Organization Certificates

Introduction

In order to work with the Apple APNS service, which is responsible for push notifications and submitting profiles to enrolled Apple devices, Relution requires a signed MDM push certificate.

Relution ships working certificates by default. If you use these default certificates, they are updated automatically whenever you update Relution.

If the certificates have expired, the enrolled Apple devices cannot be managed until the certificates are renewed.

Create your own MDM push certificate

To obtain this certificate from the Apple Push Certificates portal, follow the steps described below.

A private RSA key is needed to create a CSR (Certificate Signing Request) and later to sign the MDM messages one will send. This private key should be used only for this purpose, and both the key and its passphrase must be stored in a secure location.

If one does not already have a key that should be used, a new key can be generated in the console with the following OpenSSL command:

$ openssl genrsa -des3 -out customerPrivateKey.pem 2048

Where customerPrivateKey.pem is the file in which the new private key is written. During the process, one will be asked to choose a passphrase.
A CSR created from this key (the OpenSSL command is shown in the section "Update your own MDM push certificate" below) then has to be sent to Relution via our helpdesk. Relution will then sign the CSR so that Relution can send MDM pushes.

You will receive a .plist_encoded or .relution file that needs to be uploaded to the Apple Push Certificates portal (an Apple ID is needed for this). After uploading the file to the portal, one can download the MDM push certificate that was created.

With the certificate, the private key that was used to create the CSR, and the passphrase, one can create the .p12 file that Relution requires. The following OpenSSL command can be used to create the required .p12 file:

$ openssl pkcs12 -export -out newKeystore.p12 \
    -inkey myPrivateKey.pem -in myCertFromApple.pem

Afterwards, one can upload the certificate in Relution under Settings > Organization Certificates.
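The whole chain of this section (private key, CSR, .p12 bundle), run non-interactively with OpenSSL, as an added example that is not part of the Relution documentation. It assumes openssl on PATH; the passphrases are constructed samples handed over with -passin/-passout so nothing prompts, and the "certificate from Apple" is a self-signed stand-in so the script runs offline. In the real flow the CSR goes to the Relution helpdesk and the certificate is downloaded from the Apple Push Certificates portal. The documentation's `-des3` is replaced by `-aes256`, which current OpenSSL supports with the same workflow.

```sh
#!/bin/sh
# Added example (not from the Relution docs): key -> CSR -> .p12 with OpenSSL.
# Assumes openssl on PATH. Passphrases are constructed samples; the "Apple"
# certificate is a self-signed stand-in so this runs offline.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"        # scratch directory (assumption)
KEY_PASS="${KEY_PASS:-changeit-key}"       # constructed sample passphrase
P12_PASS="${P12_PASS:-changeit-p12}"       # constructed sample passphrase

KEY="$WORKDIR/customerPrivateKey.pem"
CSR="$WORKDIR/customer.csr"
CERT="$WORKDIR/myCertFromApple.pem"        # stand-in for the portal download
P12="$WORKDIR/newKeystore.p12"

# Step 1: passphrase-protected 2048-bit RSA key (the doc uses -des3;
# -aes256 is the current-cipher equivalent).
make_private_key() {
    openssl genrsa -aes256 -passout "pass:$KEY_PASS" -out "$KEY" 2048 2>/dev/null
}

# Step 2: CSR from that key. -subj and -batch replace the interactive prompts.
make_csr() {
    openssl req -new -batch -key "$KEY" -passin "pass:$KEY_PASS" \
        -subj "/CN=example-mdm-push/O=Example Org" -out "$CSR"
}

# Return 0 if the CSR's self-signature verifies (the first thing a signer checks).
csr_is_valid() {
    openssl req -in "$CSR" -noout -verify 2>&1 | grep -qi 'verify ok'
}

# Constructed stand-in for the certificate the Apple portal returns:
# self-signed with the same key so the rest of the chain is realistic.
make_stand_in_certificate() {
    openssl req -x509 -new -batch -key "$KEY" -passin "pass:$KEY_PASS" \
        -subj "/CN=example-mdm-push/O=Example Org" -days 365 -out "$CERT" 2>/dev/null
}

# Step 3: bundle certificate + private key into the .p12 that Relution imports.
make_p12() {
    openssl pkcs12 -export -out "$P12" -inkey "$KEY" -passin "pass:$KEY_PASS" \
        -in "$CERT" -passout "pass:$P12_PASS"
}

# Read the certificate subject back out of the .p12 to confirm the bundle opens.
p12_cert_subject() {
    openssl pkcs12 -in "$P12" -passin "pass:$P12_PASS" -nokeys 2>/dev/null \
        | openssl x509 -noout -subject
}

make_private_key
make_csr
csr_is_valid
make_stand_in_certificate
make_p12
p12_cert_subject
```

The .p12 passphrase is what Relution asks for when the keystore is uploaded under Settings > Organization Certificates; keep it and the key passphrase together with the key in the secure location mentioned above.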

Update your own MDM push certificate

As mentioned earlier, MDM push certificates need to be renewed regularly as they are only valid for 365 days. If the certificate is not renewed before it expires or is revoked, a new certificate has to be created.

To renew the MDM push certificate, one needs to follow roughly the same steps as creating a new certificate.

To create a CSR (Certificate Signing Request) based on the private key, it is recommended to use OpenSSL. The CSR can be created with the following command:

$ openssl req -new -key customerPrivateKey.pem -out customer.csr

Where customerPrivateKey.pem is the private key that should be used. During the process, one will be asked for the passphrase.
Now, the CSR has to be sent to Relution via our helpdesk. Relution will then sign the CSR so that Relution can send MDM pushes.

One will then receive a .plist_encoded or .relution file that needs to be uploaded to the Apple Push Certificates portal by selecting the "Renew" option on the old certificate. It is recommended to download and back up the old certificate beforehand.

After uploading the file to the portal, one can download the renewed MDM push certificate.

With the certificate, the private key that was used to create the CSR, and the passphrase, one can create the .p12 file that Relution needs. The following OpenSSL command can be used to create the required .p12 file:

$ openssl pkcs12 -export -out newKeystore.p12 \
    -inkey myPrivateKey.pem -in myCertFromApple.pem

Afterwards, the certificate can be uploaded in Relution under Settings > Organization Certificates.
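Before starting the renewal above, a practitioner wants three checks: how close the current certificate is to its expiry, that the private key on hand is still the one the certificate was issued for (otherwise the renewal CSR produces a certificate that cannot pair with the .p12 key), and a dated backup of the old certificate as the section recommends. The following script, an added example that is not part of the Relution documentation, does those checks with OpenSSL. It assumes openssl on PATH and PEM files; the certificates and keys are self-signed stand-ins generated inline so it runs offline, and the passphrase is a constructed sample.

```sh
#!/bin/sh
# Added example (not from the Relution docs): pre-renewal checks for an MDM
# push certificate. Assumes openssl on PATH. The certificates and keys are
# constructed self-signed stand-ins so the script runs offline.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"        # scratch directory (assumption)
KEY_PASS="${KEY_PASS:-changeit-key}"       # constructed sample passphrase

# Return 0 (true) if CERT expires within DAYS days, 1 otherwise.
# openssl -checkend exits 0 while the certificate is still valid at that time.
needs_renewal() {
    cert="$1"; days="$2"
    if openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null; then
        return 1    # valid beyond the window
    else
        return 0    # expires within the window: renew now
    fi
}

# Return 0 if the public key in CERT equals the public key derived from the
# passphrase-protected private KEY, i.e. this is the key the CSR must come from.
key_matches_cert() {
    cert="$1"; key="$2"
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -passin "pass:$KEY_PASS" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# Keep a dated copy of the old certificate before renewing; prints the copy's path.
backup_cert() {
    cert="$1"
    copy="$cert.$(date +%Y%m%d).bak"
    cp "$cert" "$copy"
    printf '%s\n' "$copy"
}

# --- constructed stand-ins (real files come from the Apple portal) ---
make_stand_in() {
    key="$1"; cert="$2"; days="$3"
    openssl genrsa -aes256 -passout "pass:$KEY_PASS" -out "$key" 2048 2>/dev/null
    openssl req -x509 -new -batch -key "$key" -passin "pass:$KEY_PASS" \
        -subj "/CN=stand-in-mdm-push" -days "$days" -out "$cert" 2>/dev/null
}

make_stand_in "$WORKDIR/customerPrivateKey.pem" "$WORKDIR/current.pem" 365
make_stand_in "$WORKDIR/otherKey.pem"           "$WORKDIR/expiring.pem" 5

# Report on the current certificate.
if needs_renewal "$WORKDIR/current.pem" 30; then
    echo "current.pem: expires within 30 days, renew now"
else
    echo "current.pem: valid beyond 30 days"
fi
if key_matches_cert "$WORKDIR/current.pem" "$WORKDIR/customerPrivateKey.pem"; then
    echo "customerPrivateKey.pem matches current.pem"
fi
if ! key_matches_cert "$WORKDIR/current.pem" "$WORKDIR/otherKey.pem"; then
    echo "otherKey.pem does NOT match current.pem (wrong key for the renewal CSR)"
fi
backup_cert "$WORKDIR/current.pem"
```

Run against the real files by pointing the checks at the certificate downloaded from the portal and the customerPrivateKey.pem used for the original CSR; a key mismatch means the renewal should be started from the key that is actually in the current .p12, not from a newly generated one.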