How Apple Push Certificates Work and Why Their Notification Service Matters

What Are Push Notifications?

APNs, or Apple Push Notification Service, is a an operating system notification service that delivers notifications to iOS devices. In order to securely send notifications through APNs, you’ll need an Apple Push Certificate among other requirements. Without configuring and registering with an operating system push notification service like Apple Push Notifications Service, your app would be unable to send notifications to iOS users. The Apple Push Notifications Certificate is a necessary element in the process of sending notifications to your users through APNs.

APNs came onto the scene with the iOS 3.0 in June of 2009. With this release, iOS pioneer Scott Forstall highlighted that push notification technology was a better alternative to pull technology, which uses background processes that more quickly drain a phone’s battery.

APNs later launched API support for local applications with Mac OS X 10.7 “Lion” i n 2012. Support for web notifications launched in 2013 with Mac OS X 10.9 “Mavericks.”

How Do They Work?

Before you can start blasting off push notifications to your users, you’ll need to get your app configured and registered with a push notification service. Each mobile app platform, such as iOS and Android, has its own OSPNS, or operating system push notification service, that developers can use to deliver push notifications.

Registering with an operating system’s push notification service allows you, the app publisher, to access the OSPNS API. This API provides a way for the app to communicate with the service. The app publisher then adds the push provider SDK to the app and then uploads the app to the app store. When users subscribe to push through the provider’s SDK, they are added as a subscribed device.

Understanding Apple’s Push Certificate and APNs

So how exactly is an Apple Push Certificate involved in the sending of notifications through APNs? Let’s start from the top.

Sending notifications through APNs involves both a device token and an Apple Push Notification Certificate. A device token is is a unique identifier for the device that is receiving the notification. iOS requests the device token from APNs, which is then passed to your app. After this, you must pass the device token back to APNs from your server. This serves both to identify the device you're sending notifications to and also to prove to APNs that you have permission to notify the device in question.

Here’s where the APNs certificate comes in. In addition to the device token, you’ll need this Apple Push Certificate in order to securely communicate with APNs. Public and private key encryption lets two devices to communicate with one another. In this instance, in order for your server to talk to APNs, you’ll need your own private key and APNs’s public key. These two keys are combined with additional information in what’s called a p12 file, otherwise known as the the Apple Push Notification Certificate, in order to send notifications with a third party tool like GCM.

Why It Is Important

So why is this p12 or Apple Push Certificate so important? It’s a critical part of the secure sending of notifications through APNs. Without this certificate, your app would be unable to send notifications to users. You need an APNs certificate, containing your private key and APNs’s public key, in order to securely communicate to the APNs.

When you send a notification, you’ll send data including  your message, badge count, and other associated information along with the device token. After the notification is delivered to APNs, Apple performs verification on the token.

Once Apple verifies the device token, APNs schedules the notification delivery.

How to Enable Them

To establish a certificate-based connection to APNs, you’ll need to install a certificate on your provider server, which you’ll get from Apple through your developer account.

Provider certificates allow you to send notifications to a single app. In order to send notifications to more than one app, you’ll need to create distinct certificates for each app and manage separate connections to APNs. Using token-based authentication is generally a better choice if you’re managing multiple apps.

Here’s how you can get a  provider certificate from Apple… You’ll obtain the certificate in the certificates section of your Apple developer account. Under “Certificates Identifiers, and Profiles,” you’ll select certificates and do the following:

1. Add new certificate
2. Choose Apple Push Notification service SSL for the type and hit Continue
3. Choose your app’s App ID, or Bundle ID, and then hit continue.
4. Create a Certificate Signing Request, or CSR, on your server and hit Continue
5. Upload the CSR file
6. Hit Continue and then download your certificate

As you create new provider certificates for different apps, you’ll associate each new certificate with the corresponding app ID’s. with  Each certificate must also be associated with a CSR, the private key used to encrypt the certificate. As we discussed, the certificate serves as a public key used to talk to APNs.

After you’ve created the certificate, you’ll need to install the certificate and private key on your provider server.

As you open a connection to the APNs server, the following steps occur:

1. A secure connection is requested using transport layer security, or TLS.
2. APNs then talks back by sending a certificate for the provider server to validate
3. After this certificate is validated, you must communicate back to APNs with by sending your provider server back to APNs, which establishes the connection we’ve been talking about.
4. Now the floodgates are open and you can send push notification requests to APNs.

Can You Renew or Deactivate a Certificate?

So when is it necessary renew a certificate?  It’s important to note that your Apple Push Certificate is only valid for a year at a time. Keep in mind that every year, you’ll need to renew your certificate using the same Apple ID you used to create the original certificate.

What about deactivating a certificate? You’ll want to revoke your Apple Push Certificate if you think the certificate or private key has been compromised. You can do so from your Apple Developer Account. Doing so places your certificate on APNs’s list of revoked certificates, which makes it impossible for your server to establish a TLS connection. Revoking the certificate effectively closes the connection between your server and APNs, so if you intend on reestablishing communication, you’ll need to configure a new provider certificate accordingly and redo the process we’ve outlined above.

Learn More With OneSignal

Are you interested in learning more about push notification services in general and how they work?

Apple isn’t the only platform that provides a push notification service.

Every mobile app platform has its own push notification service, that developers can use to deliver push notifications. There are several key differences in how push notifications work in Android vs. iOS operating systems. Learn more at the link below.