How to create an Apple certificate for a website
Create a Website Push ID
This is done via the Apple Developer Centre. In this example, we'll use the data for the www.acmewidgets.com site. Apple requires a Website Push ID to begin with "web." and recommends the reverse-DNS form of the site's hostname after it; since this site is hosted on www.acmewidgets.com, we give it the Website Push ID web.com.acmewidgets.www.
Prepare a Private Key
In order to generate a certificate, you need access to a private key. Good practice is to generate one and then use it for all certificate requests; bear in mind that whoever holds that one key and its passphrase can use every certificate issued against it, so store it carefully and keep it off shared machines. The key must be protected with a passphrase, and you must communicate that passphrase to Mobify over a secure channel (not plain email) so that the push notification system can use your key. A key can be generated with the openssl tool on macOS and most Unix-based systems, or from Keychain on macOS.
When Keychain exports a key, it saves a .p12 file. To convert that to the PEM (text) format that is used for all keys and certificates in the push notification system, run the following (add -nocerts if the .p12 also contains certificates that you don't want in the key file):
openssl pkcs12 -in my_private_key.p12 -out my_private_key.pem
You will be prompted for the .p12 import password and then for a new passphrase that protects the PEM key; do not leave the second one empty.
Generate a Certificate
To avoid confusion, we recommend you base the name of the certificate file on the Website Push ID; in this example, web.com.acmewidgets.www (the extra dots in the file name don't matter).
By default, Apple's Keychain generates a new keypair for every certificate request. To re-use a specific private key, use openssl to generate the request. Note that the certificate request file (.csr) is named after the Website Push ID, so that it's easier to keep track of which files belong together:
openssl req -new -key my_private_key.pem -out web.com.acmewidgets.www.csr
Enter the passphrase for the private key when prompted. The openssl command will then prompt you for a number of fields. Here are examples of the responses that we provide at Mobify; modify them to represent your organization. Note that the Common Name is the Website Push ID.
Country Name (2 letter code) [AU]:CA
State or Province Name (full name) [Some-State]:British Columbia
Locality Name (eg, city) []:Vancouver
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Mobify
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:web.com.acmewidgets.www
Email Address []:benlast@acmewidgets.com
Leave the 'extra' attributes (the challenge password and the optional company name) blank.
The result is a .csr (certificate request) file. Use this on the Apple Developer site to create a Website Push ID Certificate (there are several types of certificate; be careful to choose the correct one). When prompted for the Website Push ID, enter the same one that was created above; for this example, web.com.acmewidgets.www.
Upload the .csr file, and then download the generated certificate (a .cer file). We recommend that you use the same name as for the .csr, for example web.com.acmewidgets.www.cer; you will need to rename the downloaded file.
At this point you have a certificate file in DER format. For the push notification system, it must be converted to PEM format with openssl:
openssl x509 -inform DER -in web.com.acmewidgets.www.cer -outform PEM -out web.com.acmewidgets.www.pem
Before storing it, check that the certificate you downloaded really belongs to the private key you made the request with (it is easy to pick the wrong .cer from the list on the developer site): the public key inside the certificate must be identical to the public half of your key, and the subject's Common Name must be your Website Push ID. The resulting PEM file should be stored in the custom files area for the site.
How to create an Apple certificate for app (native) push
The steps up to and including generating the certificate request are the same as for a web push certificate, but:
- When creating the certificate request (CSR file), the Common Name you enter is what Apple use to name the resulting certificate in the full list of certificates on their website, so we recommend you add 'native push' to make it clearer what the certificate is for.
- You can create a single 'universal' certificate, which Apple describe as 'Apple Push Notification service SSL Certificate (Sandbox & Production)', rather than separate production and sandbox app push certificates.
Our recommended practice is to base the app certificate file names on the App ID, not the Website Push ID.
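The whole procedure above, from the passphrase-protected key through the CSR, the DER-to-PEM conversion and the final check that certificate and key belong together, as an added script that is not part of this page, of Mobify's tooling or of anything Apple ships. It covers both the website push case and the native push variant (Common Name labelled 'native push', files named after the App ID). It assumes openssl (1.1 or 3.x, or LibreSSL) is on PATH; the push id, the App ID com.acmewidgets.app and the subject fields are illustrative; and because the real .cer can only come from the Apple Developer site, a self-signed certificate written in DER form stands in for Apple's so the script runs offline.

```shell
#!/bin/sh
# Added example, not Mobify's or Apple's own tooling: key -> CSR -> DER cert
# -> PEM, then a check that the PEM certificate and the private key match.
# Assumptions: openssl on PATH; push id, App ID and subject are illustrative;
# a self-signed DER certificate stands in for the one Apple would return.
set -eu

WORK="${WORK:-$(mktemp -d)}"
KEY="$WORK/my_private_key.pem"

# The passphrase is read through openssl's env: source rather than typed on
# the command line, where `ps` would show it. The default is a placeholder so
# the demo runs; replace it (or export KEY_PASS) for real use.
: "${KEY_PASS:=example-only-replace-me}"
export KEY_PASS

# Step 1: one passphrase-protected RSA key, reused for every certificate request.
gen_key() {
    umask 077                                    # key file readable by its owner only
    openssl genrsa -aes256 -passout env:KEY_PASS -out "$KEY" 2048 2>/dev/null
    grep -q ENCRYPTED "$KEY"                     # refuse to go on with a plaintext key
}

# Step 2: a CSR whose Common Name is the Website Push ID (or, for native push,
# a label such as "native push <App ID>"). The file is named after $1.
make_csr() {                                     # $1 = file base name, $2 = Common Name
    openssl req -new -key "$KEY" -passin env:KEY_PASS \
        -subj "/C=CA/ST=British Columbia/L=Vancouver/O=Mobify/CN=$2" \
        -out "$WORK/$1.csr"
}

# Step 3 (stand-in): Apple signs the CSR and returns a DER .cer. Offline, the
# CSR is self-signed into DER form so the rest of the flow can be exercised.
fake_apple_cer() {                               # $1 = file base name
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$KEY" -passin env:KEY_PASS \
        -days 365 -outform DER -out "$WORK/$1.cer" 2>/dev/null
}

# Step 4: DER -> PEM, the same conversion the text shows.
der_to_pem() {                                   # $1 = file base name
    openssl x509 -inform DER -in "$WORK/$1.cer" -outform PEM -out "$WORK/$1.pem"
}

# Check: the SubjectPublicKeyInfo inside the certificate must equal the public
# half of the private key, and the subject CN must be the one requested. A
# failure means the wrong .cer was downloaded or the wrong key was used.
verify_pair() {                                  # $1 = file base name, $2 = expected CN
    cert_pub=$(openssl x509 -in "$WORK/$1.pem" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$KEY" -passin env:KEY_PASS -pubout | openssl sha256)
    [ "$cert_pub" = "$key_pub" ] || return 1
    openssl x509 -in "$WORK/$1.pem" -noout -subject | grep -q "CN *= *$2" || return 1
}

# One certificate end to end: file base name, then the Common Name for the CSR.
make_cert() {
    make_csr "$1" "$2" && fake_apple_cer "$1" && der_to_pem "$1" && verify_pair "$1" "$2"
}

if command -v openssl >/dev/null 2>&1; then
    gen_key
    # Website push: the files and the CN are both the Website Push ID.
    make_cert web.com.acmewidgets.www web.com.acmewidgets.www
    # Native app push: files named after the (illustrative) App ID, CN labelled.
    make_cert com.acmewidgets.app "native push com.acmewidgets.app"
    echo "key and certificates written to $WORK"
else
    echo "openssl not found on PATH; nothing generated" >&2
fi
```

With a real Apple certificate, skip fake_apple_cer: drop the downloaded .cer into $WORK under the chosen base name and run der_to_pem followed by verify_pair. The CN check is deliberately strict, so a certificate issued for one push id will not verify under another name even though it was signed with the same key.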