The following content is a brief and unofficial prerequisites guide to creating and renewing an Apple APNS certificate prior to deploying in a PoC, Pilot or Production environment by the author of this entry. The views, opinions and concepts expressed are those by the author of this entry only and do not necessary conform to industry descriptions or best practises.
Shortened Names
XENMOBILE – xm
XENMOBILE SERVER – xms
VIRTUAL APPLIANCE – v/a
NETSCALER GATEWAY – nsg
INTERNET INFORMATION SERVICES – iis
CERTIFICATE AUTHORITY – ca
APPLE PUSH NOTIFICATION SERVICE – apns
CERTIFICATE SERVICE REQUEST – csr
What is an Apple Push Notification service (APNs)Certificate and how does it work?
APNs certificates allow and enable for the safe, secure propagation of information/notifications to iOS and OS X devices with source of information/notifications originating from a XenMobile Server with a trusted and signed APNs certificate by Apple and Citrix. In this particular overview I am referring to MDM/Mobility vendor’s e.g Citrix, Airwatch by VMware, MobileIron etc.
APNs certificates allows any end-user to enroll his/her iOS device (iPhone, iPad) weather it be corporate or personally owned (BYO) against a XenMobile Server in order to obtain organisation specific configurations e.g Wi-Fi configurations and of course security leading best practise policies e.g the users PIN must be alphanumeric, 6 characters in length and must be changed once every 90 days to meet organisation password policy guidelines etc.
I wont attempt to explain how APNs certificates work technically I do understand it but I believe Apple’s documentation is simple very clear to understanding and provides a great overview of how APNS works and functions so please visit the following links – https://developer.apple.com/library/ios/documentation/NetworkingInternet/Conceptual/RemoteNotificationsPG/Chapters/ApplePushService.html#//apple_ref/doc/uid/TP40008194-CH100-SW9.
Creating and renewing an APNS Certificate with IIS (SuGgEsTeD for PoC Environments + Draft)
0: You will require a valid Citrix partner account to access your Citix My Account – http://www.citrix.com/account.html and you will require a valid Apple ID to login into the APNs Portal to complete your APNs signing request and for on-going APNs maintenance i.e. renewing, revoking your APNs certs. If you do not have a valid Apple ID you can create one at the following link – https://appleid.apple.com/cgi-bin/WebObjects/MyAppleId.woa/wa/createAppleId.
1: Prior to creating your APNs cert you should consider the following which is will your customers PoC ever move to a pilot or event to production? If it may then you/they should carefully consider exactly where you will generate your Certificate Signing Request (CSR) for your APNs certificate to be used with the XenMobile.
2: Open up IIS on your chosen Windows Server and click Server Certificates and select “Create Certificate Request” and enter in the following information when requested into the “Distinguished Name Properties” pop-up window which appears and once completed click next and on the “Cryptographic Service Provider Properties” window select the “Microsoft RSA SChannel Cryptographic Provider” from the Cryptographic service provider and the Bit length of”2048″ from the dropdown lists. Then save the CSR on your desktop providing it with a name e.g XM_APNS-CSR.txt
IIS Request | Your Response |
Common Name | e.g myMDM-for-xm-anps.axendatacentre.com |
Organization | |
Organizational Unit | |
City/locality | |
State/province | |
Country/region |
3: Next navigate to https://xenmobiletools.citrix.com/ from the IIS Windows server that you generated this XenMobile APNs CSR from and sign-in with your Citrix partner access details.
4: Upload your CSR as described on-screen at https://xenmobiletools.citrix.com/ which then return a *.plist file to download (Save it).
5: Next navigate to Apple’s Push Certificates Portal at – https://identity.apple.com/pushcert/ and login with your Apple ID. Next click “Create a Certificate” and upload your *.plist file that you downloaded from the XenMobile Tools portal as per step 4 above where instructed following the on-screen instructions. It will then prompt you to download a *.pem file ignore the filename e.g MDM_Zenprise.pem.
6: Import the *.pem file from the download APNs portal from step 5 above into IIS using the complete a CSR response and specific a friendly name (use the same common name you specified in step 2 above. Optionalif your cert import fails the be sure to import Apples intermediate and root certificates from – http://www.apple.com/certificateauthority/ and repeat the import process once more. Also check out – http://support.apple.com/kb/ht5012 entitled “Lists of available trusted root certificates in iOS” for further help & guidance.
7: Export the imported APNs certificate via IIS and specify the path to save the cert which will be in *.pfx format and also specific a strong password to protect your APNs cert and finally note to self DO NOT FORGET the password.
8: When prompted during the XMS Admin WebUI configuration post completing the XMS CLI setup, follow the below import process in table format.
Import | Keystore |
Keystore Type | PKCS #12 |
Use as | APNs |
Keystore file | The path to your completed XM APNs cert which will be in *.pfx |
Password | The password you typed in at step 7 above |
Creating and renewing an APNS Certificate with NetScaler (SuGgEsTeD + Draft)
Coming soon…