
Should I use the same CSR for both dev/production iOS push notification cert?


I found that I can submit the same CSR for both dev and production when creating certs for iOS push notification.

For a single app I need to create 2 certs (dev/production), so for 10 apps I need to create 20 certs, which is a nightmare for cert management and pollutes my keychains. So I am thinking of submitting the same CSR (hence the same private key), just to make things easier to maintain.

I want to know if there are any drawbacks, and are you also doing it the same way to reduce the effort in key/cert management?

Howard asked Aug 16 '12 11:08




1 Answer

You don't necessarily have to use different private keys for development and production, but you should, especially if you are working in a large team or with external developers.

Every developer that has to test the notification code will need to have access to the private key for the development certificate. If you use the same key for the production certificate you also give them access to sending notifications in the production system. It all comes down to trust - do you trust that every developer on your team won't use the key to play mischief with your paying customers, now and forever?

If you're working alone, or if you really trust everyone on your team completely, go ahead and use a single key. But think about the consequences if someone misuses the key.

Sven answered Oct 22 '22 05:10
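The separation the answer recommends, as an added example that is not part of the original post: one private key and CSR per app and environment, plus a check that flags any key appearing in more than one CSR. The function names, file layout and CSR subject are assumptions made for illustration, and it assumes the `openssl` command line tool is installed.

```shell
#!/bin/sh
# Added example, not from the original thread. File names and the CSR
# subject are constructed; adjust them to your own conventions.

# make_csr DIR APP STAGE
# Writes DIR/APP-STAGE.key (owner-readable only) and DIR/APP-STAGE.csr.
make_csr() {
    dir=$1; app=$2; stage=$3
    ( umask 077
      openssl genrsa -out "$dir/$app-$stage.key" 2048 2>/dev/null ) || return 1
    openssl req -new -key "$dir/$app-$stage.key" \
        -subj "/CN=$app $stage push" -out "$dir/$app-$stage.csr"
}

# csr_key_fp FILE
# Prints the SHA-256 digest of the public key carried in a CSR.
csr_key_fp() {
    openssl req -in "$1" -noout -pubkey |
        openssl pkey -pubin -outform DER |
        openssl dgst -sha256 | awk '{print $NF}'
}

# find_shared_keys DIR
# Prints "fingerprint file" for every CSR whose key is also used by
# another CSR in DIR. Exit status 0 means every CSR has its own key,
# 1 means at least one key is shared (e.g. dev and production).
find_shared_keys() {
    for f in "$1"/*.csr; do
        printf '%s %s\n' "$(csr_key_fp "$f")" "$f"
    done | sort | awk '
        $1 == prev { if (!shown) print prevline; print; shown = 1; dup = 1; next }
        { prev = $1; prevline = $0; shown = 0 }
        END { exit dup ? 1 : 0 }'
}

# Typical use:
#   make_csr ./push myapp dev
#   make_csr ./push myapp prod
#   find_shared_keys ./push || echo "key reuse across CSRs"
```

With a separate key per environment, only the development `.key` file needs to be handed to developers who test notification code; the production key can stay with whoever operates the production push service.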