What is an APSP certificate? and how do I renew it?

I'm in the same boat. Here's what I've found out:

These certificates are used by the "Apple Push Notification Service" (APNS) and apparently have nothing to do with Cisco's Access Point Security Protocol (APSP). Push Notifications are used to do things like immediately alert you of new mail on your iPhone (rather than have the iPhone polling every few minutes to check if there is new mail).

Now, how to renew them (in theory because it doesn't work for me - it might for you):

1) open the "Server" application

2) in the Hardware section (top left), click your server

3) click the "Settings" tab

4) presumably "Enable Apple push notifications" is already checked. (if not, delete or move the expiring certificates out of /etc/certificates and that should stop the alert emails)

5) click the "Edit" button after "Enable Apple push notifications"

6) a drop down panel will show the apple ID and expiry for your Apple Push Notification Service certificate. The expiry will probably be in red. Click the Renew button.

7) enter the password for your Apple ID and click Renew certificate.

Hopefully that works for you. I end up with a "An unexpected error (-1) has occurred". If I click on the "Manage your certificates" link, I'm directed to an apple site that has a certificate expiry about 8 months after the one in the Settings page. I'm guessing that's the one being used and not the one shown in my settings page. I'll wait until after the certificates expire, see if anything breaks then delete the expired certificates.

If anyone knows how to determine which APSP:<uuid> certificate is being used on OSX Server or how the Apple Push Notification picks which certificate to use, please let me know. I have five APSP certificates in /etc/certificates and I suspect only one is needed.

Cheers,

Dean

I can verify that Dean's suggestion does stop the daily notifications about the expired certificates.

If you look in /etc/certificates you should see 4 files associated with each one. To be on the safe side, make a directory to hold the files just in case you need to recover. I used /etc/certificates-expired. I then opened two finder windows, one in /etc/certificates and one for the backup directory, and dragged the 4 files for each expired cert into the backup folder. You'll need to use a root account or add your administrative password for this. That stops the messages, at least.

Doug

Actually, I spoke too soon. Removing the expired certificates from /etc/certificates does not stop the daily alert messages. You can access the certificates via the Keychain Access app. the expired ones will be visible in the the All Certificates or System sections (you will need an admin password to edit these) in red, and you can delete the ones that have expired.

The Server app is the place to go to renew the certificates mentioned here. You'll need one for each of the services you plan to use to send items to your devices (e,g. calendar, messages, etc).

Yeah, same thing happened to me too. Deleting the certificates from /etc/certificates wasn't enough.

The certificates are also stored in the System keychain. I deleted the expired ones by

1. started Keychain Access (in /Applications/Utilities)
2. select the System keychain (top left frame)
3. click on the Expires column to sort on Expires
4. then select the soon-to-expire APSP:... certificates and
5. hit the delete key to delete them (you will be asked for an admin account and password)

NOTE: you may have to select "Show Expired Certificates" in the "View" menu if the certificates have already expired.

I determined that the ServerEventAgent daemon is the process sending out the alerts. It performs the check when it first starts then every 24 hours after that. Killing this process will cause launchd to start another, so it's a good way to check immediately if the problem is fixed rather than waiting 24 hours for the next barrage of alerts.

I did the steps above to remove the soon-to-expire APSP certificates, then killed the ServerEventAgent and this time I didn't get the "about to expire" emails. Also, when I go back into the Server app and check my push certificate, it's now showing an expiry date matching the one I see in the Apple Push Certificate portal ( https://identity.apple.com/pushcert/ )

Hope this helps!

Cheers,

Dean

Thank you Sir.

These steps have resolved my suffering from this issue.

Happy New Year.

Hello,

I found the the below fix was easier then the steps above...

1. Go to Server App

2. Uncheck the Enable Push Notifications

3. As soon as you do a window opens stating your cert has expired and your given the option to renew.

4. The itunes user id is listed that you used to create them to begin with and it prompts you for your password.

5. It automatily renews the certs and the expired certs that were in keychain are no longer expired.

Thanks,

ebrind

to find ebrind's step 2, select the server name in the Server App, then select the Settings tab.

Alternatively, in Step 2, just press the "Edit..." button next to "Enable Apple push notifications" and press the "Renew" button. Then just recertify with the Apple ID you used to register with the Push Notification server and Voila!

Any suggestion what to try when using "Server.app" the Apple push notifications certificate Renew fails, even after:

1. removing the expired certs from keychain
2. removing the expired certs from /etc/certificates
3. use "Edit" instead of "Renew" button

For example, is there a terminal command that does issue a "Renew" or that does "Enable Apple push notifications" ?

This is the suggestion that solved it for me. Thanks!

This worked for me, I was wondering why I was getting 30 emails a day about this when I already removed the old certificates from the server portion of the server. Keychain makes total sense. However, why doesn't apple make it when you remove the certs from the server, it doesn't remove from keychain? *smh

I think ebrind's solution is the way that Apple intends for the feature to work. I'm pretty sure it worked for me. It looks like Dean's solution is for if you really don't care about how Apple intends for it to work and want to get rid of these notifications forever. ebrind's solution will presumably allow the notifications to come back in a year, at which time you can go through the process again. I'm not sure what the importance of doing this annual procedure is in my case, but it isn't hard to do.

Ok, for a bold approach.

- Turn off Push Notifications in Server App (location see above)

- Go to Keychain,

- Search for APSP

- Delete all found items

- Restart,

- In Server app turn on Push Notifications

- Server app will ask you to create a new certificate..

- You're done for a year...