If you’ve tried to create or update your iOS app key with a recent .p12 certificate file downloaded from Apple, you may have run into problems.

Update: Apple’s new .p12 format is now handled natively by the tooling. See this post for more details.

(Old information is preserved below for historical purposes)


On IBM Marketing Cloud Push Notifications (Xtify 3.x), you will see an error message: “APNs certificate mismatch: production environment does not match certificate: C=US, OU=(random OU), CN=Apple Development IOS Push Services: (your package ID), UID=(your package ID)” if you upload the new .p12 format. On IMC you will not be able to create or update your app key.

On Xtify 2.x it will appear that you have a valid certificate, but your pushes will not be delivered.

The reason for this is that as of April 27, 2016 Apple changed the format of the APNS certificates they issued. The new .p12 file they provide contains both production and development certificates.

IBM developers are working to update our certificate import code to accept the new format.

In the meantime, if your certificate is expiring and you need to update it, here’s how to extract the appropriate certificates from the new Apple certificate file.

1. Copy the new .p12 file that you downloaded from Apple to combined.p12 (or just rename it, or use the name you have already instead of combined.p12).

2. Export the combined certificates to a new .pem file using the command:
openssl pkcs12 -in combined.p12 -out combined.pem -nodes
You will be asked for the import password.

3. The combined.pem file has two certificates of interest:
friendlyName: Apple Push Services: (your package name). This is the production certificate.
friendlyName: Apple Development IOS Push Services: (your package name). This is the development certificate.

4. To build a production certificate file, copy combined.pem to production.pem. You will delete the development certificate from this file to leave only the production certificate. Edit production.pem using a text editor.

Search through production.pem to find the development certificate (which has the friendlyName: Apple Development IOS Push Services). Delete everything from the “Bag Attributes” line immediately above the development certificate down to the first “—–END CERTIFICATE—–” line after that. Save the file.

5. To build a development certificate file, copy combined.pem to development.pem. You will delete the production certificate from this file to leave only the development certificate. Edit development.pem using a text editor.

Search through development.pem to find the production certificate (which has the friendlyName: Apple Push Services). Delete everything from the “Bag Attributes” line immediately above the production certificate down to the first “—–END CERTIFICATE—–” line after that. Save the file.

6. You now have both a production.pem and a development.pem. Use them to build .p12 files for your certificates:
openssl pkcs12 -export -in production.pem -inkey production.pem -out production.p12
openssl pkcs12 -export -in development.pem -inkey development.pem -out development.p12
You will be asked to define export passwords when you do this. Remember these! You will need them to upload the .p12 to the server.

You can now upload the production.p12 file to an APNS production app key, and the development.p12 to an APNS development app key.

Note that existing certificates will continue to work; it’s only when you upload the new format .p12 that problems occur. If your certificates don’t expire for a while, you can wait until our developers resolve the issue and will not have to go through this process.

Join The Discussion

Your email address will not be published. Required fields are marked *