How to create an Apple certificate for a website

Create a Website Push ID

This is done via the Apple developer centre. In this example, we'll use the data for the www.acmewidgets.com site. Since this is hosted on www.acmewidgets.com, we give it the Website Push ID web.com.acmewidgets.www.

Prepare a Private Key

In order to generate a certificate, you need access to a private key. Good practice is to generate one, and then use it for all certificates. You key must be protected with a passphrase, and you must securely communicate that passphrase to Mobify so that the push notification system can use your key. Generating a key can be done using the openssl tool on macOS and most Unix-based systems, or from Keychain on macOS).

When Keychain exports a key, it saves a .p12 file. To convert that to the PEM (text) format that is used for all keys and certificates in the push notification system:

openssl pkcs12 -in my_private_key.p12 -out my_private_key.pem

Generate a Certificate

To avoid confusion, we recommend you base the name of the certificate file on the website push id. In this example, web.com.acmewidgets.www (the extra dots in the name don't matter).

By default, Apple's Keychain generates a new keypair for every certificate request. To re-use a specific private key key, use openssl to generate the request. Note that the certificate request file (.csr) is named the same way as the Website Push ID, so that it's easier to keep track of which files belong together:

openssl req -new -key my_private_key.pem -out web.com.acmewidgets.www.csr

Enter the passphrase for the private key when prompted. The openssl command will prompt you for a whole number of fields. Here are examples of the responses that we provide at Mobify. You should modify them to represent your organization. Note that the Common Name is the Website Push ID.

Country Name (2 letter code) [AU]:CA
State or Province Name (full name) [Some-State]:British Columbia
Locality Name (eg, city) []:Vancouver
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Mobify
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:web.com.acmewidgets.www
Email Address []:benlast@acmewidgets.com

Leave the 'extra' attributes blank.

The result is a .csr (certificate request) file. Use this on the Apple Developer site to create a Website Push ID Certificate (there are several types of certificate; be careful to choose the correct one).

When prompted for the Website Push ID, enter the same one that was created above; for this example, web.com.acmewidgets.www. Upload the csr file, and then download the generated certificate (a .cer file). We recommend that you use the same certificate name as used for the .csr, for example web.com.acmewidgets.www.cer. You will need to rename the downloaded file.

At this point you have a certificate file in DER format. For the push notification system, it must be converted to PEM format with openssl: openssl x509 -inform DER -in web.com.acmewidgets.www.cer -outform PEM -out web.com.acmewidgets.www.pem

The resulting PEM file should be stored in the custom files area for the site.

How to create an Apple certificate for app (native) push

The steps up to and including generating the certificate request are the same as for a web push certificate, but:

  1. When creating the certificate request (CSR file), the Common Name you enter is what Apple use to name the resulting certificate in the full list of certificates on their website, so we recommend you add 'native push' to make it clearer what the certificate is for.

  2. You can create a single 'universal' certificate, which Apple describe as 'Apple Push Notification service SSL Certificate (Sandbox & Production)' rather than separate production and sandbox app push certificates.

Our recommended practice is to base the app certificate file names on the App ID, not the website push id.