APNs Certificate Update 2025

Problem Statement

Apple is updating its Apple Push Notification service (APNs) certificates for both sandbox and production environments. The new root certificate—USERTrust RSA Certification Authority—requires action to avoid push notification failures.

Announcement timelines:

  • Sandbox environment: Effective January 20, 2025
  • Production environment: Effective February 24, 2025

This affects all servers communicating with APNs, including those using token-based authentication. Your client applications (iOS/macOS apps) require no updates since Apple manages device trust stores.

Server-Side Solutions

Backend Action Required

Your server-side infrastructure sending push notifications to APNs must trust the new certificate. The implementation differs between self-managed servers and cloud-managed services.


For Self-Managed Servers

Follow these OS-specific steps to update trust stores:

CentOS/RHEL

  1. Place the PEM-formatted certificate in the anchors directory:
```bash
sudo cp USERTrust_RSA_Certificate.pem /etc/pki/ca-trust/source/anchors/
```
  2. Update the trust store:
```bash
sudo update-ca-trust
```

Debian/Ubuntu

  1. Place the PEM-formatted certificate in the certificates directory:
```bash
sudo cp USERTrust_RSA_Certificate.pem /usr/local/share/ca-certificates/
```
  2. Rebuild the CA database:
```bash
sudo update-ca-certificates
```

Verification Steps

Confirm installation with:

```bash
openssl verify /path/to/YOUR_CA_PEM_FILE.pem
```

Test APNs connectivity:

```bash
curl -v https://api.push.apple.com
```

Look for "SSL certificate verify ok" in the output.


For Managed Cloud Services

No action is required if you use:

  • AWS SNS
  • Firebase Cloud Messaging
  • Other cloud-based notification services

Providers automatically manage certificate updates. Example confirmation for AWS SNS:

"AWS manages certificates and trust stores—no direct action needed."
Source: AWS SNS Documentation


Additional Environments

For non-Linux systems or custom implementations:

  1. Identify your TLS library's trust store (Java, Node.js, Python, etc.)
  2. Add the USERTrust RSA Certificate according to library documentation

Critical Considerations

Deadlines

  • Sandbox endpoints break starting January 20, 2025
  • Production endpoints break starting February 24, 2025

Recommendations

  1. Test in sandbox after January 20
  2. Deploy production updates by Feb 17, 2025 (1-week buffer)
  3. Restart server processes after updates
  4. Monitor APNs error logs for certificate errors after deployment
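
For the monitoring step, and for the Java, Node.js and Python stacks named under Additional Environments, the following added example (not from the original page) counts trust-store failures against APNs hosts in application logs. The sandbox host name, the error strings matched, the `scan` function and the sample log lines are assumptions made for illustration.

```python
import re
from collections import Counter

# api.push.apple.com is the host from the page; the sandbox host name is an
# assumption about which development endpoint your provider connects to.
APNS_HOST = re.compile(r"\bapi\.(sandbox\.)?push\.apple\.com\b")

# Trust-failure strings commonly logged by each TLS stack when a root is
# missing. Order matters: Python's message also contains the OpenSSL text.
TRUST_ERRORS = [
    ("python", re.compile(r"CERTIFICATE_VERIFY_FAILED")),
    ("java", re.compile(r"PKIX path building failed")),
    ("node", re.compile(r"UNABLE_TO_GET_ISSUER_CERT_LOCALLY")),
    ("openssl", re.compile(r"unable to get local issuer certificate", re.I)),
]

def scan(lines):
    """Count APNs trust failures per (environment, TLS stack)."""
    hits = Counter()
    for line in lines:
        host = APNS_HOST.search(line)
        if not host:
            continue  # TLS errors for other hosts are not part of this rollout
        env = "sandbox" if host.group(1) else "production"
        for stack, pattern in TRUST_ERRORS:
            if pattern.search(line):
                hits[(env, stack)] += 1
                break  # first matching stack wins
    return hits

# Constructed sample log lines (not real APNs or application output).
SAMPLE_LOG = [
    "2025-01-21T09:14:02Z ERROR push-worker POST https://api.sandbox.push.apple.com/3/device/DEVICETOKEN failed: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate",
    "2025-01-21T09:14:05Z INFO push-worker POST https://api.sandbox.push.apple.com/3/device/DEVICETOKEN 200",
    "2025-01-21T09:15:40Z ERROR notifier javax.net.ssl.SSLHandshakeException: PKIX path building failed (host=api.push.apple.com)",
    "2025-01-21T09:16:11Z ERROR mailer smtp.example.com: certificate verify failed: unable to get local issuer certificate",
    "2025-01-21T09:17:30Z WARN push-worker api.push.apple.com returned 410 Unregistered",
]

if __name__ == "__main__":
    for (env, stack), n in sorted(scan(SAMPLE_LOG).items()):
        print(f"{env:<10} {stack:<8} {n}")
```

A non-zero sandbox count after the sandbox cutover, while production is still clean, points to a host whose trust store was missed before the production date.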

Summary of Required Actions

| Entity | Action Required? | Notes |
|---|---|---|
| iOS/macOS App | No | Device trust stores auto-update |
| Backend Server | Yes | Update trust store or confirm cloud provider support |
| Sandbox | Validate before Jan 20, 2025 | Test after implementation |
| Production | Deploy before Feb 24, 2025 | Allow buffer time |