Changes to the Apple Push Notification Service Certificate Authority

Jamf Pro Release Notes 11.14.0


Apple announced upcoming changes to the Apple Push Notification service (APNs) Certificate Authority (CA). Organizations using APNs will be required to update their application's trust store to include the new server certificate before 24 February 2025 to prevent communication disruption.

For cloud-hosted environments, the root certificate is already trusted and validated.

For on-premise environments, you may need to download and install the new SHA-2 Root USERTrust RSA Certification Authority certificate to your server's certificate trust store if it is not already trusted on your hosting infrastructure. For more information, see Sectigo's How to Download & Install Sectigo Intermediate Certificates - RSA documentation, which Apple's announcement references.

Apple has a test server available to allow organizations to send push certificates to verify the correct certificate installation. For more information, see this documentation from the Apple Developer website.

If you have an on-premise environment, Jamf recommends doing the following:

  1. Check your existing server certificates for sandbox and production environments. If the SHA-2 Root USERTrust RSA Certification Authority certificate is not part of your server's trust store, continue with the following steps.
    Note: One way to verify if you have the new certificate is to open Terminal and execute the following command, modifying -verifyCAfile to point to your trust store:

        openssl s_client -connect 17.188.143.34:443 -servername api.sandbox.push.apple.com -verifyCAfile USERTrustRSACertificationAuthority.crt -showcerts
  2. Download the new certificate.

  3. Install the new certificate.

  4. Validate your changes.
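
The check in step 1 and the validation in step 4 can be scripted by reading the "Verify return code" line that openssl s_client prints. The following is an added example, not Jamf or Apple code; the verdict names and the --live switch are assumptions, it connects by hostname rather than the IP address shown above, and api.push.apple.com (the production APNs host) does not appear on this page.

```shell
#!/bin/sh
# Added example, not Jamf or Apple code. The verdict names and the --live
# switch are assumptions made for this sketch.

# Print the last numeric "Verify return code" found in s_client output (stdin).
# s_client finishes the handshake even when chain verification fails, so this
# line, not the exit status, tells you whether the trust store validated.
verify_code() {
  sed -n 's/^[[:space:]]*Verify return code: \([0-9][0-9]*\).*/\1/p' | tail -n 1
}

# Map an OpenSSL verify code to a short verdict.
verdict() {
  case "$1" in
    0)          echo "trusted" ;;
    2|19|20|21) echo "root-missing" ;;  # issuer or root not in the trust store
    10)         echo "expired" ;;
    "")         echo "no-handshake" ;;  # no verify line: connection never completed
    *)          echo "failed($1)" ;;
  esac
}

# $1 = APNs host, $2 = PEM trust store, passed to -verifyCAfile as on the page.
check_apns() {
  openssl s_client -connect "$1:443" -servername "$1" \
    -verifyCAfile "$2" </dev/null 2>&1 | verify_code
}

# Constructed s_client output for a trust store that lacks the root.
SAMPLE_MISSING='CONNECTED(00000003)
---
Verification error: unable to get local issuer certificate
---
    Verify return code: 20 (unable to get local issuer certificate)'

if [ "${1:-}" = "--live" ]; then
  ca=${2:-USERTrustRSACertificationAuthority.crt}
  for host in api.sandbox.push.apple.com api.push.apple.com; do
    echo "$host: $(verdict "$(check_apns "$host" "$ca")")"
  done
else
  echo "sample: $(verdict "$(printf '%s\n' "$SAMPLE_MISSING" | verify_code)")"
fi
```

Run it with --live and the path to your PEM trust store before installing the certificate and again afterwards; both hosts should move from root-missing to trusted.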