15 Replies Latest reply: Nov 5, 2014 12:30 AM by jaapschok
ElB1 Level 1 (0 points)

I have a Mac Mini server with Mountain Lion Server on it. I use it for Web site serving, and I have File Sharing active on it.


I started getting the following notifications:


Certificate Expires Soon - APSP:34a61ab4-43ce-43e1-8a45-036445c241a0

The following certificate is about to expire on your server, web4.local:

Name: APSP:34a61ab4-43ce-43e1-8a45-036445c241a0
Expiration Date: 16 December, 2012 10:59:27 AM EST


It seems that the server has 4 of these certificates and I get 4 notifications every day.


I could find nothing about them. What's the service they support? Where to renew them? How do I turn off this notification if there isn't much that I can do about them?


Under the server hardware's settings pane, I checked all the SSL Certificates that I have and the local self-signed ones and none of them expire in 2012.


So I'm confused to say the least.

  • Dean Huxley Level 1 (130 points)

    I'm in the same boat.  Here's what I've found out:


    These certificates are used by the "Apple Push Notification Service" (APNS) and apparently have nothing to do with Cisco's Access Point Security Protocol (APSP).  Push Notifications are used to do things like immediately alert you of new mail on your iPhone (rather than have the iPhone polling every few minutes to check if there is new mail).


    Now, how to renew them (in theory because it doesn't work for me - it might for you):


    1) open the "Server" application

    2) in the Hardware section (top left), click your server

    3) click the "Settings" tab

    4) presumably "Enable Apple push notifications" is already checked. (if not, delete or move the expiring certificates out of /etc/certificates and that should stop the alert emails)

    5) click the "Edit" button after "Enable Apple push notifications"

    6) a drop down panel will show the apple ID and expiry for your Apple Push Notification Service certificate.  The expiry will probably be in red.  Click the Renew button.

    7) enter the password for your Apple ID and click Renew certificate.


    Hopefully that works for you.  I end up with a "An unexpected error (-1) has occurred".  If I click on the "Manage your certificates" link, I'm directed to an apple site that has a certificate expiry about 8 months after the one in the Settings page.  I'm guessing that's the one being used and not the one shown in my settings page.  I'll wait until after the certificates expire, see if anything breaks then delete the expired certificates.


    If anyone knows how to determine which APSP:<uuid> certificate is being used on OSX Server or how the Apple Push Notification picks which certificate to use, please let me know.  I have five APSP certificates in /etc/certificates and I suspect only one is needed.




  • doug_blair Level 1 (10 points)

    I can verify that Dean's suggestion does stop the daily notifications about the expired certificates. 


    If you look in /etc/certificates you should see 4 files associated with each one.  To be on the safe side, make a directory to hold the files just in case you need to recover. I used /etc/certificates-expired.  I then opened two finder windows, one in /etc/certificates and one for the backup directory, and dragged the 4 files for each expired cert into the backup folder. You'll need to use a root account or add your administrative password for this.  That stops the messages, at least.



  • ElB1 Level 1 (0 points)

    I did end up with error -1 and nothing was resolved. I revoked the certificates on Apple's site, I deleted the certificate files from the /etc/certificates and it didn't help.


    I turned push notification off.

  • doug_blair Level 1 (10 points)

    Actually, I spoke too soon. Removing the expired certificates from /etc/certificates does not stop the daily alert messages. You can access the certificates via the Keychain Access app. The expired ones will be visible in the All Certificates or System sections (you will need an admin password to edit these) in red, and you can delete the ones that have expired.


    The Server app is the place to go to renew the certificates mentioned here. You'll need one for each of the services you plan to use to send items to your devices (e.g. calendar, messages, etc).

  • Dean Huxley Level 1 (130 points)

    Yeah, same thing happened to me too. Deleting the certificates from /etc/certificates wasn't enough.


    The certificates are also stored in the System keychain. I deleted the expired ones by

    1. started Keychain Access (in /Applications/Utilities)
    2. select the System keychain (top left frame)
    3. click on the Expires column to sort on Expires
    4. then select the soon-to-expire APSP:... certificates and
    5. hit the delete key to delete them (you will be asked for an admin account and password)


    NOTE: you may have to select "Show Expired Certificates" in the "View" menu if the certificates have already expired.



    I determined that the ServerEventAgent daemon is the process sending out the alerts.  It performs the check when it first starts then every 24 hours after that.  Killing this process will cause launchd to start another, so it's a good way to check immediately if the problem is fixed rather than waiting 24 hours for the next barrage of alerts.


    I did the steps above to remove the soon-to-expire APSP certificates, then killed the ServerEventAgent and this time I didn't get the "about to expire" emails.  Also, when I go back into the Server app and check my push certificate, it's now showing an expiry date matching the one I see in the Apple Push Certificate portal.


    Hope this helps!
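
Added example, not part of any post in this thread: a shell function that lists which APSP certificate files in a directory such as /etc/certificates fall inside an expiry window, so the ones behind the daily alerts can be identified before anything is moved or deleted. It assumes the files are PEM and that the `openssl` CLI is installed; the `make_sample` helper and its certificate names are constructed test data.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes PEM files and the openssl CLI.

# apsp_expiring DIR [DAYS]: print "<file><TAB><notAfter>" for every certificate
# in DIR whose subject contains "APSP:" and that expires within DAYS (default 30).
apsp_expiring() {
    dir=$1
    window=$(( ${2:-30} * 86400 ))
    for f in "$dir"/*.pem; do
        [ -f "$f" ] || continue
        # Private-key files do not parse as X.509 and are skipped here.
        subject=$(openssl x509 -in "$f" -noout -subject 2>/dev/null) || continue
        case $subject in
            *APSP:*) ;;
            *) continue ;;
        esac
        # -checkend exits non-zero when the certificate expires within the window.
        if ! openssl x509 -in "$f" -noout -checkend "$window" >/dev/null 2>&1; then
            end=$(openssl x509 -in "$f" -noout -enddate | sed 's/^notAfter=//')
            printf '%s\t%s\n' "$f" "$end"
        fi
    done
}

# make_sample DIR: constructed test data. Writes three self-signed certificates
# (made-up names) with their keys: two APSP ones (10 and 400 days) and one other.
make_sample() {
    sdir=$1
    n=0
    for spec in "APSP:constructed-soon 10" "APSP:constructed-later 400" "web.constructed 10"; do
        n=$((n + 1))
        set -- $spec
        openssl req -x509 -newkey rsa:2048 -nodes -days "$2" -subj "/CN=$1" \
            -keyout "$sdir/sample$n.key.pem" -out "$sdir/sample$n.cert.pem" \
            2>/dev/null || return 1
    done
}

# Demo on constructed data; on the server, pass /etc/certificates instead.
demo_dir=$(mktemp -d)
make_sample "$demo_dir" && apsp_expiring "$demo_dir" 30
rm -rf "$demo_dir"
```

This only covers files on disk. The copies held in the System keychain can be printed as PEM with `security find-certificate -a -c APSP -p /Library/Keychains/System.keychain`.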




  • ElB1 Level 1 (0 points)

    Bingo. Deleting the certificates from the keychain solved the unexpected error (-1) problem.

  • coffeebreath Level 1 (0 points)

    Thank you Sir.


    These steps have resolved my suffering from this issue.


    Happy New Year.

  • ebrind Level 1 (15 points)



    I found the below fix was easier than the steps above...


    1. Go to Server App


    2. Uncheck the Enable Push Notifications


    3. As soon as you do a window opens stating your cert has expired and you're given the option to renew.


    4. The iTunes user id is listed that you used to create them to begin with and it prompts you for your password.


    5. It automatically renews the certs and the expired certs that were in keychain are no longer expired.





  • Richard Smith2 Level 1 (0 points)

    To find ebrind's step 2, select the server name in the Server App, then select the Settings tab.

  • Morris Zwick Level 1 (0 points)

    Alternatively, in Step 2, just press the "Edit..." button next to "Enable Apple push notifications" and press the "Renew" button. Then just recertify with the Apple ID you used to register with the Push Notification server and Voila!

  • cj00 Level 1 (10 points)

    Any suggestion what to try when using "" the Apple push notifications certificate Renew fails, even after:


    1. removing the expired certs from keychain
    2. removing the expired certs from /etc/certificates
    3. use "Edit" instead of "Renew" button


    For example, is there a terminal command that does issue a "Renew" or that does "Enable Apple push notifications" ?

  • QSA ToolWorks Level 1 (0 points)

    This is the suggestion that solved it for me. Thanks!

  • Advyon Level 1 (0 points)

    This worked for me, I was wondering why I was getting 30 emails a day about this when I already removed the old certificates from the server portion of the server.  Keychain makes total sense.  However, why doesn't Apple make it when you remove the certs from the server, it doesn't remove from keychain?  *smh

  • Schrock Level 1 (0 points)

    I think ebrind's solution is the way that Apple intends for the feature to work.  I'm pretty sure it worked for me.  It looks like Dean's solution is for if you really don't care about how Apple intends for it to work and want to get rid of these notifications forever.  ebrind's solution will presumably allow the notifications to come back in a year, at which time you can go through the process again.  I'm not sure what the importance of doing this annual procedure is in my case, but it isn't hard to do.
