Renew APNS Certificates

It's important that you renew Apple Push Notification (APNS) certificates in a timely manner; once an APNS certificate expires, you can't send commands to currently-enrolled devices, and new devices can't enroll. To reduce the likelihood of a certificate expiring, Okta:

  • Exposes the certificate expiration date when you first create the certificate.
  • Sends you an email notification 30 days, then 7 days, before expiration.
  • Adds an error icon to the Apple Certificate Setup button on the Mobile Policy page when the certificate is within 30 days of expiration.

It's not possible to overwrite an existing certificate in Okta, so you don't need to worry about accidentally renewing the wrong certificate. However, you can avoid the hassle of reloading the same certificate by carefully following the instructions below.

APNS certificates expire after one year. To renew your certificate, first download a new Certificate Signing Request (CSR) from Okta, as follows:

  1. In the Admin Console, go to OMM > OMM Policies.
  2. Click Apple Certificate Setup.

    Note that a green check box on the Apple Certificate Setup button indicates that a push certificate has already been configured, while a red exclamation point indicates the configured certificate has either expired or is close to expiring.

    The Apple Certificate Setup dialog appears:

    User-added image

    Note that step 2 on this screen displays information (highlighted in yellow, above) about your current APNS certificate, expired or not. Use this information to identify the certificate in the portal that you want to renew.

  3. Click Download to obtain your Certificate Signing Request (okta-apns-CSR.dat) from Okta.

  4. Navigate to the Apple Push Certificates Portal, here: https://identity.apple.com/pushcert/ (your Apple ID is required to log into this portal).

  5. Locate the certificate that has expired or is expiring, and click Renew.

    You can click the information (i) icon to view information about each certificate. Use this information to compare your certificates.

  6. Click Choose File, then navigate to the CSR file you previously downloaded for Apple to sign (okta-apns-CSR.dat), then click Upload.

    User-added image

    Once the request has been successfully uploaded, a confirmation screen is displayed:

    User-added image

  7. Click Download on the confirmation screen.

  8. Return to the Apple Certificate Setup dialog box in Okta. In the Upload Apple Push Certificate section, click Browse to locate the renewed APNS certificate that was just downloaded, then click Upload to complete the process.
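
A check you can run between steps 7 and 8, before uploading: the script below is an added example, not part of Okta's instructions or tooling. It compares the certificate downloaded from Apple with a saved copy of the one it replaces and classifies expiry using the same 30-day and 7-day windows as Okta's reminders. It assumes `openssl` is installed, that both files are PEM encoded, and that you kept the previous certificate file; it relies on APNS certificates carrying their push topic in the subject UID field, and the script and file names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not Okta's code). Assumes openssl is installed and that both
# certificates are PEM files; the file names passed in are hypothetical.

# Print the push topic, which APNS certificates carry in the subject UID field.
cert_topic() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null |
    sed 's/^subject= *//' | tr ',' '\n' | sed -n 's/^UID=//p'
}

# Classify expiry using the 30-day and 7-day windows from Okta's reminders.
expiry_state() {
  local cert=$1 day=86400
  if ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
    echo unreadable
  elif ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
    echo expired
  elif ! openssl x509 -in "$cert" -noout -checkend $((7 * day)) >/dev/null; then
    echo within-7-days
  elif ! openssl x509 -in "$cert" -noout -checkend $((30 * day)) >/dev/null; then
    echo within-30-days
  else
    echo ok
  fi
}

# Succeed only if NEW renews OLD (same topic) and NEW is outside the 30-day window.
check_renewal() {
  local old=$1 new=$2 old_topic new_topic state
  old_topic=$(cert_topic "$old")
  new_topic=$(cert_topic "$new")
  if [ -z "$old_topic" ] || [ "$old_topic" != "$new_topic" ]; then
    echo "MISMATCH: current topic '$old_topic', downloaded topic '$new_topic'"
    return 1
  fi
  state=$(expiry_state "$new")
  if [ "$state" != ok ]; then
    echo "NOT RENEWED: downloaded certificate is $state"
    return 1
  fi
  echo "OK: topic $new_topic; certificate being replaced is $(expiry_state "$old")"
}

# Usage: ./check-apns-renewal.sh current.pem renewed.pem
if [ "$#" -eq 2 ]; then
  check_renewal "$1" "$2"
fi
```

A MISMATCH result means the downloaded file belongs to a different certificate in the Apple portal than the one configured in Okta, so return to step 5 and pick the matching entry.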