Apple has announced an important change to the Certification Authority (CA) for Apple Push Notification service (APNs). The update to APNs server certificates will take effect in the sandbox environment on January 20, 2025, and in the production environment on February 24, 2025.
To ensure uninterrupted push notification services, developers must update their application’s Trust Store to include the new SHA-2 Root: USERTrust RSA Certification Authority certificate before the respective cut-off dates.
If You Use Firebase or Microsoft Azure Notification Service
If your application uses Firebase Cloud Messaging (FCM) or Microsoft Azure Notification Hubs, you probably do not need to take any action. These services manage push notifications on behalf of your application, handling all necessary certificate updates internally. Google and Microsoft will ensure their backend services are updated with the new APNs root certificate, so you won’t need to manually update your Trust Store unless you have custom implementations that directly communicate with APNs.
If you directly connect to Apple’s APNs with Windows Servers
Then read on.
It is essential that all Windows servers communicating with APNs trust both the old and new certificates to avoid any disruptions. Below are the steps to correctly import the new root certificate into your Windows servers.
Steps to Update the APNs Certificate on Windows Servers
Step 1: Download the New Root Certificate
- Open your web browser and navigate to the official certificate provider’s page: Sectigo Intermediate Certificates
- Locate and download the USERTrust RSA Certification Authority root certificate in .cer or .crt format.
Step 2: Open Certificate Manager
- Press Win + R to open the Run dialog.
- Type certmgr.msc and press Enter.
- The Certificate Manager will open, allowing you to manage trusted certificates.
Step 3: Import the New Root Certificate
- In Certificate Manager, expand the Trusted Root Certification Authorities folder.
- Right-click on the Certificates subfolder.
- Select All Tasks > Import.
- The Certificate Import Wizard will appear. Click Next.
- Browse to the location where you saved the downloaded certificate and select it.
- Click Next and follow the prompts to complete the import process.
Step 4: Verify the Import
- After the import is complete, navigate to Trusted Root Certification Authorities > Certificates.
- Confirm that the USERTrust RSA Certification Authority certificate is listed.
Step 5: Update Group Policy (for Domain-Joined Computers)
If your Windows servers are part of a domain, updating the Group Policy will ensure that all connected machines receive the updated certificate.
- Open Group Policy Management Console.
- Create or edit an existing Group Policy Object (GPO).
- Navigate to Computer Configuration > Windows Settings > Security Settings > Public Key Policies.
- Right-click on Trusted Root Certification Authorities and select Import.
- Follow the wizard to import the new root certificate.
- Apply the GPO to all required machines and restart them if necessary.
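Steps 1 to 4 can also be scripted. The PowerShell below is an added example, not taken from Apple's or Sectigo's instructions: it checks that the downloaded file is the self-signed USERTrust RSA Certification Authority root, compares its SHA-256 fingerprint with a value you obtain separately, and imports it into the Local Computer store (Cert:\LocalMachine\Root), which is the store services read, whereas certmgr.msc manages the current user's store. The file path and the expected fingerprint are placeholders you must replace.

```powershell
# Added example: validate the downloaded root, then import it machine-wide.
# Run from an elevated PowerShell session.
param(
    # Assumed download location; change to where you saved the file.
    [string]$CertPath = 'C:\Temp\USERTrustRSACertificationAuthority.crt',
    # Placeholder: paste the fingerprint published by the CA, obtained out of band.
    [string]$ExpectedSha256 = '<SHA-256 fingerprint published by the CA>'
)

$ErrorActionPreference = 'Stop'
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertPath)

# 1. The file must be the root named in the announcement. A root is self-signed,
#    so a cross-signed or intermediate certificate fails the second check.
if ($cert.Subject -notmatch 'CN=USERTrust RSA Certification Authority') {
    throw "Unexpected subject: $($cert.Subject)"
}
if ($cert.Subject -ne $cert.Issuer) {
    throw "Not self-signed (issuer: $($cert.Issuer)); this is not a root certificate."
}

# 2. Compare the SHA-256 fingerprint of the certificate with the expected value.
$sha      = [System.Security.Cryptography.SHA256]::Create()
$actual   = [BitConverter]::ToString($sha.ComputeHash($cert.RawData)) -replace '-', ''
$expected = ($ExpectedSha256 -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
if ($expected.Length -ne 64 -or $actual -ne $expected) {
    throw "Fingerprint mismatch, or placeholder not replaced. Actual: $actual"
}

# 3. Import into the Local Computer root store so services and all accounts trust it.
Import-Certificate -FilePath $CertPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# 4. Verify the import (equivalent to Step 4 above).
$found = Get-ChildItem 'Cert:\LocalMachine\Root' |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
if (-not $found) { throw 'Certificate not found in LocalMachine\Root after import.' }
$found | Select-Object Subject, Thumbprint, NotAfter
```

The script stops before importing if any check fails, so a wrong or tampered file never reaches the trust store.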
Sources
https://developer.apple.com/news/?id=09za8wzy
https://developer.apple.com/news/upcoming-requirements/?id=01202025a