Apple Push Notification service server certificate update

This thread has been locked by a moderator; it no longer accepts new replies.

You are probably aware of the upcoming root certificate change for any servers you might have that you use to send push notifications by connection to APNs.

If you are not, here is the announcement.

We have been getting some questions about this, and understand not everyone is familiar with their server setup.

First, we would like to clarify that this is only a change to your server's certificate trust store. You do not need to update anything else, like your APNs push certificates, the build certificates and provisioning profiles for your team/app, and so on. All you need to do is to install the mentioned new root certificate to your push server's trust store.

If you are using a 3rd party push provider, it is them who will need to handle their servers. But you may want to double check with them nevertheless.

If you are managing your own push servers that connect to APNs directly, then it is your responsibility to download and install the root certificate mentioned in the above link on your server(s).

Unfortunately we cannot provide specific instructions on how to install this root certificate on every kind of server out there. Each server operating system/push server software will have different ways these root certificates are installed, which is out of scope of our support abilities.

If you are not sure how to do this, I would recommend you seek help for this from your server-side developers or server admins. Or, if you don't have access to such resources, you can ask the support channels for your system the question: How do I install a root certificate?

We have set up a test server at 17.188.143.34:443 that you can use to try and send pushes to test whether your new root certificate is correctly installed.

An alternative way to test this would be, from a terminal prompt:

openssl s_client -connect 17.188.143.34:443 -servername api.sandbox.push.apple.com -verifyCAfile USERTrustRSACertificationAuthority.crt -showcerts

Change the parameter to the -verifyCAfile argument to point to your trust store, and it should allow you to validate

Sample return results would be:

Connecting to 17.188.143.34
CONNECTED(00000003)
depth=2 C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
verify return:1
depth=1 CN=Apple Public Server RSA CA 11 - G1, O=Apple Inc., ST=California, C=US
verify return:1
depth=0 C=US, ST=California, O=Apple Inc., CN=api.sandbox.push.apple.com
verify return:1

Argun Tekant /  DTS Engineer / Core Technologies
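The openssl check from the post above, wrapped so it can run unattended; this is an added example, not part of the original post. s_client continues after a verification failure, so the script looks for `verify error:` lines and for the expected root and leaf in the `depth=` lines. The function names and the failing sample are constructed for illustration.

```shell
# Added example, not code from the original post; function names are this example's own.
EXPECTED_ROOT='CN=USERTrust RSA Certification Authority'  # root shown in the post's sample
EXPECTED_LEAF='CN=api.sandbox.push.apple.com'

# Read s_client output on stdin; return 0 only if the chain verified to the expected root.
check_apns_chain() {
    out=$(cat)
    # s_client keeps going after a failed verification, so "verify return:1"
    # alone proves nothing; any "verify error:" line is a failure.
    if printf '%s\n' "$out" | grep -q '^verify error:'; then return 1; fi
    # The root must appear in a depth= line: the chain was built up to it.
    printf '%s\n' "$out" | grep '^depth=' | grep -qF "$EXPECTED_ROOT" || return 2
    # The leaf at depth 0 must be the host requested with -servername.
    printf '%s\n' "$out" | grep '^depth=0 ' | grep -qF "$EXPECTED_LEAF" || return 3
    return 0
}

# Live probe using the command from the post; $1 is the CA file to test.
# The depth/verify lines go to stderr, hence 2>&1.
probe_apns() {
    openssl s_client -connect 17.188.143.34:443 \
        -servername api.sandbox.push.apple.com \
        -verifyCAfile "$1" </dev/null 2>&1 | check_apns_chain
}

# depth/verify lines copied from the post's sample output.
sample_ok() {
cat <<'EOF'
CONNECTED(00000003)
depth=2 C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority
verify return:1
depth=1 CN=Apple Public Server RSA CA 11 - G1, O=Apple Inc., ST=California, C=US
verify return:1
depth=0 C=US, ST=California, O=Apple Inc., CN=api.sandbox.push.apple.com
verify return:1
EOF
}

# Constructed sample: root missing from the CA file, so the chain stops at depth 1.
sample_missing_root() {
cat <<'EOF'
CONNECTED(00000003)
depth=1 CN=Apple Public Server RSA CA 11 - G1, O=Apple Inc., ST=California, C=US
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C=US, ST=California, O=Apple Inc., CN=api.sandbox.push.apple.com
verify return:1
EOF
}
```

Running `probe_apns` with the path to the CA file under test exits non-zero when the chain did not validate against that file.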
