Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

What is an APSP certificate? and how do I renew it?

I have a Mac Mini server with Mountain lion server on it. I use it for Web site serving, and I have File Sharing active on it.


I started getting the following notifications:


Certificate Expires Soon - APSP:34a61ab4-43ce-43e1-8a45-036445c241a0

The following certificate is about to expire on your server, web4.local:
Name: APSP:34a61ab4-43ce-43e1-8a45-036445c241a0
Expiration Date: 16 December, 2012 10:59:27 AM EST


It seems that the server has 4 of these certificates and I get 4 notifications every day.


I could find nothing about them. What's the service they support? where to renew them? How do I turn off this notification if there isn't much that I can do about them.


Under the server hardware's settings pane, I checked all the SSL Certificates that I have and the local self-signed ones and none of them expire in 2012.


So I'm confused to say the least.

Posted on Nov 24, 2012 5:59 PM

Reply
Question marked as Best reply

Posted on Dec 7, 2012 7:46 AM

I'm in the same boat. Here's what I've found out:


These certificates are used by the "Apple Push Notification Service" (APNS) and apparently have nothing to do with Cisco's Access Point Security Protocol (APSP). Push Notifications are used to do things like immediately alert you of new mail on your iPhone (rather than have the iPhone polling every few minutes to check if there is new mail).


Now, how to renew them (in theory because it doesn't work for me - it might for you):


1) open the "Server" application

2) in the Hardware section (top left), click your server

3) click the "Settings" tab

4) presumably "Enable Apple push notifications" is already checked. (if not, delete or move the expiring certificates out of /etc/certificates and that should stop the alert emails)

5) click the "Edit" button after "Enable Apple push notifications"

6) a drop down panel will show the apple ID and expiry for your Apple Push Notification Service certificate. The expiry will probably be in red. Click the Renew button.

7) enter the password for your Apple ID and click Renew certificate.


Hopefully that works for you. I end up with a "An unexpected error (-1) has occurred". If I click on the "Manage your certificates" link, I'm directed to an apple site that has a certificate expiry about 8 months after the one in the Settings page. I'm guessing that's the one being used and not the one shown in my settings page. I'll wait until after the certificates expire, see if anything breaks then delete the expired certificates.


If anyone knows how to determine which APSP:<uuid> certificate is being used on OSX Server or how the Apple Push Notification picks which certificate to use, please let me know. I have five APSP certificates in /etc/certificates and I suspect only one is needed.


Cheers,

Dean

16 replies
Question marked as Best reply

Dec 7, 2012 7:46 AM in response to ElB1

I'm in the same boat. Here's what I've found out:


These certificates are used by the "Apple Push Notification Service" (APNS) and apparently have nothing to do with Cisco's Access Point Security Protocol (APSP). Push Notifications are used to do things like immediately alert you of new mail on your iPhone (rather than have the iPhone polling every few minutes to check if there is new mail).


Now, how to renew them (in theory because it doesn't work for me - it might for you):


1) open the "Server" application

2) in the Hardware section (top left), click your server

3) click the "Settings" tab

4) presumably "Enable Apple push notifications" is already checked. (if not, delete or move the expiring certificates out of /etc/certificates and that should stop the alert emails)

5) click the "Edit" button after "Enable Apple push notifications"

6) a drop down panel will show the apple ID and expiry for your Apple Push Notification Service certificate. The expiry will probably be in red. Click the Renew button.

7) enter the password for your Apple ID and click Renew certificate.


Hopefully that works for you. I end up with a "An unexpected error (-1) has occurred". If I click on the "Manage your certificates" link, I'm directed to an apple site that has a certificate expiry about 8 months after the one in the Settings page. I'm guessing that's the one being used and not the one shown in my settings page. I'll wait until after the certificates expire, see if anything breaks then delete the expired certificates.


If anyone knows how to determine which APSP:<uuid> certificate is being used on OSX Server or how the Apple Push Notification picks which certificate to use, please let me know. I have five APSP certificates in /etc/certificates and I suspect only one is needed.


Cheers,

Dean

Dec 9, 2012 9:56 AM in response to Dean Huxley

I can verify that Dean's suggestion does stop the daily notifications about the expired certificates.


If you look in /etc/certificates you should see 4 files associated with each one. To be on the safe side, make a directory to hold the files just in case you need to recover. I used /etc/certificates-expired. I then opened two finder windows, one in /etc/certificates and one for the backup directory, and dragged the 4 files for each expired cert into the backup folder. You'll need to use a root account or add your administrative password for this. That stops the messages, at least.


Doug

Dec 11, 2012 6:49 AM in response to doug_blair

Actually, I spoke too soon. Removing the expired certificates from /etc/certificates does not stop the daily alert messages. You can access the certificates via the Keychain Access app. the expired ones will be visible in the the All Certificates or System sections (you will need an admin password to edit these) in red, and you can delete the ones that have expired.


The Server app is the place to go to renew the certificates mentioned here. You'll need one for each of the services you plan to use to send items to your devices (e,g. calendar, messages, etc).

Dec 11, 2012 6:58 AM in response to ElB1

Yeah, same thing happened to me too. Deleting the certificates from /etc/certificates wasn't enough.


The certificates are also stored in the System keychain. I deleted the expired ones by

  1. started Keychain Access (in /Applications/Utilities)
  2. select the System keychain (top left frame)
  3. click on the Expires column to sort on Expires
  4. then select the soon-to-expire APSP:... certificates and
  5. hit the delete key to delete them (you will be asked for an admin account and password)


NOTE: you may have to select "Show Expired Certificates" in the "View" menu if the certificates have already expired.



I determined that the ServerEventAgent daemon is the process sending out the alerts. It performs the check when it first starts then every 24 hours after that. Killing this process will cause launchd to start another, so it's a good way to check immediately if the problem is fixed rather than waiting 24 hours for the next barrage of alerts.


I did the steps above to remove the soon-to-expire APSP certificates, then killed the ServerEventAgent and this time I didn't get the "about to expire" emails. Also, when I go back into the Server app and check my push certificate, it's now showing an expiry date matching the one I see in the Apple Push Certificate portal ( https://identity.apple.com/pushcert/ )


Hope this helps!


Cheers,

Dean

Feb 27, 2013 7:16 PM in response to ElB1

Hello,


I found the the below fix was easier then the steps above...


1. Go to Server App


2. Uncheck the Enable Push Notifications


3. As soon as you do a window opens stating your cert has expired and your given the option to renew.


4. The itunes user id is listed that you used to create them to begin with and it prompts you for your password.


5. It automatily renews the certs and the expired certs that were in keychain are no longer expired.


Thanks,


ebrind

Oct 29, 2013 12:19 PM in response to Morris Zwick

Any suggestion what to try when using "Server.app" the Apple push notifications certificate Renew fails, even after:


  1. removing the expired certs from keychain
  2. removing the expired certs from /etc/certificates
  3. use "Edit" instead of "Renew" button


For example, is there a terminal command that does issue a "Renew" or that does "Enable Apple push notifications" ?

Jun 5, 2014 3:22 AM in response to ElB1

This worked for me, I was wondering why I was getting 30 emails a day about this when I already removed the old certificates from the server portion of the server. Keychain makes total sense. However, why doesn't apple make it when you remove the certs from the server, it doesn't remove from keychain? *smh

Sep 29, 2014 6:05 AM in response to ebrind

I think ebrind's solution is the way that Apple intends for the feature to work. I'm pretty sure it worked for me. It looks like Dean's solution is for if you really don't care about how Apple intends for it to work and want to get rid of these notifications forever. ebrind's solution will presumably allow the notifications to come back in a year, at which time you can go through the process again. I'm not sure what the importance of doing this annual procedure is in my case, but it isn't hard to do.

What is an APSP certificate? and how do I renew it?

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple ID.