APNs certificates 编辑

To enroll and manage Apple devices in Endpoint Management, you set up an Apple Push Notification service (APNs) certificate from Apple. The certificate enables mobile device management through the Apple Push Network.

Workflow summary:

Step 1: Create a Certificate Signing Request (CSR) through any of these methods:

• Create a CSR by using Keychain Access on macOS (recommended by Citrix)
• Create a CSR by using Microsoft IIS
• Create a CSR by using OpenSSL

Step 2: Sign the CSR in Endpoint Management Tools

Step 3: Submit the signed CSR to Apple to obtain the APNs certificate

Step 4: Using the same computer used for Step 1, Complete the CSR and export a PKCS #12 file:

• Create a PKCS #12 file by using Keychain Access on macOS
• Create a PKCS #12 file by using Microsoft IIS
• Create a PKCS #12 file by using OpenSSL

Step 5: Import an APNs certificate into Endpoint Management

Step 6: Renew an APNs certificate

Create a Certificate Signing Request

We recommend that you create a CSR by using Keychain Access on macOS. You can also create a CSR by using Microsoft IIS or OpenSSL.

Important:

• For the Apple ID used to create the certificate:
  • The Apple ID must be a corporate ID and not a personal ID.
  • Record the Apple ID that you use to create the certificate.
  • To renew your certificate, use the same organization name and Apple ID. Using a different Apple ID to renew the certificate require device re-enrollment.

• If you accidentally or intentionally revoke the certificate, you lose the ability to manage your devices.

• If you used the iOS Developer Enterprise Program to create a mobile device manager push certificate: Be sure to handle any actions for the migrated certificates in the Apple Push Certificates Portal.

Create a CSR by using Keychain Access on macOS

1. On a computer running macOS, under Applications > Utilities, start the Keychain Access app.
2. Open the Keychain Access menu and then click Certificate Assistant > Request a Certificate From a Certificate Authority.
3. The Certificate Assistant prompts you to enter the following information:
   • Email Address: Email address of the individual or role account who manages the certificate.
   • Common Name: Common name of the individual or a role account who manages the certificate.
   • CA Email Address: Email address of the Certificate Authority.
4. Select the Saved to disk and Let me specify key pair information options and then click Continue.
5. Enter a name for the CSR file, save the file on your computer, and then click Save.
6. Specify the key pair information: Select the Key Size of 2048 bits and the RSA algorithm and then click Continue. The CSR file is ready for you to upload as part of the APNs certificate process.
7. Click Done when the Certificate Assistant completes the CSR process.
8. To continue, Sign the CSR.

Create a CSR by using Microsoft IIS

The first step for generating an APNs certificate request is to create a Certificate Signing Request (CSR). For Windows, generate a CSR by using Microsoft IIS.

1. Open Microsoft IIS.
2. Double-click the Server Certificates icon for IIS.
3. In the Server Certificates window, click Create Certificate Request.
4. Type the appropriate Distinguished Name (DN) information. For example, you can type the fully qualified domain name (FQDN) of your Endpoint Management server, such as www.domain.com. Then click Next.
5. Select Microsoft RSA SChannel Cryptographic Provider for the Cryptographic Service Provider and 2048 for bit length and then click Next.
6. Enter a file name and specify a location to save the CSR and then click Finish.
7. To continue, Sign the CSR.

Create a CSR by using OpenSSL

If you can’t use a macOS device or Microsoft IIS to generate a CSR, use OpenSSL. You can download and install OpenSSL from the OpenSSL website.

1. On the computer where you install OpenSSL, run the following command from a command prompt or shell.

   openssl req -new -keyout Customer.key.pem –out CompanyAPNScertificate.csr -newkey rsa:2048

2. The following message for certificate naming information appears. Enter the information as requested.

   You are about to be asked to enter information that will be incorporated into your certificate request.
   What you are about to enter is what is called a Distinguished Name or a DN.
   There are quite a few fields but you can leave some blank
   For some fields there will be a default value,
   If you enter '.', the field will be left blank.
   -----
   Country Name (2 letter code) [AU]:US
   State or Province Name (full name) [Some-State]:CA
   Locality Name (eg, city) []:RWC
   Organization Name (eg, company) [Internet Widgits Pty Ltd]:Customer
   Organizational Unit Name (eg, section) [:Marketing
   Common Name (eg, YOUR name) []:John Doe
   Email Address []:john.doe@customer.com
   <!--NeedCopy-->