Push Certificates

To work with the Apple APNS service, which is responsible for push notifications and profile submission to enrolled iOS devices, M-Way Solutions needs a signed MDM Push Certificate. To obtain this certificate from the Apple Push Certificates Portal, follow the steps described in the following section.

MDM Push Certificates are valid for 365 days and need to be renewed before they expire.

Creating new MDM Push Certificates

You need an RSA private key, which will be used to generate a CSR (certificate signing request) and later to sign the MDM messages you send. Use this private key only for this purpose, and make sure that the key and the corresponding passphrase are backed up. If you do not already have a key you want to use, you can create a new one with the following OpenSSL command in your console:

$ openssl genrsa -des3 -out customerPrivateKey.pem 2048

You will be asked for the passphrase during the process.

To create a CSR (certificate signing request) based on your private key, please also use OpenSSL tooling. You can create the CSR with the following command:

$ openssl req -new -key customerPrivateKey.pem -out customer.csr

Here, customerPrivateKey.pem is the private key you want to use. You will be asked for the passphrase during the process.

Now you need to send the CSR to M-Way Solutions via our helpdesk. M-Way Solutions will then sign the CSR to enable Relution to send MDM pushes.

You will receive a .plist_encoded or .relution file which can be uploaded to the Apple Push Certificates Portal (https://identity.apple.com/pushcert/ – you need an Apple ID). After uploading the file to the portal you can download the created MDM push certificate.

With the certificate, the private key used to generate the CSR, and the passphrase, you can create the .p12 file which Relution needs. You can use the following OpenSSL command to create it:

$ openssl pkcs12 -export -out newKeystore.p12 \
    -inkey myPrivateKey.pem -in myCertFromApple.pem

After creating the file you can upload it to Relution under Settings > Organization > Certificates > Push certificate for MDM.

Renewing MDM Push Certificates

As stated before, MDM Push Certificates need to be renewed regularly because they are only valid for 365 days. If you do not renew the certificate before it expires, or if you revoke it, you need to create a new certificate and it will be necessary to re-enroll all devices. To renew your MDM Push Certificate, follow roughly the same steps as when creating a new certificate.

To create a CSR (certificate signing request) based on your private key, please use OpenSSL tooling. You can create the CSR with the following command:

$ openssl req -new -key customerPrivateKey.pem -out customer.csr

Here, customerPrivateKey.pem is the private key you want to use. You should use the same private key you used when creating the certificate. You will be asked for the passphrase during the process.

Now you need to send the CSR to M-Way Solutions via our helpdesk. M-Way Solutions will then sign the CSR to enable Relution to send MDM pushes.

You will receive a .plist_encoded or .relution file which can be uploaded to the Apple Push Certificates Portal (https://identity.apple.com/pushcert/) by selecting Renew on the old certificate. Important: You have to use the same Apple ID which was used to create the certificate. It is recommended to download and back up the old certificate beforehand.

After uploading the file to the portal you can download the renewed MDM push certificate.

With the certificate, the private key used to generate the CSR, and the passphrase, you can create the .p12 file which Relution needs. You can use the following OpenSSL command to create it:

$ openssl pkcs12 -export -out newKeystore.p12 \
      -inkey myPrivateKey.pem -in myCertFromApple.pem

After creating the file you can upload it to Relution under Settings > Organization > Certificates > Push certificate for MDM.
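
Before building the .p12 in either procedure above (new certificate or renewal), it is worth confirming that the certificate downloaded from Apple belongs to the private key you are about to bundle and that it is not close to expiry. The following script is an added example, not part of the Relution documentation; the function names, the KEY_PASS variable and the 30-day window are assumptions.

```shell
#!/bin/sh
# Added example: checks to run before "openssl pkcs12 -export".
# Function names, the KEY_PASS variable and the 30-day window are assumptions.

# Exit 0 only if the certificate's public key equals the public key
# derived from the private key. Exit 2 if either file cannot be read
# (wrong passphrase, not PEM, missing file).
cert_matches_key() {    # $1 = cert PEM, $2 = key PEM, $3 = passphrase source
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -passin "$3" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Exit 0 if the certificate is still valid $2 days from now.
cert_valid_for_days() { # $1 = cert PEM, $2 = days
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Run both checks; non-zero means do not build or upload the .p12 yet.
preflight() {           # $1 = cert, $2 = key, $3 = passphrase source, $4 = days
    cert_matches_key "$1" "$2" "$3" || {
        echo "FAIL: $1 does not match $2 (or a file/passphrase was unreadable)" >&2
        return 1; }
    cert_valid_for_days "$1" "$4" || {
        echo "FAIL: $1 expires within $4 days, renew it first" >&2
        return 1; }
    echo "OK: key matches, $(openssl x509 -in "$1" -noout -enddate)"
}

# Usage with the file names from this page. env:KEY_PASS keeps the
# passphrase off the command line and out of the process list:
#   export KEY_PASS        # set beforehand, e.g. from a password manager
#   preflight myCertFromApple.pem myPrivateKey.pem env:KEY_PASS 30
```

A mismatch here usually means the CSR was generated from a different key than the one being bundled, which is the situation the renewal steps warn about when they ask you to reuse the original private key.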