Certificate

Generating OpenSSL-based self-signed certificate

Certificate generation was tested on Linux OS.

Most Linux deployments have the OpenSSL package installed.

Checking OpenSSL Version

You can check the installed version with either of the two commands below (rpm is available only on RPM-based distributions).

$ rpm -qa openssl 
$ openssl version

Private Key Generation

Enter the command below and set a password when prompted; the private key is generated protected by that password.

$ openssl genrsa -des3 -out xpush.key 2048

After you enter the command, OpenSSL prompts for the password and then asks for it again to verify it.

Certificate Request Generation

A certificate request is required to apply for a certificate.

$ openssl req -new -key xpush.key -out xpush.csr

Specify the name of the certificate request file and enter the command; you will be asked for the private key password. After entering the password, enter the additional information that is requested.

Do not enter the additional attribute information; press Enter twice to generate the certificate request.

Private Key Password Removal and Certificate Generation

If the key is password-protected, the web server may keep asking for the password when the key is set on it, so it is recommended to remove the private key password and then generate the certificate.

$ cp xpush.key xpush.key.origin 
$ openssl rsa -in xpush.key.origin -out xpush.key

When you enter the password of xpush.key.origin, a private key with the password removed is generated.

The .crt certificate is generated from the private key file xpush.key and the certificate request xpush.csr.

$ openssl x509 -req -days 365 -in xpush.csr -signkey xpush.key -out xpush.crt
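The steps above as one non-interactive script, followed by checks on the result (the certificate belongs to the key, the signature algorithm and key size are acceptable); this is an added example, not part of the X-PUSH documentation. It creates the key without a password directly, which is the state the password-removal step ends in, so it writes the files under umask 077 and passes -sha256 explicitly. The subject /CN=xpush.example.test and the function names are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the X-PUSH documentation. File names follow the page;
# the subject /CN=xpush.example.test and all function names are assumptions.

# Create xpush.key, xpush.csr and xpush.crt in directory $1.
make_selfsigned() {
    local dir="$1" subj="${2:-/CN=xpush.example.test}"
    (
        umask 077   # key has no password: keep it readable by the owner only
        cd "$dir" || exit 1
        openssl genrsa -out xpush.key 2048 2>/dev/null &&
        openssl req -new -key xpush.key -subj "$subj" -out xpush.csr &&
        openssl x509 -req -sha256 -days 365 -in xpush.csr \
            -signkey xpush.key -out xpush.crt 2>/dev/null
    )
}

# Succeed only if certificate $1 carries the public key of private key $2.
cert_matches_key() {
    local crt_pub key_pub
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# Print "<signature algorithm> <RSA key bits>" for PEM certificate $1.
cert_params() {
    openssl x509 -in "$1" -noout -text | awk '
        /Signature Algorithm:/ && !alg { alg = $3 }
        /Public-Key:/ { gsub(/[^0-9]/, ""); bits = $0 }
        END { print alg, bits }'
}

# Reject MD2/MD5/SHA-1 signatures and RSA keys shorter than 2048 bits.
params_acceptable() {
    case "$1" in md2*|md5*|sha1*) return 1 ;; esac
    [ "${2:-0}" -ge 2048 ]
}

# Demo: run the whole flow in a scratch directory and report the result.
demo() {
    local d; d=$(mktemp -d) || return 1
    make_selfsigned "$d" && cert_matches_key "$d/xpush.crt" "$d/xpush.key" &&
        params_acceptable $(cert_params "$d/xpush.crt") &&
        echo "OK: $(cert_params "$d/xpush.crt")"
    rm -rf "$d"
}
demo
```

To run the same checks on a certificate held in a keystore, export it first with keytool -exportcert -rfc and pass the resulting PEM file to cert_params.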

The .crt file can be converted to other certificate formats, such as jks, pem, and pkcs files.

The X-PUSH server supports encrypted communication with clients, and the SSL protocol can be used by configuring the Certificate Service with a jks file.

JKS Certificate File Generation

You can generate a .jks certificate file with the command below.

$ keytool -genkey -v -keystore xpush.jks -alias server_private -keyalg RSA -sigalg SHA256withRSA -keysize 2048 -validity 365

After entering the command, enter the password and the certificate information.

Converting PKCS12 file to JKS format

When sending notifications to APNs from JDK 1.7 or higher, an SSL-related error may occur or an InvalidToken error code may be received from APNs. This can be solved by converting the APNs certificate file from PKCS12 format to JKS format.

The APNs certificate file can be converted using the keytool included in the JDK; keytool is located in the bin directory of the path where the JDK is installed.

The command below converts the APNs-Certificates.p12 file to the APNs-Certificates.jks file using keytool.

$ keytool -importkeystore -destkeystore APNs-Certificates.jks \
                           -srckeystore APNs-Certificates.p12 -srcstoretype PKCS12

When entering the command, it will ask for the password as shown below.

Enter destination keystore password:
Re-enter new password:
Enter source keystore password:

Generate the certificate by entering, in order, the password for the JKS format certificate to be created, the same password again, and the password of the original PKCS12 format certificate.

The figure below shows an example of converting APNs-Certificates.p12 file to APNs-Certificates.jks file using the keytool.

[Figure: Converting PKCS12 format to JKS format using keytool]

Set the converted JKS format certificate as follows.
Change the KeystoreType item to JKS to match the certificate format.
<service name="ApnsNotifierService" ... >
	...
	<attribute name="KeystorePath">conf/APNs-Certificates.jks</attribute>
	<attribute name="KeystorePassword">xpush</attribute>
	<attribute name="KeystoreType">JKS</attribute>
	<attribute name="production">false</attribute>
	<attribute name="badge">true</attribute>
	<attribute name="retries">3</attribute>
	...
</service>

Generating APNS Certificate

Accessing Apple Developer Center

1. Access Apple Developer Center (developer.apple.com) and select the Account menu to log in.

2. Enter your account and log in.

3. Select Certificates, IDs & Profiles to move to the certificate management screen.

Generating Certificate

1. Select the plus (+) button at the top right of the screen to start generating a certificate.

2. Select a certificate type for development (Sandbox) or development/operation (Sandbox & Production).

3. Select the App ID of the certificate to be generated.

4. Request to generate a CSR file.

Generating CSR (Certificate Request)

1. Keychain Access – Certificate Assistant – Request a certificate from a certificate authority

   The certificate request must be generated for each app. For example, if you use one certificate request for both APP1 and APP2, you will receive push notifications in the same app.

2. Upload the generated csr file.

   Certificate generation is completed.

Exporting APNS Certificate in .p12 Format

[Screenshots: 04-export-p12-02-export-with-prv-key, 04-export-p12-03-sav-p12, 04-export-p12-04-set-passwd]

Converting PKCS12 file to JKS format

Renewing APNS Certificate

When the APNS certificate expires, the certificate must be renewed. Renewal consists of discarding the existing certificate and generating a new one.

Before renewing the APNS certificate, the CSR file must be generated separately for each certificate.

Even if you use the renewed certificate for the X-PUSH server, you may not be able to receive the push notification if the certificate set in the client app is also expired.

Revoking the certificate

Perform the steps in Generating APNS Certificate in the same way.