How to get an APNS (Apple Push Notification Service) certificate for use with XenMobile MDM

When you are planning the deploy Citrix XenMobile MDM (Mobile Device Manager) and what’s to enrol and manage iOS devices, you need an APNS (Apple Push Notification Service) certificate. It is very simple to get an APNS certificate (for free) and you only need a Microsoft Server with the Internet Information Services (IIS) role installed on it, and an Apple ID. To obtain the APNS certificate follow these four little steps.

Step 1 : Create a Certificate Signing Request (CSR) file with Microsoft IIS

Login to a Windows Server where IIS is installed on and open the Internet Information Services (IIS) Manager.

Within the IIS console, on the left side, select the server name. On the right side, double click Server Certificates

On the left side, click on Create Certificate Request

Fill in the requested information and click Next

Select Microsoft RSA SChannel Cryptographic Provider as Cryptographic service provider and 2048 as Bit length.

Click Next

Save the file as an .txt file and click Finish

Step 2 : Sign the Certificate Request file by Citrix

The next step is to sign the Certificate Request file by Citrix, therefor login with your My Citrix account at the following website:

XenMobile APNs CSR Signing

Step 3: Submit the signed .plist file to Apple

After receiving the .plist file from Citrix, it’s time to submit it to Apple to get the APNS certificate.
Open a browser and go to the Apple Push Certification Portal: https://identity.apple.com/pushcert (if for some reason the site is not working, first go to http://developer.apple.com/devcenter/ios/index.action, logon and then reopen the Apple Push Certification Portal).

Fill in the sign in information of an Apple ID. NOTE: Use a company Apple ID (registered with a common company email address for general use, for example administrator@domain.com or servicedesk@domain.com). Once the APNS certificate is created with this account it is not transferable to another Apple ID, it has to be renewed every year with the same Apple ID!

Click on Create a Certificate

Select I have read and agree to these terms and conditions and click Accept

Optionally you can add a note, this can be helpful if you manage multiple APNS certificates, I always fill in the external hostname.

Click Choose file, select the .plist and click Upload

Click on Download. You now get a .pem certificate file.

Step 4: Convert the .pem file to .p12 format

In the final step we must generate a .p12 file with Microsoft Internet Information server (IIS). Login to a Windows Server where IIS is installed on and open the Internet Information Services (IIS) Manager.

Within the IIS console, on the left side, select the server name. On the right side, double click Server Certificates

Click on Complete Certificate Request

Browse to the .pem file and fill in a Friendly name. Click OK

Select the certificate and on the right side click Export

Select a location where to save the file to and give it a name (.pfx). Fill in a Password. This password is needed when importing this APNS certificate in the XenMobile Mobile Device Manager.

Renew the APNS certificate

By default an APNS certificate is valid for one year, after that it has to be renewed. To renew the APNS you have to go through all the four steps, but when submitting the certificate to Apple you need to choose for the option renew. It’s important that the certificate will be renewed with the same Apple ID as it was created. Keep in mind that if you use a different Apple ID or choose for the option to create a new certificate with the same Apple ID instead of renew. All devices currently enrolled with XenMobile MDM needs to be re-enrolled! So beware of that, always choose for the option renew.