Managing notifications and extension expiring certificates

Hi everyone,

I’m maintaining an app that uses the Notification Service Extension entitlement (which I have never used before). The app is not published on the App Store but is delivered OTA via a website.

The previous developer told me that to avoid certificate expiration issues, they started using the APNs Auth Key on the server in the past. However, I now have two certificates close to expiration on the developer profile page.

Both certificates are of the type "Apple Push Services":

  1. The first one is named with my app's bundle ID (MyInstitution.AppName).
  2. The second is named after the Notification Service Extension entitlement (MyInstitution.AppName.NotificationServiceExtension).

In the Key section on the developer profile page, under Certificates, Identifiers & Profiles -> Keys section, there is a key named "MyInstitution NSE."

My questions are:

  1. What should I do with the expiring certificates now that the app is using the APNs Auth Key?
  2. Is the Notification Service Extension entitlement working separately from the APNs Auth Key?
  3. In the end, does something really need to be renewed? What needs to be renewed, and how?
  4. When should I perform this operation if needed?
  5. Do I need to create a new .ipa file and distribute it?

I have added some screenshots to be clearer (names hidden for privacy concerns):

Answered by Engineer in 793853022

I am going to assume there aren't actually any "entitlements" involved here, and you are just using that terminology to indicate the app contains an NSE.

If they have already switched to using APNs Auth tokens to send the notifications, and have been using those, then you don't need to do anything (that is critical) with the certificates, and you can let them expire.

The APNs Auth key never expires, and the tokens need to be regenerated every hour - but I suppose that is working fine already.

Specific to your questions:

  1. You should remove them from the developer portal, and also from the push servers, so the next maintainer doesn't get confused and panic in a couple of years trying to find out what those are for.
  2. I am not sure what it is you mention here. There could be separate entitlement files that may be defining shared or separate capabilities for the main app and the extension. I would say, leave them alone. Those will have nothing to do with the push certificates (although, as the maintainer, you may want to understand what they contain and why).
  3. If you are certain your notification server is using the auth key and tokens already, nothing needs to be renewed.
  4. You should remove the certificates from the push server before they expire to see if anything will fail. If it does, then put them back right away. Then renew the certificates and install the new ones, because that would mean the previous developer was mistaken and your push servers are using the certificates.
  5. There is no need to do anything with the app itself. These are all server side matters.

Good luck.


Hi, thanks for your reply. I'm adding some screenshots to be clearer about what I mean by "Entitlements". Please feel free to correct my terminology as you prefer; I'll be grateful for it. I know these "Entitlements" were "required to Apple" before my arrival.

OK, I understand now. This entitlement is optional for a specific purpose, and is not required to implement the Notification Service Extension.

In any case, neither the extension nor the entitlement has anything to do with the server-side certificates or auth keys. You can continue as I suggested on the server side, regardless of using this entitlement.


Argun Tekant /  DTS Engineer / Core Technologies
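
The hourly token regeneration mentioned in the answer, sketched as an added example (not code from this thread or from Apple): a push server signs a short JWT with the APNs Auth Key and reuses it until it nears the one-hour mark. The key ID, team ID, 50-minute refresh interval and all function names are assumptions, and a throwaway P-256 key stands in for the real `.p8` key.

```javascript
const nodeCrypto = require('node:crypto');

// Assumption: refresh a little before the one-hour limit the answer mentions.
const REFRESH_AFTER_SEC = 50 * 60;
const b64url = (data) => Buffer.from(data).toString('base64url');

// Build and sign a provider token: header {alg, kid}, claims {iss, iat}.
function makeProviderToken(privateKey, keyId, teamId, nowSec) {
  const header = b64url(JSON.stringify({ alg: 'ES256', kid: keyId }));
  const claims = b64url(JSON.stringify({ iss: teamId, iat: nowSec }));
  const signingInput = `${header}.${claims}`;
  // JWS uses the raw r||s signature form (IEEE P1363), not the DER default.
  const sig = nodeCrypto.sign('sha256', Buffer.from(signingInput),
    { key: privateKey, dsaEncoding: 'ieee-p1363' });
  return `${signingInput}.${b64url(sig)}`;
}

// Check a token against the public key; returns decoded parts or null.
function verifyProviderToken(token, publicKey) {
  const [header, claims, sig] = token.split('.');
  const ok = nodeCrypto.verify('sha256', Buffer.from(`${header}.${claims}`),
    { key: publicKey, dsaEncoding: 'ieee-p1363' }, Buffer.from(sig, 'base64url'));
  if (!ok) return null;
  const decode = (part) => JSON.parse(Buffer.from(part, 'base64url').toString());
  return { header: decode(header), claims: decode(claims) };
}

// Reuse one token across requests; sign a new one only when it is stale.
class ProviderTokenCache {
  constructor(privateKey, keyId, teamId) {
    Object.assign(this, { privateKey, keyId, teamId, token: null, issuedAt: 0 });
  }
  get(nowSec = Math.floor(Date.now() / 1000)) {
    if (!this.token || nowSec - this.issuedAt >= REFRESH_AFTER_SEC) {
      this.token = makeProviderToken(this.privateKey, this.keyId, this.teamId, nowSec);
      this.issuedAt = nowSec;
    }
    return this.token;
  }
}

// Constructed demo key pair; a real server loads the .p8 key from the Keys section.
const { privateKey, publicKey } =
  nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
const cache = new ProviderTokenCache(privateKey, 'KEYID_PLACEHOLDER', 'TEAMID_PLACEHOLDER');
// The token is sent to APNs in the request header: authorization: bearer <token>
```

If the push server's outgoing requests carry a bearer token like this rather than presenting a client certificate, it is using the auth key, which is the condition the answer gives for letting the certificates expire.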
