Hi @awaisfayyaz17.apple, you're quite welcome.
I was able to get detailed help from Apple as to what to do regarding the new vs. old root CAs. I'm sharing and hoping that you may find it useful.
If you are using a third-party service to send push notifications, it is their responsibility to update their CAs. Therefore, contact them to ensure a seamless transition. The rest of this post is for developers who maintain a backend server which communicates directly with Apple's APNS servers via HTTP/2.
The GeoTrust Global CA is currently being used by api.push.apple.com:443. This is indirect, via the intermediary certificate Apple IST CA 2 - G1, which is authorized via the GeoTrust Global CA. The site certificate is then authorized via the intermediate Apple certificate. My mistake was not looking all the way up the certificate path to the root, and if I caused any confusion in my earlier posts, I apologize.
Regardless of where your server's trust store is located, you must make sure that A) it's the one used by your server app and B) it contains both the GeoTrust Global CA and the derived intermediary Apple IST CA 2 - G1 certificate. In my case we are using curl and passing a file which contains the root certificate and its intermediary Apple IST CA 2 - G1.
In my case, we were using curl with a default where, if it could not authenticate the certificate chain of api.push.apple.com, it would continue anyway. This was being treated as a warning and not an error, making us potentially susceptible to MITM attacks, as well as other issues in the future.
This is easily testable since Apple is currently using that certificate chain until March 29th. Note that api.push.apple.com, api.development.apple.com and api.sandbox.push.apple.com are all using the same certificate chain.
As for the new AAACertificateServices Root CA, if you're using a Mac OS X machine to send APNS payloads to Apple, you most likely already have it in your keychain. Still, you should verify it. If it's a Linux or Windows box, you should verify that it's in the trust store being used by your server app to send the APN payload. Keep in mind that although your server has a default trust store, your app may not be using it and may be using a file or some other certificate repository. You need to verify which certificate trust store is being used by your server.
When you go to the Sectigo web site (the URL is in the Apple announcement as well as in the email sent to you by Apple) to obtain the AAACertificateServices, you'll notice that there are 3 certificates:
AAACertificateServices 5/12/2020
UserTrustRAAAACA 5/12/2020
COMODORSAAAACA 5/12/2020
The first is the root CA certificate; the last 2 are CA certificates authorized via #1. I assume that they are intermediary certificates, so I grabbed those as well. I placed all 3 in the same trust store as the GeoTrust Global root CA and its intermediary Apple certificate.
Now here is the issue. I cannot test the new root CA until Apple makes the switch to it. Furthermore, if the new site certificate for api.push.apple.com is derived from any of the 3 certificates, then everything will work fine after March 29th.
However, if Apple creates a new Apple intermediary certificate derived from any of those 3 and then has the site certificate authorized by this new Apple intermediary certificate, Apple must share this certificate or the certificate chain will not be validated correctly by your software. I am really hoping that Apple is authorizing the site certificate with the AAACertificateServices root CA, and then everything will work. (It'll also work if Apple does it using the last 2 certificates as well.)
Thanks
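A worked example added by the editor (not code from the post above, and not from Apple or Sectigo) for the point the post keeps returning to: which trust store your sender actually consults, and what it has to contain for the server's chain to validate. The script builds a throwaway chain with the same shape as the one described (root CA, an intermediate signed by it, and a server certificate signed by the intermediate), plus a second root that has signed nothing yet, standing in for a new root CA before the switch-over. It then runs `openssl verify` against several candidate trust stores. All certificate names and the hostname api.push.example.test are made up for the demo; it assumes an OpenSSL command-line tool (1.1.1 or later) on PATH. The `-untrusted` case goes slightly beyond the post: it models the intermediate arriving in the TLS handshake rather than from the trust file, which is the other way a chain can complete.

```shell
#!/bin/sh
# Editor's example, not from the original post. Throwaway chain:
#   root CA  ->  intermediate CA  ->  server (leaf) certificate
# plus a "new" root that has signed nothing yet. Names are made up.
# Assumes an openssl CLI (1.1.1+) on PATH.
set -e
WORK="${WORK:-$(mktemp -d)}"

# mkcsr STEM CN: key + CSR for one certificate (P-256 keys, fast to generate).
mkcsr() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/CN=$2" 2>/dev/null
}

gen_ca_chain() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:api.push.example.test\n' > "$WORK/leaf.ext"
  # Two self-signed roots: the one in use today ("root") and one nothing chains to yet ("newroot").
  for r in root newroot; do
    mkcsr "$r" "Example $r CA"
    openssl x509 -req -in "$WORK/$r.csr" -signkey "$WORK/$r.key" -days 30 \
      -extfile "$WORK/ca.ext" -out "$WORK/$r.pem" 2>/dev/null
  done
  # Intermediate signed by the old root (the Apple IST CA 2 - G1 position in the post).
  mkcsr inter "Example Intermediate CA"
  openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 30 -extfile "$WORK/ca.ext" -out "$WORK/inter.pem" 2>/dev/null
  # Server certificate signed by the intermediate (the api.push.apple.com position).
  mkcsr leaf "api.push.example.test"
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
    -CAcreateserial -days 30 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null
  # The file the post recommends handing to curl: root and intermediate together.
  cat "$WORK/root.pem" "$WORK/inter.pem" > "$WORK/bundle.pem"
}

# verify_with TRUSTFILE [UNTRUSTED]: exit 0 iff leaf.pem chains to something in TRUSTFILE.
# UNTRUSTED plays the role of certificates the server sends in the handshake:
# usable to build the path, but not a trust anchor by itself.
verify_with() {
  if [ -n "$2" ]; then
    openssl verify -CAfile "$WORK/$1" -untrusted "$WORK/$2" "$WORK/leaf.pem" >/dev/null 2>&1
  else
    openssl verify -CAfile "$WORK/$1" "$WORK/leaf.pem" >/dev/null 2>&1
  fi
}

# Live check against a real endpoint (needs network, so not run here): print the
# subject and issuer of every certificate the server presents, so you can follow
# the path all the way up to the root instead of stopping at the intermediate.
show_live_chain() {
  host="${1:-api.push.apple.com:443}"
  openssl s_client -connect "$host" -servername "${host%%:*}" -showcerts </dev/null 2>/dev/null \
    | grep -E '^ *[0-9]* *[si]:'
}

gen_ca_chain
for case in "bundle.pem" "root.pem" "root.pem inter.pem" "newroot.pem" "newroot.pem inter.pem"; do
  # $case is deliberately unquoted so "root.pem inter.pem" splits into two arguments.
  if verify_with $case; then echo "OK   trust=$case"; else echo "FAIL trust=$case"; fi
done
# Expected: OK for bundle.pem, and for root.pem when inter.pem is supplied as
# untrusted; FAIL for root.pem alone (issuer of the leaf is missing) and for
# newroot.pem in either form (nothing chains to it until the switch happens).
```

For curl, `--cacert "$WORK/bundle.pem"` pins the trust file for that one request, which is the "A) it's the one used by your app" check made explicit; `-k` / `--insecure` on the command line, or an `insecure` line in `~/.curlrc`, is what turns a failed chain into the silent "continue anyway" behaviour the post warns about, so grep your config for it.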