
Creating an Apple APNS Certificate


4/20/2012

Created by Britt Womelsdorf

Edited by Mark S. Ciminello, MBA, PMP

The purpose of this document is to outline the steps necessary to create and acquire an Apple Push Notifications Service (“APNS”) Certificate to enable Apple iOS MDM capabilities for SAP customers in Afaria.


Contents

OVERVIEW

Mobile Device Management in iOS

Afaria and the Apple Push Notification Service

Certificate Creation Process

CREATE CERTIFICATE REQUEST

Generating an APNS Certificate Request on a Windows Server

SIGNING THE CERTIFICATE REQUEST

OBTAINING THE APNS CERTIFICATE FROM APPLE

Upload SCSR file to Apple

Obtaining the additional Apple Root and Intermediate Certificates to be used with the new APNS Certificate

COMPLETING THE CERTIFICATE REQUEST

Completing the CSR on a Windows Server Using IIS Manager

INSTALLING THE CERTIFICATES ON THE AFARIA SERVER


OVERVIEW

The purpose of this document is to create an Apple certificate (“cert”) that can be used with Afaria to enable Apple Push Notifications (“APNS”) within the Afaria environment.

The Apple APNS cert is required by Afaria to communicate with the device while it interacts with the Afaria device client.

Mobile Device Management in iOS

A Mobile Device Management (“MDM”) solution such as Afaria gives businesses the ability to manage large-scale deployments of iOS devices, including the iPhone, iPad and even the iPod.

This allows Afaria to securely enroll devices in an enterprise environment, wirelessly configure and update settings, monitor compliance with corporate policies, remotely wipe or lock managed devices, and apply other controls.

Most management functions are completed behind the scenes with no user interaction required. For example, if you wanted to update your VPN infrastructure, the Afaria server can configure your iOS devices with new account information over the air.

The next time VPN is used, the appropriate configuration is already in place, so the employee doesn’t need to call the help desk or manually modify settings.

Afaria and the Apple Push Notification Service

When the Afaria server wants to communicate with any iOS device such as an iPhone, iPad, or even a Wi-Fi-capable iPod [1], a silent notification is sent to the device via the Apple Push Notification service, prompting it to check in with the server. The process of notifying the device through this service does not actually send any proprietary information to or from the Apple Push Notification service.

The only task performed by the push notification is to wake the device so it checks in with the Afaria server. All configuration information, settings, and queries are sent directly from the server to the iOS device over an encrypted SSL/TLS connection between the device and the Afaria server. Apple iOS handles all Afaria requests and actions in the background to limit the impact on the user experience, including battery life, performance, and reliability.

[1] Applies to select models of iPods.

In order for the push notification server to recognize commands from the Afaria server, a certificate must first be installed on the server. This certificate must be requested and downloaded from the Apple Push Certificates Portal. Once the APNS certificate is uploaded into the Afaria server, devices can begin to be enrolled.

For more information on requesting an Apple Push Notification certificate for MDM, visit www.apple.com/business/mdm.

Certificate Creation Process

To use MDM, you’ll need to install an SSL certificate obtained from Apple on your MDM server. This certificate enables your server to securely communicate with the Apple Push Notification service. Requesting a certificate is simple and free.

Follow these instructions to get started:

1. Create Certificate Request. SAP will generate the initial signed Certificate Signing Request (CSR). SAP will sign a customer’s CSR and deliver it to the customer.

2. Obtain APNS Certificate. Once you have a signed CSR from SAP, sign in with a valid Apple ID, upload the signed Certificate Request file, and download a Certificate file.

3. Complete the Certificate. Complete and export the certificate as a certificate file.

4. Load Certificate into Afaria. This certificate can now be uploaded to Afaria for use with the Apple Push Notification service.

The following sections walk you through the steps required to generate the APNS certificate required by Apple.


CREATE CERTIFICATE REQUEST

This section outlines the steps necessary to initiate the certificate request.

Important: Install the certificate on the same server on which you generated the CSR. The private key is created on that server during the CSR process, and the certificate can only be associated with it there.

Generating an APNS Certificate Request on a Windows Server

Click on the Start Menu, go to Administrative Tools, and click on Internet Information Services (IIS) Manager.

Click on the name of the server in the Connections column on the left.


Under the IIS section in the center window pane, double-click “Server Certificates.”

In the Actions column on the right, click on Create Certificate Request....


On the Distinguished Name Properties window, enter the following information:

Common Name. The name of the person generating the request (any name can be entered into this field).

Organization. The legal name of your organization.

Organizational Unit. The division of your organization handling the certificate (Most CAs don’t validate this field).

City/Locality. The city where your organization is located.

State/province. The state/region where your organization is located.

Country/Region. The two-letter ISO code for the country where your organization is located.

Click on Next.


The Request Certificate dialog box is displayed.

Leave the default Cryptographic Service Provider (Microsoft RSA...). Increase the Bit Length to 2048 or higher. Click Next.

Click the button with the three dots and enter a location and filename where you want to save the CSR file.

Click Finish.

The file is typically in the format *.txt.


SIGNING THE CERTIFICATE REQUEST

An Apple APNS Certificate must be signed by a Mobile Device Management vendor.

This step can only be performed by an SAP Solution Engineer who has a valid Sybase Frontline Support ID.

Go to the Sybase web site for Frontline Support (http://frontline.sybase.com). Sign in using your Technical Support ID.

Click on Apple CSR Signing and then Browse. Find your CSR request file, select it, and then click on Upload and Sign.


Your file will be signed immediately, and you can now download the signed certificate request file. Click on Download Signed Certificate Signing Request (SCSR) and download the file to your desktop.

The file downloaded will be in the file format *.scsr.


OBTAINING THE APNS CERTIFICATE FROM APPLE

In this section, you will take the signed CSR file, upload it to the Apple web site for Push Notifications, and download the resulting APNS certificate.

Upload SCSR file to Apple

In a web browser, go to the Apple Push Certificates Portal website at https://identity.apple.com/pushcert.

Note:

1. This can be any valid Apple ID. This doesn’t have to be an Apple ID associated with an Apple Developer Account.

2. This process does not work in Internet Explorer; it is recommended that you use Chrome or Safari.

Sign in using your Apple ID and password.


After you are logged in, select the Create a Certificate button.

Be sure to read the Terms of Use and accept the End User License Agreement.

Select the Choose File button to browse to the .SCSR file provided by Sybase.

Select the Upload button.


If successfully uploaded, the MDM certificate will be displayed on the “Certificates for Third-Party Servers” screen.

This screen is where all certificates issued under the logged in Apple ID will be displayed.

Select the Download button to receive the Apple certificate.

The obtained certificate will be in “*.pem” format.

You can now log out of the Apple Push Certificates Portal.


Obtaining the additional Apple Root and Intermediate Certificates to be used with the new APNS Certificate

The new APNS certificate obtained from the Apple Push Certificates Portal requires a different Root and Intermediate certificate than the APNS certificate you obtain from the Apple Developer Portal. To obtain these new certificates, in a web browser, go to http://www.apple.com/certificateauthority

In the Apple Root Certificates section, download the Apple Inc. Root Certificate.

In the Apple Intermediate Certificates section, download the Application Integration (AAICA) certificate.


COMPLETING THE CERTIFICATE REQUEST

You can complete the Certificate Request either through Windows Server or through a Mac.

Completing the CSR on a Windows Server Using IIS Manager

Copy the .pem certificate file to the Windows Server.

Click on the Start Menu, go to Administrative Tools, and click on Internet Information Services (IIS) Manager.


The IIS Manager is displayed.

Click on the name of the server in the Connections column on the left. Double-click on Server Certificates.

In the Actions column on the right, click on Complete Certificate Request....


The Complete Certificate Request dialog box is displayed.

Click the button with the three dots and select the .pem certificate that you received from the Apple Push Certificates Portal.

If the certificate doesn’t have a .cer file extension, select the option to view all file types.

Enter a friendly name so you can keep track of the certificate on this server.

Click OK.


If successful, you will see the certificate in the list. If you receive an error stating that the request or private key can’t be found, make sure you are using the correct certificate and that you are installing it to the same server that you generated the CSR on.
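One way to check the cause of that error before retrying, as an added example that is not part of the original document: Windows keeps each pending request, together with its private key, in the local machine's Certificate Enrollment Requests store (`Cert:\LocalMachine\REQUEST`), so the downloaded certificate can only be completed on a server where one of those entries carries the same public key. The function name and the sample path are assumptions.

```powershell
# Added example: find the pending request that belongs to a downloaded certificate.
# The function name and the sample path below are hypothetical.
function Find-PendingRequestForCertificate {
    param(
        # The .pem file downloaded from the Apple Push Certificates Portal
        [Parameter(Mandatory = $true)] [string] $CertificatePath
    )

    $type = 'System.Security.Cryptography.X509Certificates.X509Certificate2'
    $path = (Resolve-Path $CertificatePath).Path

    # X509Certificate2 reads DER as well as Base64 (PEM) encoded certificates.
    $issued    = New-Object $type -ArgumentList $path
    $issuedKey = $issued.GetPublicKeyString()

    # Requests generated on THIS server are listed here until they are completed.
    $pending = @(Get-ChildItem -Path Cert:\LocalMachine\REQUEST)
    $match   = @($pending | Where-Object { $_.GetPublicKeyString() -eq $issuedKey })

    [pscustomobject]@{
        Subject         = $issued.Subject
        NotAfter        = $issued.NotAfter
        PendingRequests = $pending.Count
        # False: the CSR was generated on another server, or was already completed.
        MatchFound      = ($match.Count -gt 0)
        # False with MatchFound true: the request entry exists but its key is gone.
        MatchHasKey     = [bool]($match | Where-Object { $_.HasPrivateKey })
    }
}

# Run in an elevated session on the server where the CSR was generated:
# Find-PendingRequestForCertificate -CertificatePath 'C:\Temp\apns-from-apple.pem'
```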

Now, you need to export the APNS certificate to the correct format.

Right-click the certificate you just imported and select Export.


Click the button with the three dots to specify a path to save the certificate file in .pfx format. When exporting the certificate, you are required to enter a password used for exporting the certificate. (Don’t forget the password)

Now, you should have the certificate in .pfx format. Proceed to the section titled “Instructions for Installing Certificates on the Afaria Server” to complete the process.
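Because the exported .pfx is the file that carries the private key, it is worth inspecting it before it is loaded into Afaria. The following is an added example, not part of the original document; the function name, the 30-day warning window and the sample path are assumptions.

```powershell
# Added example: inspect an exported .pfx before uploading it to Afaria.
# Function name, thresholds and the sample path are hypothetical.
function Test-ApnsPfx {
    param(
        [Parameter(Mandatory = $true)] [string] $PfxPath,
        [Parameter(Mandatory = $true)] [securestring] $Password,
        [int] $MinimumKeyBits = 2048,  # bit length selected when the CSR was created
        [int] $WarnDays = 30           # assumed renewal warning window
    )

    $type  = 'System.Security.Cryptography.X509Certificates.X509Certificate2'
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet
    $path  = (Resolve-Path $PfxPath).Path

    # Throws if the password is wrong or the file is not a valid PKCS #12 container.
    $cert = New-Object $type -ArgumentList $path, $Password, $flags

    try {
        $keyBits  = $cert.PublicKey.Key.KeySize
        $daysLeft = [math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)

        $problems = @()
        if (-not $cert.HasPrivateKey)     { $problems += 'no private key in the file' }
        if ($keyBits -lt $MinimumKeyBits) { $problems += "key is only $keyBits bits" }
        if ($daysLeft -lt 0)              { $problems += 'certificate has expired' }
        elseif ($daysLeft -lt $WarnDays)  { $problems += "expires in $daysLeft days" }

        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            HasPrivateKey = $cert.HasPrivateKey
            KeyBits       = $keyBits
            NotAfter      = $cert.NotAfter
            Problems      = $problems
            Usable        = ($problems.Count -eq 0)
        }
    }
    finally {
        $cert.Reset()   # release the certificate and key material loaded from the file
    }
}

# Prompting for the password keeps it out of the command history:
# Test-ApnsPfx -PfxPath 'C:\Temp\apns.pfx' -Password (Read-Host -AsSecureString 'PFX password')
```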


INSTALLING THE CERTIFICATES ON THE AFARIA SERVER

Launch the Afaria Console and navigate to the Server Component iOS Notification Tab:

Click on Browse, and then navigate to the .pfx certificate created in the previous step, enter the .pfx password and then click on Install:


Once the certificate has successfully uploaded, restart the Afaria Service:

Once the Afaria Service has restarted, it is recommended that you validate the certificate by enrolling a single iOS device and sending a remote lock command. (Remote Wipe if it is your co-worker’s phone)
