Authority, CN=Apple Application Integration Certification Authority

Requested Signature Algorithms: ECDSA+SHA256:RSA-PSS+SHA256:RSA+SHA256:ECDSA+SHA384:RSA-PSS+SHA384:RSA+SHA384:RSA-PSS+SHA512:RSA+SHA512:RSA+SHA1

Shared Requested Signature Algorithms: ECDSA+SHA256:RSA-PSS+SHA256:RSA+SHA256:ECDSA+SHA384:RSA-PSS+SHA384:RSA+SHA384:RSA-PSS+SHA512:RSA+SHA512

Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4564 bytes and written 436 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

@@C=GB, ST=Greater Manchester, L=Salford, O=Comodo CA Limited, CN=AAA Certificate Services
verify return:1
depth=1 CN=Apple Public Server RSA CA 12 - G1, O=Apple Inc., ST=California, C=US
verify return:1
depth=0 C=US, ST=California, O=Apple Inc., CN=api.push.apple.com
verify return:1
XÿÿÿHTTP/2 client preface string missing or corrupt. Hex dump for received bytes: 0a---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: ...
    Session-ID-ctx: 
    Resumption PSK: ...
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 172800 (seconds)
    TLS session ticket:
..
..
    Start Time: 1739778191
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: .....
    Session-ID-ctx: 
    Resumption PSK: ....
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 172800 (seconds)
    TLS session ticket:
...
...
    Start Time: 1739778191
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
closed

Lathan Theivendran 5

i tried this to connect to api.development.push.apple.com:443 with the ssl.
There the 'USERTrust RSA Certification Authority' existing.

PS C:\home> openssl s_client -connect api.development.push.apple.com:443 -showcerts
Connecting to 17.188.168.135
depth=2 CONNECTED(00000004)
---
Certificate chain
 0 s:C=US, ST=California, O=Apple Inc., CN=api.sandbox.push.apple.com
   i:CN=Apple Public Server RSA CA 11 - G1, O=Apple Inc., ST=California, C=US
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jan  6 21:59:52 2025 GMT; NotAfter: Jan 28 19:25:34 2026 GMT
-----BEGIN CERTIFICATE-----
..
-----END CERTIFICATE-----
 1 s:CN=Apple Public Server RSA CA 11 - G1, O=Apple Inc., ST=California, C=US
   i:C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA384
   v:NotBefore: Jun 19 00:00:00 2019 GMT; NotAfter: Dec  4 23:59:59 2030 GMT
-----BEGIN CERTIFICATE-----
..
-----END CERTIFICATE-----
---
Server certificate
subject=C=US, ST=California, O=Apple Inc., CN=api.sandbox.push.apple.com
issuer=CN=Apple Public Server RSA CA 11 - G1, O=Apple Inc., ST=California, C=US
---
Acceptable client certificate CA names
C=US, O=Apple Inc., OU=Apple Certification Authority, CN=Apple Root CA
CN=Apple Worldwide Developer Relations Certification Authority, OU=G4, O=Apple Inc., C=US
CN=Apple Application Integration 2 Certification Authority, OU=Apple Certification Authority, O=Apple Inc., C=US
C=US, ST=CA, L=Cupertino, O=Apple Inc., OU=Internet Software and Services, CN=iCloud Test, emailAddress=******@group.apple.com
CN=Apple Corporate Authentication CA 1, OU=Certification Authority, O=Apple Inc., C=US
C=US, O=Apple Inc., OU=Apple Worldwide Developer Relations, CN=Apple Worldwide Developer Relations Certification Authority
CN=Apple Corporate Root CA, OU=Certification Authority, O=Apple Inc., C=US
C=US, O=Apple Inc., OU=Apple Certification Authority, CN=Apple Application Integration Certification Authority
Requested Signature Algorithms: ECDSA+SHA256:RSA-PSS+SHA256:RSA+SHA256:ECDSA+SHA384:RSA-PSS+SHA384:RSA+SHA384:RSA-PSS+SHA512:RSA+SHA512:RSA+SHA1
Shared Requested Signature Algorithms: ECDSA+SHA256:RSA-PSS+SHA256:RSA+SHA256:ECDSA+SHA384:RSA-PSS+SHA384:RSA+SHA384:RSA-PSS+SHA512:RSA+SHA512
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4974 bytes and written 448 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
@@C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
verify return:1
depth=1 CN=Apple Public Server RSA CA 11 - G1, O=Apple Inc., ST=California, C=US
verify return:1
depth=0 C=US, ST=California, O=Apple Inc., CN=api.sandbox.push.apple.com
verify return:1
XÿÿÿHTTP/2 client preface string missing or corrupt. Hex dump for received bytes: 0a---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: ..
    Session-ID-ctx: 
    Resumption PSK: ..
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 172800 (seconds)
    TLS session ticket:
..
    Start Time: 1739778895
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Session-ID: ..
    Session-ID-ctx: 
    Resumption PSK: ..
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 172800 (seconds)
    TLS session ticket:
..
    Start Time: 1739778895
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
closed

Siva Nair 155 Reputation points Microsoft Vendor

2025-02-17T09:00:57.6466667+00:00
Hi Lathan Theivendran,

Welcome to the Microsoft Q&A.

We need to update it manually in your web server IIS,

Download the latest USERTrust RSA Certification Authority certificate from a trusted source like the official USERTrust website.

Install the new certificate: For web servers, you will need to replace the existing certificate and intermediate certificates with the ones from USERTrust. This typically involves:

Updating the SSL certificate file for your server.

Configuring the server to use the updated certificates in the chain.

Restarting the server to apply the changes.

Verify the update: After replacing the certificate, you can run the openssl s_client -connect command again to verify that the USERTrust RSA certificate is part of the chain and being presented correctly.

If you have any further assistant, do let me know, once you tried the above steps to update the certificate in web server.
Lathan Theivendran 5 Reputation points

2025-02-17T09:28:03.56+00:00

Hi @Siva Nair

we are just using as arleady mentioned only the Web App from Azure
And till today we didnt managed any of the USERTrust Certificates or any other certificates.

If i see correctly for the sandbox of apple apns (api.development.push.apple.com:443), its already showing the USERTrust RSA as i mentionen in the 2dn comment.

Share via

Action Required: Apple Push Notification Service Server Certificate Update

1 answer

Your answer