Dev Solve

English

中文
日本語

English

中文
日本語

Appearance

Related Posts

Apple Push Notification Service Certificate Update: Action Required?

APNs Certificate Update 2025

Server Trust Store Update for Apple's New APNs Root Certificate

Enabling Developer Mode on iPhone or iPad

Resolving "Build Input File Cannot Be Found" Error in Xcode

APNs Server Certificate Update 2025: Firebase and Third-Party Provider Impact

Problem Statement

In 2025, Apple will update the Certification Authority (CA) for its Push Notification service (APNs) server certificates. This change affects how servers connect to Apple's push services. Developers using Firebase Cloud Messaging (FCM) with APNs certificates or authentication keys are concerned whether this requires:

  1. Updates to their Firebase projects
  2. Changes to APNs certificate/auth key configurations
  3. Server-side modifications to maintain push notification functionality

Solution Overview

ℹ️ Key Insight
Apple's certificate change only affects direct connections to APNs. If you use third-party providers like Firebase or AWS SNS, these services handle certificate updates on their infrastructure. For most developers, no action is required.

For Firebase (FCM) Users

No Action Required

If you send notifications through Firebase Cloud Messaging:

  • Firebase manages APNs connections and certificates
  • Google updates FCM servers automatically
  • This applies to all authentication methods, including:
    • APNs certificates
    • APNs authentication keys

Why This Works:

  1. FCM acts as an intermediary between your app and APNs
  2. Firebase's infrastructure handles certificate validation
  3. Your authentication credentials only authorize FCM→APNs communication

Firebase APNs Flow

🗣️ Firebase Team Confirmation:
"If you use FCM you are already good for this change. The changes are purely on servers sending directly to APNS, which if you are using FCM, you are not doing." (Source)

For Other Third-Party Services

ServiceAction RequiredDocumentation
AWS SNS❌ NoAWS Announcement
Courier❌ NoCourier Blog
Other Managed❌ NoVerify with your provider

For Direct APNs Connections

Action Required

Only if you operate your own server connecting directly to APNs (e.g., using node-apn or apns2 libraries):

  1. Update to the latest library versions
  2. Ensure your server trusts the new CA (USERTrust RSA)
  3. Verify connection after Apple's cutover date
bash
# Example Openssl verification command (run on your server post-update)
openssl s_client -connect api.push.apple.com:443 -showcerts

Critical Steps for Self-Hosted:

  1. Update root CA certificates on your server
  2. Test APNs connectivity using development environment
  3. Monitor Apple's Developer Forums for updates
Your ConfigurationRequired Action
Firebase + APNs Certificate/Key✅ None
Other Managed Providers✅ None
Custom APNs Server✅ Update Certificates
React Native/Flutter⚠️ None (if using FCM)

📆 Timeline: Apple will announce exact cutover dates through official channels. Bookmark:

Frequently Asked Questions

What if I use both direct APNs and Firebase?
Only your custom server components require updates. Firebase-connected components are unaffected.

Will older iOS versions be affected?
No, this change is server-side. Device compatibility remains unchanged.

How do I verify compliance?
Test notifications using:

bash
curl -v -d '{"aps":{"alert":"Test"}}' \
  -H "apns-topic: YOUR_BUNDLE_ID" \
  --http2 \
  --cert path/to/cert \
  https://api.push.apple.com/3/device/DEVICE_TOKEN

References

  1. Apple Developer Forums Announcement
  2. AWS SNS Documentation
  3. Courier Implementation Guide
  4. Firebase Cloud Messaging Documentation