Certificate Authority (CA) for Apple Push Notification (APN) is changing #161

Closed
bill-foreflight opened this issue Dec 6, 2024 · 7 comments

@bill-foreflight

I wasn't sure where to post this, but was trying to figure out if users of this library need to take any action in response to Apple's announcement that APNs will update the server certificates in early 2025?

https://developer.apple.com/news/?id=09za8wzy

Thanks for opening this issue!

@junjie

junjie commented Dec 7, 2024

Thanks for opening this issue. I'm wondering about it too.

@mtrezza
Member

mtrezza commented Dec 8, 2024

I don't think we hardcode any CAs here. Trust stores are managed by the environment in which this library runs. In fact, if you look at the docs, there is an option `ca` that allows setting trusted certificates to override or augment the environment's trust store:

> You may need to use this as some environments don't include the CA used by Apple (entrust_2048).

In well-managed environments, where trust stores are automatically updated, like in the latest server instance images of popular cloud service providers, there should be no action necessary. If you self-manage your trust store, or run on an old or unmaintained OS image, you'd either have to invoke a trust store update, or download the new CA certificate and manually add it to the trust store.

If you are unsure, you have 1 month from when the APNS sandbox environment won't work anymore (January 20, 2025) to when the APNS production environment won't work anymore (February 24, 2025). Use that time to verify whether any action is required on your side.

@junjie

junjie commented Dec 8, 2024

Thanks for taking time to explain the situation @mtrezza!

@mtrezza mtrezza pinned this issue Dec 8, 2024
@mtrezza mtrezza closed this as completed Dec 8, 2024
@llee1990

@mtrezza

It says in the docs that "If this is omitted several well known "root" CAs will be used". Would you happen to know if these default CAs include SHA-2 Root: USERTrust RSA Certification Authority?

Thanks!
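
One way to check this for a given Node.js runtime, as an added example that is not part of the original thread or of node-apn: it searches Node's bundled root list (`tls.rootCertificates`) for the USERTrust root named above and reports its fingerprint and expiry. The helper names `commonName` and `findRoots` are hypothetical, and the check covers only the bundled store, not certificates supplied through `NODE_EXTRA_CA_CERTS` or an OS trust store.

```javascript
const tls = require('tls');
const { X509Certificate } = require('crypto');

// Root CA named in the thread as the new APNs SHA-2 root.
const TARGET_CN = 'USERTrust RSA Certification Authority';

// X509Certificate#subject is a newline-separated string such as
// "C=US\nO=The USERTRUST Network\nCN=USERTrust RSA Certification Authority".
function commonName(subject) {
  for (const line of String(subject).split('\n')) {
    const idx = line.indexOf('=');
    if (idx > 0 && line.slice(0, idx).trim() === 'CN') {
      return line.slice(idx + 1).trim();
    }
  }
  return null; // some roots carry only O/OU and no CN
}

// Return a summary of every certificate in `pems` whose subject CN equals `cn`.
// `pems` is an array of PEM strings, e.g. tls.rootCertificates.
function findRoots(pems, cn) {
  const hits = [];
  for (const pem of pems) {
    let cert;
    try {
      cert = new X509Certificate(pem);
    } catch {
      continue; // skip entries that are not parseable certificates
    }
    if (commonName(cert.subject) !== cn) continue;
    hits.push({
      subject: cert.subject.replace(/\n/g, ', '),
      selfIssued: cert.subject === cert.issuer, // true for a root
      sha256: cert.fingerprint256,
      validTo: cert.validTo,
      expired: new Date(cert.validTo).getTime() < Date.now(),
    });
  }
  return hits;
}

// Report what this runtime's bundled store contains for the target root.
const found = findRoots(tls.rootCertificates, TARGET_CN);
console.log(found.length ? found : `"${TARGET_CN}" is not in the bundled store`);
```

An empty result means the root would have to be supplied explicitly, for example through the `ca` option discussed above.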

@junjie

junjie commented Jan 22, 2025

FYI, I have tested node-apn following the update to the server certificates in sandbox on January 20, 2025, and everything works as before.

@llee1990

It is working for me as well 🙂
