Organization Certificates
Introduction
In order to work with the Apple APNS service, which is responsible for push notifications and submitting profiles to enrolled Apple devices, Relution requires a signed MDM push certificate.
Relution ships working certificates by default. As long as you use these default certificates, they are updated automatically whenever you update Relution.
If the certificates have expired, you will not be able to manage the Apple devices until they are renewed.
Create your own MDM push certificate
To obtain this certificate from the Apple Push Certificates portal, you need to follow the steps described in the following section.
You will need a private RSA key that will be used to create a CSR (Certificate Signing Request) and later to sign the MDM messages you send. You should use this private key only for this purpose and ensure that it and the associated passphrase are stored in a secure location.
If you don’t already have a key that you want to use, you can generate a new key in your console using the following command via OpenSSL:
$ openssl genrsa -des3 -out customerPrivateKey.pem 2048
Where customerPrivateKey.pem is the private key you want to use. During the process you will be asked for the passphrase.
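Now create the CSR from this key (the openssl req command is shown under "Update your own MDM push certificate" below) and send it to Relution via our helpdesk. Relution will then sign the CSR so that Relution can send MDM pushes.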
You will receive a .plist_encoded or .relution file that needs to be uploaded to the Apple Push Certificates portal (you will need an Apple ID for this). After uploading the file to the portal, you can download the MDM push certificate you created.
With the certificate, your private key that was used to create the CSR, and the passphrase, you can create the .p12 file that Relution requires. You can use the following OpenSSL command to create the required .p12 file.
$ openssl pkcs12 -export -out newKeystore.p12 -inkey myPrivateKey.pem -in myCertFromApple.pem
Afterwards you can upload the certificate in Relution under Settings > Organization Certificates.
Update your own MDM push certificate
As mentioned earlier, MDM push certificates need to be renewed regularly as they are only valid for 365 days. If you do not renew the certificate before it expires, or if you revoke it, you will need to create a new certificate.
To renew your MDM push certificate, you need to follow roughly the same steps as creating a new certificate.
To create a CSR (Certificate Signing Request) based on your private key, use OpenSSL. You can create the CSR using the following command:
$ openssl req -new -key customerPrivateKey.pem -out customer.csr
Where customerPrivateKey.pem is the private key you want to use. During the process you will be asked for the passphrase.
Now you have to send the CSR to Relution via our helpdesk. Relution will then sign the CSR so that Relution can send MDM pushes.
You will receive a .plist_encoded or .relution file that needs to be uploaded to the Apple Push Certificates portal by selecting the "Renew the old certificate" option. It is recommended to download and back up the old certificate beforehand.
After uploading the file to the portal, you can download the renewed MDM push certificate.
With the certificate, your private key that was used to create the CSR, and the passphrase, you can create the .p12 file that Relution needs. You can use the following OpenSSL command to create the required .p12 file.
$ openssl pkcs12 -export -out newKeystore.p12 -inkey myPrivateKey.pem -in myCertFromApple.pem
Afterwards the certificate can be uploaded in Relution under Settings > Organization Certificates.
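A pre-flight check for the .p12 step in both the create and renew procedures, as an added example that is not part of the Relution documentation: it confirms that the certificate downloaded from Apple belongs to the private key used for the CSR and has not expired, and only then exports the keystore. The function names are hypothetical, and passing passphrases as OpenSSL env: or file: sources is a choice of this example.

```shell
#!/bin/sh
# Added example (not from the Relution documentation). File names are the
# page's placeholders; function names are hypothetical. Passphrases are given
# as OpenSSL sources such as env:VAR or file:PATH, so they stay off the
# command line and out of the process list.

# key_matches_cert KEY CERT PASSIN
# Returns 0 only if CERT carries the public key derived from KEY.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -passin "$3" -pubout 2>/dev/null) || return 2
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# cert_valid_for_days CERT DAYS
# Returns 0 if CERT will not have expired DAYS days from now (0 = today).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# build_keystore KEY CERT OUT PASSIN PASSOUT
# Refuses to export when the pair does not match or the certificate expired.
build_keystore() {
    if ! key_matches_cert "$1" "$2" "$4"; then
        echo "error: $2 was not issued for $1 (or the passphrase is wrong)" >&2
        return 1
    fi
    if ! cert_valid_for_days "$2" 0; then
        echo "error: $2 has already expired" >&2
        return 1
    fi
    cert_valid_for_days "$2" 30 || echo "warning: $2 expires within 30 days" >&2
    openssl pkcs12 -export -out "$3" -inkey "$1" -in "$2" -passin "$4" -passout "$5"
}

# Example call, with both passphrases exported in the environment first:
#   sh check_p12.sh customerPrivateKey.pem myCertFromApple.pem \
#      newKeystore.p12 env:KEY_PASS env:P12_PASS
if [ "$#" -eq 5 ]; then
    build_keystore "$@"
fi
```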