Sending Apple Push Notifications in ASP.NET and C# – part 2 (Generating APNS Certificates)

In the last post we covered the concepts of push notifications. In this post we will learn how to generate the Apple Push Notification certificate that our provider (the ASP.NET server) presents to APNs when it connects.

Why do you need an Apple APNS certificate?

Apple requires each organization to maintain its own certificate so that only that organization's provider can send notifications to its application across Apple's push notification network. The certificate is bound to a single App ID and is presented as the client certificate on the TLS connection to APNs. Anyone who holds it together with its private key can push to every device running your app, so treat the exported .p12 file (and its password) as a production credential, not as a build artifact.

Generating the Apple Push Notification SSL certificate on Mac:

To request an iPhone Development Certificate, you first need to generate a Certificate Signing Request (CSR) using the Keychain Access application in Mac OS X Leopard. Creating the CSR prompts Keychain Access to generate your public/private key pair at the same time, which establishes your iPhone Developer identity. Your private key is stored in the login keychain by default and can be viewed in Keychain Access under the ‘Keys’ category. To generate a CSR:

1. In your Applications folder, open the Utilities folder and launch Keychain Access.
2. In the Preferences menu, set Online Certificate Status Protocol (OCSP) and Certificate Revocation List (CRL) to “Off”. Note that this disables revocation checking for every certificate on the machine, not just for this request; turn both back on once your certificates are installed.
3. Choose Keychain Access -> Certificate Assistant -> Request a Certificate from a Certificate Authority. Note: If you have a noncompliant private key highlighted in the Keychain during this process, the resulting Certificate Request will not be accepted by the Program Portal. Confirm that you are selecting “Request a Certificate From a Certificate Authority…” and not “Request a Certificate From a Certificate Authority with …”
4. In the User Email Address field, enter your email address. Please ensure that the email address entered matches the information that was submitted when you registered as an iPhone Developer.
5. In the Common Name field enter your name. Please ensure that the name entered matches the information that was submitted when you registered as an iPhone Developer.
6. No CA (Certificate Authority) Email Address is required. The ‘Required’ message will be removed after completing the following step.
7. Select the ‘Saved to Disk’ radio button and, if prompted, select ‘Let me specify key pair information’ and click ‘Continue’.
8. If ‘Let me specify key pair information’ was selected, specify a file name and click ‘Save’. In the following screen select ‘2048 bits’ for the Key Size and ‘RSA’ for the Algorithm. Click ‘Continue’.
9. The Certificate Assistant will create the CSR file at the location you chose (your desktop by default).
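The same key pair and CSR can be produced and inspected from the command line with OpenSSL. The script below is an added example, not code from the original post or from Apple: it mirrors the Keychain Access flow above (2048-bit RSA key, CSR carrying the Common Name and email address), applies the checks the Portal applies (RSA, exactly 2048 bits, valid self-signature) and adds the one check the Portal cannot do for you, namely that the CSR really belongs to the private key you kept. File names and the sample identity "Jane Developer" / jane@example.com are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the original post or from Apple): OpenSSL equivalent
# of the Keychain Access "Request a Certificate From a Certificate Authority..."
# flow, plus checks on the result. File names and identity are assumptions.
set -eu

# Generate a 2048-bit RSA key pair and a CSR. The CN and email address should
# be the ones used for the developer registration, since the Portal compares them.
make_csr() {
  dir=$1; cn=$2; email=$3
  mkdir -p "$dir"
  # umask 077: the private key never leaves this machine (Apple only ever
  # receives the CSR), so keep it unreadable by other users.
  ( umask 077; openssl genrsa -out "$dir/dev.key" 2048 2>/dev/null )
  openssl req -new -key "$dir/dev.key" \
    -subj "/CN=$cn/emailAddress=$email" \
    -out "$dir/CertificateSigningRequest.certSigningRequest" 2>/dev/null
}

# Key size recorded in the CSR (the Portal rejects anything but 2048).
csr_key_bits() {
  openssl req -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Returns 0 only if the CSR is RSA, 2048 bits, and its self-signature verifies.
check_csr() {
  csr=$1
  openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || return 1
  openssl req -in "$csr" -noout -text | grep -q 'Public Key Algorithm: rsaEncryption' || return 1
  [ "$(csr_key_bits "$csr")" = "2048" ]
}

# Returns 0 only if the subject carries the expected CN ($2) and email ($3).
check_csr_subject() {
  subj=$(openssl req -in "$1" -noout -subject)
  case "$subj" in *"$2"*) ;; *) return 1 ;; esac
  case "$subj" in *"$3"*) return 0 ;; *) return 1 ;; esac
}

# Returns 0 only if the public key inside the CSR was derived from this private
# key. This is the check to run when Xcode later reports the private key as
# "missing": the certificate Apple issues will only pair with this exact key.
key_matches_csr() {
  key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  csr_pub=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$key_pub" ] && [ "$key_pub" = "$csr_pub" ]
}

# Demo on a throw-away directory with a constructed sample identity.
demo() {
  d=$(mktemp -d)
  csr="$d/CertificateSigningRequest.certSigningRequest"
  make_csr "$d" "Jane Developer" "jane@example.com"
  check_csr "$csr" && echo "CSR: RSA 2048, self-signature OK"
  check_csr_subject "$csr" "Jane Developer" "jane@example.com" && echo "subject OK"
  key_matches_csr "$d/dev.key" "$csr" && echo "private key matches CSR"
  rm -rf "$d"
}

demo
```

Run it as `sh csr_check.sh`; to check a CSR produced by Keychain Access instead, export the private key from the keychain as PEM and call `key_matches_csr` and `check_csr` on the two files. The public-key comparison is deliberately done on the SubjectPublicKeyInfo output of both commands rather than on file names, because a CSR and a key that merely sit in the same folder prove nothing.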

Submitting a Certificate Signing Request for Approval

  1. After creating a CSR, log in to the iPhone Developer Program Portal and navigate to ‘Certificates’ > ‘Development’ and click ‘Add Certificate’.
  2. Click the ‘Choose file’ button, select your CSR and click ‘Submit’. If the Key Size was not set to 2048 bits during the CSR creation process, the Portal will reject the CSR.
  3. Upon submission, Team Admins will be notified via email of the certificate request.
  4. Once your CSR is approved or rejected by a Team Admin, you will be notified via email of the change in your certificate status.


Approving Certificate Signing Requests

  1. After submitting a CSR for approval, Team Admins will be directed to the ‘Development’ tab of the ‘Certificates’ section. Here, CSRs can be approved or rejected by clicking the corresponding action next to each request.
  2. Once a CSR is approved or rejected, the requesting Team Member is notified via email of the change in their certificate status. Each iPhone Development Certificate is available to both the Team Member who submitted the CSR for approval and to the Team Admin(s).

Downloading and Installing Development Certificates

  1. In the ‘Certificates’ > ’Distribution’ section of the Portal, control-click the WWDR Intermediate Certificate link and select “Save Linked File to Downloads” to initiate download of the certificate.
  2. On your local machine, double-click the WWDR Intermediate certificate to launch Keychain Access and install.
  3. Upon CSR approval, Team Members and Team Admins can download their certificates via the ‘Certificates’ section of the Program Portal. Click ‘Download’ next to the certificate name to download your iPhone Development Certificate to your local machine.
  4. On your local machine, double-click the downloaded .cer file to launch Keychain Access and install your certificate.
  5. Team Members can only download their own iPhone Development Certificates. Team Admins have the authority to download the public certificates of all of their Team Members. Apple never receives the private key for a CSR. The private key is not available to anyone except the original key pair creator and is stored in that Team Member's keychain (the login keychain by default).

Generating an App ID

  1. Team Agents or Team Admins should navigate to the ‘App ID’ section of the Program Portal.
  2. Click ‘Add ID’.
  3. Enter a common name for your App ID. This is a name for easy reference and identification within the Program Portal.
  4. Enter a Bundle Identifier in the free-form text field. The recommended usage is a reverse-domain name style string, e.g., com.domainname.applicationname. For a suite of applications sharing the same Keychain access, you can use a wild-card character in the Bundle Identifier (e.g. com.domainname.* or *). This Bundle Identifier will need to match whatever CFBundleIdentifier you use for your application in Xcode.
  5. For push notifications you need to create an App ID without the .* wild-card in the iPhone Developer Portal. An App ID without .* is unique to a single application, and only such explicit App IDs can be enabled for the Apple Push Notification service.
  6. Click ‘Submit’. At this time, the 10 character Bundle Seed ID is generated and concatenated with the Bundle Identifier you entered. This resulting string is your App ID. Note: The Bundle Seed ID does not need to be entered into Xcode.
  7. Generate a new App ID for each set of applications with shared Keychain Access needs. If you are creating a suite of applications that will share the same Keychain access (e.g. sharing passwords between applications) or have a set of applications with no Keychain Access requirements, create a single App ID for all applications utilizing a trailing asterisk as a wild-card character.

Registering an App ID for Apple Push Notification service

  1. In the App ID section of the Program Portal, locate the App ID you wish to use with the Apple Push Notification service. Only App IDs with a specific bundle ID can be used with the APNs. You cannot use a “wild-card” application ID. You must see “Available” under the Apple Push Notification service column to register this App ID and configure a certificate for this App ID.
  2. Click the ‘Details’ link next to your desired App ID.
  3. In the Configure App ID page, check the Enable Push Notification Services box and click the Configure button. Clicking this button launches the APNs Assistant, which guides you through the next series of steps that create your App ID specific Client SSL certificate.
  4. Download the Client SSL certificate file to your download location. Navigate to that location and double-click the certificate file (which has an extension of .cer) to install it in your keychain.
  5. When you are finished, click Done in the APNs Assistant.
  6. Double-clicking the .cer file launches Keychain Access. Make sure you install the certificate in your login keychain on the computer you are using for provider development, so that it is paired with the private key that was generated there for the CSR. That APNs SSL certificate, exported together with its private key, is what gets installed on your notification server.
  7. When you finish these steps you are returned to the Configure App ID page of the iPhone Dev Center portal. The certificate should be badged with a green circle and the label “Enabled”.
  8. To complete the APNs set-up process, you will need to create a new provisioning profile containing your APNs-enabled App ID.

Creating a Development Provisioning Profile

  1. In the ‘Provisioning’ section of the Portal, Team Admins should click ‘Add’ on the Development tab.
  2. Enter a name for the provisioning profile.
  3. Specify which devices will be associated with the provisioning profile. You must specify a device in order for that device to utilize the provisioning profile. If a device’s UDID is not included in the provisioning profile, neither the profile nor your application can be installed on that device.
  4. Specify which iPhone Development Certificates will be associated with the provisioning profile. You must specify an iPhone Development Certificate in order for the application code signed with that same certificate to run on the device.
  5. Specify a single App ID for the Development Provisioning Profile. Each Development Provisioning Profile can specify only ONE App ID, therefore, if you have applications requiring different Keychain access, you will need to create a separate Development Provisioning Profile for each of those applications. If you are installing a suite of applications with the same required Keychain access or have a set of applications not requiring access to the Keychain, use an App ID containing the wild-card asterisk character to build all of your applications.
  6. Click ‘Submit’ to generate your Development Provisioning Profile.

Installing a Development Provisioning Profile

All Team Agents, Admins and Members can download a Development Provisioning Profile from the ‘Provisioning’ section of the Portal after it has been created. Only those developers whose Apple device IDs and iPhone Development Certificates are included in the provisioning profile will be able to install and test their application on their device.

  1. In the ‘Provisioning’ section of the Program Portal, click the download button next to the desired provisioning profile.
  2. Drag the downloaded file onto the Xcode application icon in the dock or into the ‘Organizer’ window within Xcode. This will automatically copy the .mobileprovision file to the proper directory. Alternatively, you can drag the .mobileprovision file onto the iTunes icon in the dock or copy the file to ‘~/Library/MobileDevice/Provisioning Profiles’. If the directory does not exist you will need to create it. Click on the ‘+’ button in the Provisioning section of the Organizer window to install your .mobileprovision file.


Building and Installing your Development Application

Now that you have an approved iPhone Development Certificate, an assigned Apple device and a properly installed Development Provisioning Profile, Xcode can now build your application and install it on your development device. If you have a single iPhone Development Certificate and iPhone Development Provisioning Profile, you don’t need to change any settings in Xcode to start running your applications. To compile and install your code:

  1. Launch Xcode and open your project.
  2. In the Project Window, select ‘Device – iPhone OS’ from the ‘Device | Debug’ drop down menu in the upper-left hand corner.
  3. Highlight the project Target and select the ‘Info’ icon from the top menu bar.
  4. In the Target Info window, navigate to the ‘Build’ pane. Click the ‘Any iPhone OS Device’ pop-up menu below the ‘Code Signing Identity’ field and select the iPhone Development Certificate/Provisioning Profile pair you wish to sign and install your code with. Your iPhone Development certificate will be in bold, with the Provisioning Profile associated with it in grey above it. For example, ‘iPhone Developer: Team Leader’ would be the Development Certificate and ‘My First Development Provisioning Profile’ the .mobileprovision file paired with it. Note: If the private key for your iPhone Development certificate is missing, or if your iPhone Development certificate is not included in a provisioning profile, the Certificate/Provisioning Profile pair will not be selectable. Re-installing the private key, or downloading a provisioning profile that includes your iPhone Development certificate, will correct this.
  5. In the Properties Pane of the Target Info window, enter the Bundle Identifier portion of your App ID. If you have used an explicit App ID you must enter the Bundle Identifier portion of the App ID in the Identifier field. For example enter com.domainname.applicationname if your App ID is A1B2C3D4E5.com.domainname.applicationname. If you have used a wildcard asterisk character in your App ID, replace the asterisk with whatever string you choose.


In my next post, I will cover installing the Apple Push Notification certificates on Windows.


Posted on April 1, 2011, in Apple push notifications, Asp.net, C#. 9 Comments.

  1. Sorry, I have no idea about that error, but I would be thankful if you share the fix with us.

  2. Hi Fernando,
    I’m not sure if you have fixed that error; if not, try to generate your certificates as follows.
    Here is how to create a PKCS12 format file using OpenSSL. You will need your developer private key (which can be exported from the keychain) and the CertificateSigningRequest??.certSigningRequest

    1. Convert apn_developer_identity.cer (DER format) to PEM:

    openssl x509 -in apn_developer_identity.cer -inform DER -out apn_developer_identity.pem -outform PEM

    2. Next, convert the p12 private key to PEM (requires the input of a minimum 4 char password):

    openssl pkcs12 -nocerts -out private_dev_key.pem -in private_dev_key.p12

    3. (Optional): If you want to remove the password from the private key:

    openssl rsa -out private_key_noenc.pem -in private_dev_key.pem

    4. Take the certificate and the key (with or without password) and create a PKCS#12 format file (the -certfile option takes extra PEM certificates such as the WWDR intermediate, not a CSR, so it is left out here):

    openssl pkcs12 -export -in apn_developer_identity.pem -inkey private_key_noenc.pem -name "apn_developer_identity" -out apn_developer_identity.p12

  3. Would it be possible for you to write a summary for this step?
    What certs do I need to have when I finish this step?

    If I got it correctly then it is the p12/cert for push notifications (one for dev one for prod) and the cert for iphone developer.

    am I right?
    Thanks again.

  4. This is a great tutorial, but I’m getting a bit confused on how to convert the certificates downloaded and inserted into the keychain into the format required (p12) for Windows using OpenSSL. The comment above to Fernando uses different names than I have. For example, the CER file I downloaded from the Apple Provisioning portal is called “aps_developer_identity.cer”, but yours is “apn…” Also, where does “private_dev_key.pem” come from? How do I get that file?

    Sorry for the trouble, but I am a newbie to certificates and have spent a couple days trying to make it work without any luck. Any help would be greatly appreciated!

    Thank you in advance!

    Deep

    • Hi Deep,
      I hope this helps you:

      1. Convert apn_developer_identity.cer (DER format) to PEM:
      openssl x509 -in apn_developer_identity.cer -inform DER -out apn_developer_identity.pem -outform PEM
      2. Next, convert the p12 private key to PEM (requires the input of a minimum 4 char password):
      openssl pkcs12 -nocerts -out private_dev_key.pem -in private_dev_key.p12
      3. (Optional): If you want to remove the password from the private key:
      openssl rsa -out private_key_noenc.pem -in private_dev_key.pem
      4. Take the certificate and the key (with or without password) and create a PKCS#12 format file (the -certfile option takes extra PEM certificates such as the WWDR intermediate, not a CSR, so it is left out here):
      openssl pkcs12 -export -in apn_developer_identity.pem -inkey private_key_noenc.pem -name "apn_developer_identity" -out apn_developer_identity.p12
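The conversion discussed in the comments above (DER .cer from Apple plus the private key exported from Keychain Access, combined into one PKCS#12 for a Windows provider) can be scripted and, more importantly, verified before the .p12 is copied to a server. The script below is an added example; it is not code from the original post, from the commenters, or from Apple. Because the Apple-issued certificate cannot be reproduced offline, `make_stand_in` builds a self-signed certificate and a Keychain-style .p12 export over a fresh key as a constructed stand-in; with a real Apple certificate you would skip that function and point `build_p12` at the downloaded files. The file names (aps_developer_identity.cer as Deep sees it, apn_developer_identity.p12 as the reply names the output) and the passwords are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the post, its comments, or Apple): convert an APNs
# certificate (DER .cer) and a Keychain-exported private key (.p12) into one
# PKCS#12 file, then verify the result. Names and passwords are assumptions.
set -eu

# Constructed stand-in for what you would really have: a self-signed DER
# certificate over a fresh 2048-bit RSA key, plus the Keychain-style .p12
# export of the identity protected by $2.
make_stand_in() {
  dir=$1; pass=$2
  mkdir -p "$dir"
  ( umask 077; openssl genrsa -out "$dir/key.pem" 2048 2>/dev/null )
  openssl req -new -x509 -key "$dir/key.pem" -days 1 \
    -subj "/CN=Apple Development IOS Push Services stand-in" \
    -out "$dir/stand_in.pem" 2>/dev/null
  openssl x509 -in "$dir/stand_in.pem" -outform DER -out "$dir/aps_developer_identity.cer"
  openssl pkcs12 -export -inkey "$dir/key.pem" -in "$dir/stand_in.pem" \
    -passout "pass:$pass" -out "$dir/private_dev_key.p12"
}

# The conversion itself: $2 is the Keychain export password, $3 the password
# for the new .p12 (the Windows provider will need it).
build_p12() {
  dir=$1; keypass=$2; outpass=$3
  # 1. DER certificate from Apple -> PEM
  openssl x509 -in "$dir/aps_developer_identity.cer" -inform DER \
    -out "$dir/aps_developer_identity.pem" -outform PEM
  # 2. Keychain .p12 -> PEM private key, still encrypted with keypass
  openssl pkcs12 -nocerts -in "$dir/private_dev_key.p12" -passin "pass:$keypass" \
    -out "$dir/private_dev_key.pem" -passout "pass:$keypass" 2>/dev/null
  # 3. Optional: strip the passphrase. Only do this where file permissions
  #    protect the key; umask 077 keeps the result private to this user.
  ( umask 077; openssl rsa -in "$dir/private_dev_key.pem" -passin "pass:$keypass" \
      -out "$dir/private_key_noenc.pem" 2>/dev/null )
  # 4. Certificate + key -> one PKCS#12. -certfile is for extra PEM
  #    certificates (e.g. the WWDR intermediate), never for the CSR.
  openssl pkcs12 -export -in "$dir/aps_developer_identity.pem" \
    -inkey "$dir/private_key_noenc.pem" -name "apn_developer_identity" \
    -passout "pass:$outpass" -out "$dir/apn_developer_identity.p12"
}

# Returns 0 only if the certificate ($1, PEM) was issued for the public key of
# the unencrypted private key ($2). A mismatch here is the usual cause of a
# .p12 that imports fine on Windows but is rejected by APNs at connect time.
cert_matches_key() {
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# Returns 0 only if the .p12 ($1) opens with password $2 and contains both a
# certificate and a private key (a key-only or cert-only bundle is useless).
p12_is_complete() {
  dump=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nodes 2>/dev/null) || return 1
  case "$dump" in *"BEGIN CERTIFICATE"*) ;; *) return 1 ;; esac
  case "$dump" in *"PRIVATE KEY"*) return 0 ;; *) return 1 ;; esac
}

demo() {
  d=$(mktemp -d)
  make_stand_in "$d" "keychain-pass"
  build_p12 "$d" "keychain-pass" "windows-pass"
  cert_matches_key "$d/aps_developer_identity.pem" "$d/private_key_noenc.pem" && echo "certificate matches key"
  p12_is_complete "$d/apn_developer_identity.p12" "windows-pass" && echo "apn_developer_identity.p12 complete"
  rm -rf "$d"
}

demo
```

Two practical notes. With OpenSSL 3.x, `openssl pkcs12 -export` defaults to AES-256 with PBKDF2, which older Windows certificate stores cannot import; add `-legacy` to that command if the import fails. And the .p12 produced in step 4 is the credential that lets anyone push to your users, so copy it to the notification server over an authenticated channel, delete the unencrypted private_key_noenc.pem afterwards, and never check either file into source control.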

  5. Hello! This post could not be written any better! Reading through this post reminds me of my old room mate!
    He always kept chatting about this. I will forward this article to him.
    Fairly certain he will have a good read. Many thanks for sharing!

  6. Is there a hard copy book similar to this article?
    Just want to see if I can read up much more on it.
    Any suggestions would be wonderful thank you! :)

  1. Pingback: Sending Apple Push Notifications in ASP.NET – part 1 « .:: Asp.net Dev days ::.
