Generating PEM certificates

To register an iOS client on Boxcar Push Service, you need to provide Apple push certificates for both the development and production versions.

APNS push credentials are passed to Boxcar console as a passwordless PEM file containing both the private key and the certificate.

Generating certificate from scratch

If you are generating certificates from scratch, you can use the Boxcar Console wizard directly to generate a valid .pem file, without having to rely on Apple Keychain.

The resulting certificate can be used directly by Boxcar console. You can still download it for backup if you want.

Converting p12 certificate from Apple Keychain to PEM

If you already have a private key and certificate generated with Apple Keychain, you will need to convert them. Apple Keychain generates files in P12 format.

Follow the Apple documentation, which you can find under Creating a Universal Push Notification Client SSL Certificate. This will allow you to export a .p12 file from Apple Keychain (without a password).

This section then explains how to generate a PEM file that you can upload to your iOS client application configuration.

Here are the commands to convert an Apple certificate into a certificate usable by the push module:

  1. Export your certificate and private key from the OS X Keychain. We assume in the next step that the exported file is named aps_developer_identity_cert.p12.

  2. Convert certificate and private key from p12 to PEM format with openssl:

    openssl pkcs12 -clcerts -nokeys -out aps_developer_identity_cert.pem -in aps_developer_identity_cert.p12
    openssl pkcs12 -nocerts -out aps_developer_identity.pem -in aps_developer_identity_cert.p12
    
  3. Remove encryption password:

    openssl rsa -in aps_developer_identity.pem -out aps_developer_identity_key.pem
    
  4. Combine pem certificate and key into a single file:

    cat aps_developer_identity_cert.pem aps_developer_identity_key.pem > apd.pem
    

You have to do this once for the development certificate and once for the production certificate.

The sandbox [1] and production passwordless .pem certificates can then be uploaded to Boxcar Push Service.

Checking the certificate

Checking validity

The certificate can be checked from the command line. The output should end with Verify return code: 21 (unable to verify the first certificate), which means the certificate is accepted by the server.

The following command tests the developer push certificate against the push sandbox:

    openssl s_client -connect gateway.sandbox.push.apple.com:2195 -cert ./apd.pem

Alternatively, you can check your production certificate against the production push service:

    openssl s_client -connect gateway.push.apple.com:2195 -cert ./app.pem

Checking expiration date

To check the expiration date, the following command can be used:

    openssl x509 -noout -in apd.pem -enddate
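
The checks above cover the TLS handshake and the end date only. As an added example (not part of the Boxcar documentation), the script below checks offline that a combined file such as apd.pem contains a certificate and an unencrypted private key, that the key belongs to the certificate, and that the certificate has not expired. The function names are illustrative assumptions.

```shell
#!/bin/sh
# Added example: sanity-check a combined PEM (certificate + key) before upload.
# Function names are illustrative; apd.pem is the file name used on this page.

# Structure check with grep only: certificate present, key present, key not encrypted.
pem_structure_ok() {
    pem=$1
    grep -q -- '-----BEGIN CERTIFICATE-----' "$pem" ||
        { echo "no certificate block" >&2; return 1; }
    # Encrypted keys appear as PKCS#8 "ENCRYPTED PRIVATE KEY" or as a
    # traditional key carrying a "Proc-Type: 4,ENCRYPTED" header.
    if grep -Eq -- 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$pem"; then
        echo "private key is still password-protected" >&2; return 2
    fi
    grep -Eq -- '-----BEGIN (RSA )?PRIVATE KEY-----' "$pem" ||
        { echo "no private key block" >&2; return 3; }
}

# Key/certificate pairing: both must yield the same public key.
pem_key_matches_cert() {
    pem=$1
    cert_pub=$(openssl x509 -in "$pem" -noout -pubkey) || return 4
    key_pub=$(openssl pkey -in "$pem" -pubout) || return 4
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "private key does not belong to certificate" >&2; return 5; }
}

check_push_pem() {
    pem=$1
    pem_structure_ok "$pem" || return $?
    pem_key_matches_cert "$pem" || return $?
    # -checkend 0 fails when the certificate has already expired.
    openssl x509 -in "$pem" -noout -checkend 0 >/dev/null ||
        { echo "certificate has expired" >&2; return 6; }
    # The file holds an unencrypted private key: keep it owner-readable only.
    chmod 600 "$pem"
    echo "$pem: OK"
}

# Usage: sh check_push_pem.sh apd.pem
if [ $# -gt 0 ]; then check_push_pem "$1"; fi
```
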
  1. Sandbox is for “development” mode. You use it for applications uploaded to your device directly from Xcode.