Skip navigation

What is an APSP certificate? and how do I renew it?

15972 Views 12 Replies Latest reply: Nov 17, 2013 9:19 AM by QSA ToolWorks RSS
ElB1 Calculating status...
Currently Being Moderated
Nov 24, 2012 5:59 PM

I have a Mac Mini server with Mountain lion server on it. I use it for Web site serving, and I have File Sharing active on it.


I started getting the following notifications:


Certificate Expires Soon - APSP:34a61ab4-43ce-43e1-8a45-036445c241a0

The following certificate is about to expire on your server, web4.local:

Name: APSP:34a61ab4-43ce-43e1-8a45-036445c241a0
Expiration Date: 16 December, 2012 10:59:27 AM EST


It seems that the server has 4 of these certificates and I get 4 notifications every day.


I could find nothing about them. What's the service they support? where to renew them? How do I turn off this notification if there isn't much that I can do about them.


Under the server hardware's settings pane, I checked all the SSL Certificates that I have and the local self-signed ones and none of them expire in 2012.


So I'm confused to say the least.

  • Dean Huxley Level 1 Level 1 (130 points)
    Currently Being Moderated
    Dec 7, 2012 7:46 AM (in response to ElB1)

    I'm in the same boat.  Here's what I've found out:


    These certificates are used by the "Apple Push Notification Service" (APNS) and apparently have nothing to do with Cisco's Access Point Security Protocol (APSP).  Push Notifications are used to do things like immediately alert you of new mail on your iPhone (rather than have the iPhone polling every few minutes to check if there is new mail).


    Now, how to renew them (in theory because it doesn't work for me - it might for you):


    1) open the "Server" application

    2) in the Hardware section (top left), click your server

    3) click the "Settings" tab

    4) presumably "Enable Apple push notifications" is already checked. (if not, delete or move the expiring certificates out of /etc/certificates and that should stop the alert emails)

    5) click the "Edit" button after "Enable Apple push notifications"

    6) a drop down panel will show the apple ID and expiry for your Apple Push Notification Service certificate.  The expiry will probably be in red.  Click the Renew button.

    7) enter the password for your Apple ID and click Renew certificate.


    Hopefully that works for you.  I end up with a "An unexpected error (-1) has occurred".  If I click on the "Manage your certificates" link, I'm directed to an apple site that has a certificate expiry about 8 months after the one in the Settings page.  I'm guessing that's the one being used and not the one shown in my settings page.  I'll wait until after the certificates expire, see if anything breaks then delete the expired certificates.


    If anyone knows how to determine which APSP:<uuid> certificate is being used on OSX Server or how the Apple Push Notification picks which certificate to use, please let me know.  I have five APSP certificates in /etc/certificates and I suspect only one is needed.




  • doug_blair Level 1 Level 1 (10 points)

    I can verify that Dean's suggestion does stop the daily notifications about the expired certificates. 


    If you look in /etc/certificates you should see 4 files associated with each one.  To be on the safe side, make a directory to hold the files just in case you need to recover. I used /etc/certificates-expired.  I then opened two finder windows, one in /etc/certificates and one for the backup directory, and dragged the 4 files for each expired cert into the backup folder. You'll need to use a root account or add your administrative password for this.  That stops the messages, at least.



  • doug_blair Level 1 Level 1 (10 points)

    Actually, I spoke too soon. Removing the expired certificates from /etc/certificates does not stop the daily alert messages. You can access the certificates via the Keychain Access app. the expired ones will be visible in the the All Certificates or System sections (you will need an admin password to edit these) in red, and you can delete the ones that have expired.


    The Server app is the place to go to renew the certificates mentioned here. You'll need one for each of the services you plan to use to send items to your devices (e,g. calendar, messages, etc).

  • Dean Huxley Level 1 Level 1 (130 points)
    Currently Being Moderated
    Dec 11, 2012 6:58 AM (in response to ElB1)

    Yeah, same thing happened to me too. Deleting the certificates from /etc/certificates wasn't enough.


    The certificates are also stored in the System keychain. I deleted the expired ones by

    1. started Keychain Access (in /Applications/Utilities)
    2. select the System keychain (top left frame)
    3. click on the Expires column to sort on Expires
    4. then select the soon-to-expire APSP:... certificates and
    5. hit the delete key to delete them (you will be asked for an admin account and password)


    NOTE: you may have to select "Show Expired Certificates" in the "View" menu if the certificates have already expired.



    I determined that the ServerEventAgent daemon is the process sending out the alerts.  It performs the check when it first starts then every 24 hours after that.  Killing this process will cause launchd to start another, so it's a good way to check immediately if the problem is fixed rather than waiting 24 hours for the next barrage of alerts.


    I did the steps above to remove the soon-to-expire APSP certificates, then killed the ServerEventAgent and this time I didn't get the "about to expire" emails.  Also, when I go back into the Server app and check my push certificate, it's now showing an expiry date matching the one I see in the Apple Push Certificate portal ( )


    Hope this helps!




  • coffeebreath Level 1 Level 1 (0 points)

    Thank you Sir.


    These steps have resolved my suffering from this issue.


    Happy New Year.

  • ebrind Level 1 Level 1 (15 points)
    Currently Being Moderated
    Feb 27, 2013 7:16 PM (in response to ElB1)



    I found the the below fix was easier then the steps above...


    1. Go to Server App


    2. Uncheck the Enable Push Notifications


    3. As soon as you do a window opens stating your cert has expired and your given the option to renew.


    4. The itunes user id is listed that you used to create them to begin with and it prompts you for your password.


    5. It automatily renews the certs and the expired certs that were in keychain are no longer expired.





  • Richard Smith2 Calculating status...
    Currently Being Moderated
    Aug 25, 2013 8:43 AM (in response to ebrind)

    to find ebrind's step 2, select the server name in the Server App, then select the Settings tab.

  • Morris Zwick Calculating status...

    Alternatively, in Step 2, just press the "Edit..." button next to "Enable Apple push notifications" and press the "Renew" button. Then just recertify with the Apple ID you used to register with the Push Notification server and Voila!

  • cj00 Level 1 Level 1 (10 points)

    Any suggestion what to try when using "" the Apple push notifications certificate Renew fails, even after:


    1. removing the expired certs from keychain
    2. removing the expired certs from /etc/certificates
    3. use "Edit" instead of "Renew" button


    For example, is there a terminal command that does issue a "Renew" or that does "Enable Apple push notifications" ?

  • QSA ToolWorks Calculating status...

    This is the suggestion that solved it for me. Thanks!


More Like This

  • Retrieving data ...

Bookmarked By (4)


  • This solved my question - 10 points
  • This helped me - 5 points
This site contains user submitted content, comments and opinions and is for informational purposes only. Apple disclaims any and all liability for the acts, omissions and conduct of any third parties in connection with or related to your use of the site. All postings and use of the content on this site are subject to the Apple Support Communities Terms of Use.