Generating APNs certificate

To obtain a push certificate from Apple, complete these steps:


  1. Create CSR Request: In the command-line interface on a Linux server, run the following command to create a CSR for the push certificate using the openssl tool:
    openssl req -newkey rsa:2048 -nodes -keyout <PUSHCERTNAME>_temp.key -out <PUSHCERTNAME>.csr -subj "/C=US/CN=<HOSTNAME>/emailAddress=<EMAILADDRESS>"
    Note:
    • Replace <PUSHCERTNAME> with a name of your choice. The -nodes option writes the temporary key unencrypted; it is encrypted in the next step.
    • <EMAILADDRESS> must be unique to your organization and is for reference purposes only. It becomes part of the certificate subject and could be used by Apple in future to contact the administrative contact for the push certificate. It is recommended to use the email address of the Apple ID that you will sign in with in the certificate creation step below.
    • <HOSTNAME> must be the internally accessible Fully Qualified Domain Name (FQDN) of the server hosting MDM services. This value records the internal FQDN that the WebUI and the MDM plugins use to connect to the MDM server.
      Important: This internal FQDN should not be reachable on port 8443 from the network in which Apple devices enroll to MCM.
  2. Encrypt APNs private key: Run the following command to encrypt the private key. The command is the same on RHEL 8 and RHEL 9:

    openssl rsa -des3 -in <PUSHCERTNAME>_temp.key -out <PUSHCERTNAME>.key

    Enter a pass phrase of your choice when prompted, then enter it again to verify it. The -des3 option encrypts the key with triple DES; OpenSSL also accepts -aes256 here if your installer does not require the triple-DES format. Once <PUSHCERTNAME>.key has been written, remove <PUSHCERTNAME>_temp.key so that the unencrypted key does not remain on disk.
    Important:
    • Save and securely store the generated <PUSHCERTNAME>.csr and <PUSHCERTNAME>.key files together with the private key pass phrase. These files are needed for:
      • Installing the Apple MDM Server (which uses the encrypted key).
      • Subsequent renewals of the push certificate (the same CSR is resubmitted).

        Note that the TLS key used for the MDM server installation is handled differently: it must be decrypted before it is uploaded.

    • Apple push certificates have a one-year lifetime. The WebUI Modern Client Management dashboard notifies the WebUI user when certificates are nearing expiry. Each year, before expiry, you must Renew APNs certificate and update the Apple MDM service; do not create a brand-new certificate, otherwise all enrolled devices will be orphaned.
  3. Request CSR signatures: Send the CSR file to BFAppleCSR@hcl.com.

    Important: Include your HCL Customer ID or BigFix server serial number in the body of the email. This is necessary to authorize the request and validate entitlement to MCM or BigFix Mobile.
    An HCL-signed version of the CSR file, plus additional instructions from BFAppleCSR@hcl.com will be returned to the sender’s email address within one business day. Follow the instructions in that email to obtain the required file through your Apple Developer account.
  4. Generate the Push Certificate
    1. Log in to the Apple Push Certificates Portal using your Apple ID and click Create a Certificate.
    2. Upload the HCL-signed version of the CSR file to obtain a provider certificate from Apple.
    3. Download the push certificate (.pem).
    4. Save the push certificate at a safe location.

      You will need to supply this push certificate, and the associated private key and passphrase when you install the Apple MDM Server.
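
The following script is an added example, not HCL's code or part of the original page. It runs steps 1 and 2 non-interactively (the pass phrase is supplied with -passout instead of the prompt) and adds the checks a practitioner wants before installing or renewing: that the saved key really is encrypted, that the stored CSR still matches the encrypted key (the CSR is reused at renewal, so a mismatch means the wrong key was kept), and whether a push certificate expires within a given number of days. The hostname, email address, pass phrase and the self-signed certificate that stands in for the Apple-issued push certificate are all constructed for the demo; a real deployment would point the expiry check at the .pem downloaded from the Apple Push Certificates Portal.

```shell
#!/bin/sh
# Added example (not HCL's code): CSR + key encryption from the procedure
# above, plus the pre-install / pre-renewal checks. All names, the
# pass phrase and the stand-in certificate are constructed for the demo.
set -eu

# Step 1: CSR plus an unencrypted temporary key (-nodes), as on the page.
make_csr() {  # $1 PUSHCERTNAME  $2 HOSTNAME (internal FQDN)  $3 EMAILADDRESS
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$1_temp.key" -out "$1.csr" \
    -subj "/C=US/CN=$2/emailAddress=$3" 2>/dev/null
}

# Step 2: encrypt the key under a pass phrase (-passout replaces the prompt),
# then remove the plaintext temporary key so it does not linger on disk.
encrypt_key() {  # $1 PUSHCERTNAME  $2 pass phrase
  openssl rsa -des3 -in "$1_temp.key" -out "$1.key" -passout "pass:$2" 2>/dev/null
  rm -f "$1_temp.key"
}

# Sanity check: the saved key is encrypted (its PEM header says ENCRYPTED).
key_is_encrypted() {  # $1 key file
  grep -q 'ENCRYPTED' "$1"
}

# Renewal check: the CSR you are about to resend must belong to the stored
# key. Compares the public key embedded in the CSR with the one derived from
# the encrypted key; a wrong pass phrase or a foreign key returns 1.
csr_matches_key() {  # $1 csr  $2 encrypted key  $3 pass phrase
  csr_pub=$(openssl req -in "$1" -noout -pubkey) || return 1
  key_pub=$(openssl pkey -in "$2" -passin "pass:$3" -pubout 2>/dev/null) || return 1
  [ "$csr_pub" = "$key_pub" ]
}

# Expiry check: returns 0 if the certificate expires within $2 days, else 1.
# openssl x509 -checkend exits 0 only if the cert is still valid after N seconds.
expires_within_days() {  # $1 cert.pem  $2 days
  if openssl x509 -in "$1" -noout -checkend $(($2 * 86400)) >/dev/null; then
    return 1
  fi
  return 0
}

main() {
  work=$(mktemp -d)
  cd "$work"
  make_csr pushcert mdm.example.internal mdmadmin@example.com   # constructed values
  encrypt_key pushcert 'demo-passphrase'                          # constructed pass phrase
  key_is_encrypted pushcert.key && echo "pushcert.key is encrypted"
  csr_matches_key pushcert.csr pushcert.key 'demo-passphrase' \
    && echo "pushcert.csr matches pushcert.key"
  # Stand-in for the Apple-issued push certificate: self-signed with the
  # same one-year lifetime, so the expiry check has something to examine.
  openssl req -new -x509 -key pushcert.key -passin pass:demo-passphrase \
    -days 365 -subj "/CN=stand-in push cert" -out pushcert.pem 2>/dev/null
  if expires_within_days pushcert.pem 30; then
    echo "renew now: pushcert.pem expires within 30 days"
  else
    echo "pushcert.pem is valid for more than 30 days"
  fi
  echo "files left in $work"
}

if command -v openssl >/dev/null 2>&1; then
  main
else
  echo "openssl not found; nothing run" >&2
fi
```

Run it from a shell on the MDM host; the 30-day threshold in expires_within_days is a reasonable cron-style check to pair with the dashboard warning, and csr_matches_key is worth running against the stored CSR and key before every renewal.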