
New Features

FortiGuard Distribution of Updated Apple Certificates (for token push notifications)


Push notifications to iPhone (used for token-based two-factor authentication) require a TLS certificate and private key that the FortiGate presents to Apple's push notification service. Because this certificate is valid for only one year, a new FortiGuard service extension distributes updated certificates to the FortiGate when needed.

The FortiGuard update service replaces the local Apple push notification certificate when it has expired, and reinstalls the certificate and key when the files are missing.

You can verify that the feature works on the FortiGate by using the CLI shell.

To verify certificate updates:
  1. Using the FortiOS CLI shell, verify that all certificate and key files are installed:

    /data/etc/apns # ls -al
    drwxr-xr-x 2 0 0 Tue Jan 15 08:42:39 2019 1024 .
    drwxr-xr-x 12 0 0 Tue Jan 15 08:45:00 2019 2048 ..
    -rw-r--r-- 1 0 0 Sat Jan 12 00:06:30 2019 2377 apn-dev-cert.pem
    -rw-r--r-- 1 0 0 Sat Jan 12 00:06:30 2019 1859 apn-dev-key.pem
    -rw-r--r-- 1 0 0 Sat Jan 12 00:06:30 2019 8964 apn-dis-cert.pem
    -rw-r--r-- 1 0 0 Sat Jan 12 00:06:30 2019 4482 apn-dis-key.pem

  2. Rename all current Apple certificate and key files.

    Apple push notifications stop working as soon as the files are renamed, and do not resume until the files are restored.

    /data/etc/apns # mv apn-dis-cert.pem apn-dis-cert.pem.save
    /data/etc/apns # mv apn-dev-key.pem apn-dev-key.pem.save
    /data/etc/apns # mv apn-dev-cert.pem apn-dev-cert.pem.save
    /data/etc/apns # mv apn-dis-key.pem apn-dis-key.pem.save
    /data/etc/apns # ls -al
    drwxr-xr-x 2 0 0 Tue Jan 15 08:51:15 2019 1024 .
    drwxr-xr-x 12 0 0 Tue Jan 15 08:45:00 2019 2048 ..
    -rw-r--r-- 1 0 0 Sat Jan 12 00:06:30 2019 2377 apn-dev-cert.pem.save
    -rw-r--r-- 1 0 0 Sat Jan 12 00:06:30 2019 1859 apn-dev-key.pem.save
    -rw-r--r-- 1 0 0 Sat Jan 12 00:06:30 2019 8964 apn-dis-cert.pem.save
    -rw-r--r-- 1 0 0 Sat Jan 12 00:06:30 2019 4482 apn-dis-key.pem.save

  3. Run a FortiGuard update (execute update-now from the FortiOS CLI), then verify that the certificates are installed again:

    /data/etc/apns # ls -al
    drwxr-xr-x 2 0 0 Tue Jan 15 08:56:20 2019 1024 .
    drwxr-xr-x 12 0 0 Tue Jan 15 08:56:15 2019 2048 ..
    -rw-r--r-- 1 0 0 Sat Jan 12 00:06:30 2019 2377 apn-dev-cert.pem.save
    -rw-r--r-- 1 0 0 Sat Jan 12 00:06:30 2019 1859 apn-dev-key.pem.save
    -rw-r--r-- 1 0 0 Tue Jan 15 08:56:20 2019 2167 apn-dis-cert.pem <--- downloaded from FortiGuard
    -rw-r--r-- 1 0 0 Sat Jan 12 00:06:30 2019 8964 apn-dis-cert.pem.save
    -rw-r--r-- 1 0 0 Tue Jan 15 08:56:20 2019 1704 apn-dis-key.pem <--- downloaded from FortiGuard
    -rw-r--r-- 1 0 0 Sat Jan 12 00:06:30 2019 4482 apn-dis-key.pem.save
    -rw-r--r-- 1 0 0 Tue Jan 15 08:56:20 2019 41 apn-version.dat <--- downloaded from FortiGuard
    /data/etc/apns #

    Note that only the distribution certificate and key (apn-dis-cert.pem and apn-dis-key.pem) and the version file apn-version.dat are downloaded. The renamed development files (apn-dev-cert.pem.save and apn-dev-key.pem.save) are not replaced, and the new distribution files differ in size from the saved copies, which is the expected sign that a fresh certificate was fetched rather than the old one restored.
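The procedure above checks the two conditions the update service reacts to (files missing, certificate expired) by eye. The script below is an added example, not FortiOS or FortiGuard code, that performs the same classification on a directory laid out like /data/etc/apns: it reports missing when the distribution pair is absent, mismatch when the key does not belong to the certificate, expiring when notAfter falls inside a chosen window (window 0 is the page's "already expired" condition), and ok otherwise. It needs the openssl CLI, which the FortiGate shell may not provide, so run it on an administrator host against a copy of the directory. The certificates it generates are constructed self-signed test files standing in for the Apple-issued apn-dis-*.pem, and the function names apns_check and make_test_pair are ours.

```shell
#!/bin/sh
# Added example (not FortiOS/FortiGuard code): classify an APNs certificate
# directory the way the update service must before it replaces or reinstalls
# anything. Requires the openssl CLI on PATH.

# apns_check DIR WINDOW_SECONDS
# Prints one word and returns: 0 ok, 1 missing, 2 expires within WINDOW,
# 3 key does not match certificate. WINDOW_SECONDS=0 means "already expired".
apns_check() {
    cert="$1/apn-dis-cert.pem"
    key="$1/apn-dis-key.pem"
    window="$2"
    if [ ! -s "$cert" ] || [ ! -s "$key" ]; then
        echo missing
        return 1
    fi
    # The page downloads cert and key together; a cert without its private key
    # cannot authenticate, so compare the public key carried by each file.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo mismatch
        return 3
    fi
    # openssl x509 -checkend N exits non-zero when notAfter is within N seconds.
    if ! openssl x509 -in "$cert" -noout -checkend "$window" >/dev/null 2>&1; then
        echo expiring
        return 2
    fi
    echo ok
    return 0
}

# make_test_pair DIR DAYS: constructed self-signed cert/key pair (hypothetical
# stand-in for the Apple-issued apn-dis-*.pem files) valid for DAYS days.
make_test_pair() {
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=apns-test" \
        -days "$2" -keyout "$1/apn-dis-key.pem" -out "$1/apn-dis-cert.pem" \
        >/dev/null 2>&1
}

# Walk the page's procedure: files present, renamed away, and a pair that is
# about to expire (here judged against a 30-day window rather than the
# page's "already expired", so the example does not have to wait a year).
demo() {
    d=$(mktemp -d)
    make_test_pair "$d" 365
    echo "fresh pair, window 0:        $(apns_check "$d" 0)"
    mv "$d/apn-dis-cert.pem" "$d/apn-dis-cert.pem.save"
    mv "$d/apn-dis-key.pem" "$d/apn-dis-key.pem.save"
    echo "renamed away, window 0:      $(apns_check "$d" 0)"
    make_test_pair "$d" 1
    echo "1-day pair, 30-day window:   $(apns_check "$d" 2592000)"
    rm -rf "$d"
}
demo
```

The checkend window is the knob to tune: the update service on the page acts only once the certificate has expired, but an operator who wants warning before push notifications fail would run apns_check with a window of a few weeks and alert on the expiring state.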
