 

Multiple APNS certificates in same certificate file

I've been searching for an answer to this and can't seem to find it. I send PUSH notifications to multiple flavors of my apps. I have previously set this up to loop through each certificate and match it against the user's app type. Effectively I create a new SSL connection for each certificate and then send any notifications for that particular certificate.

It's a bit tedious to convert all of these certificates and install them when they expire. I can export multiple certs from KeyChain Access as a single p12 file and convert it, which helps keep things simpler from a certificate management standpoint. The problem comes in that none of my PUSH notifications are being received. I can connect to the APNS successfully and no problems are reported by the feedback service, yet nothing seems to go through. This leads me to believe that the APNS is verifying only the first certificate in the file and ignoring any others, which would allow for a successful connection but would likely prevent delivery of the notifications. In this case I would expect a dropped connection or something reported on the feedback service, though, and so far I've seen neither.

Does anyone have any insight into doing this successfully? Thank you.

greg asked Oct 22 '22 22:10



1 Answer

Let me restate that: You have multiple certificates packaged together into a single container/collection/whatever, and you are using that to establish a mutually authenticated SSL session with APNS. You then send a request for one or more devices associated with any one of the certs, and it doesn't work. Is that accurate?

If so, then I think your summary of the issue is correct. The sequence of events is that the cert is evaluated while establishing the SSL session. That is part of the network protocol, and at that point the APNS server MUST choose which cert to use. Then when you send a request, the "application server" only validates that the device token contains the same account info as the cert. Your scenario is non-trivial and there is no chance of it working unless Apple explicitly invested effort in supporting it. In that case I would have expected it to be mentioned in the developer docs. It isn't.

In that case you won't see anything in the feedback service either, since the feedback will only be gathered/sent for devices which are associated with the account in the cert.

BTW if you are using the enhanced format of the APNS protocol then you can read error responses while sending. See the programming guide for more info.

Addys answered Nov 02 '22 14:11

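The point of the answer, that a TLS client presents exactly one certificate per session, is easy to confirm locally before blaming APNS. The Go program below is an added example, not code from the question or the answer: `selfSigned` and `presentedIdentity` are hypothetical helpers, and the certificates are constructed self-signed stand-ins for per-app push certificates, not real APNs material. It loads a bundle holding two certificates plus one key the way a TLS client does and reports which identity would actually be sent in the handshake.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"time"
)

// selfSigned makes a constructed, throwaway certificate standing in for one
// app flavour's push certificate; it returns PEM-encoded certificate and key.
func selfSigned(cn string) (certPEM, keyPEM []byte, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	keyDER, _ := x509.MarshalECPrivateKey(key)
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	return certPEM, keyPEM, nil
}

// presentedIdentity loads a PEM bundle of several certificates plus one key the
// way a TLS client does. It returns the CN of the single certificate the client
// will present (the first in the file) and how many certificates the file held;
// a key that belongs to any later certificate in the bundle is rejected.
func presentedIdentity(bundlePEM, keyPEM []byte) (cn string, n int, err error) {
	pair, err := tls.X509KeyPair(bundlePEM, keyPEM)
	if err != nil {
		return "", 0, err
	}
	leaf, err := x509.ParseCertificate(pair.Certificate[0])
	if err != nil {
		return "", 0, err
	}
	return leaf.Subject.CommonName, len(pair.Certificate), nil
}
```

Concatenating App A's and App B's certificates and loading the result with App A's key yields "App A" and a chain length of 2: App B's certificate rides along as chain material but is never the client identity, which is why the answer's one-connection-per-certificate approach is the only one that works.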