Fortinet Document Library

New Features

6.2.0

FortiGuard Distribution of Updated Apple Certificates (for token push notifications)

Push notifications for iPhone (for the purpose of two-factor authentication) require a TLS server certificate to authenticate to Apple. Since this certificate is only valid for one year, a new service extension allows FortiGuard to distribute updated TLS server certificates to FortiGate when needed.

The FortiGuard update service updates the local Apple push notification TLS server certificates when the local certificate has expired. It also reinstalls the certificates if they are lost.

You can verify that the feature works on the FortiGate by using the CLI shell.

To verify certificate updates:
  1. Using the FortiOS CLI shell, verify that all certificates are installed:

    /data/etc/apns # ls -al
    drwxr-xr-x    2 0        0       Tue Jan 15 08:42:39 2019             1024 .
    drwxr-xr-x   12 0        0       Tue Jan 15 08:45:00 2019             2048 ..
    -rw-r--r--    1 0        0       Sat Jan 12 00:06:30 2019             2377 apn-dev-cert.pem
    -rw-r--r--    1 0        0       Sat Jan 12 00:06:30 2019             1859 apn-dev-key.pem
    -rw-r--r--    1 0        0       Sat Jan 12 00:06:30 2019             8964 apn-dis-cert.pem
    -rw-r--r--    1 0        0       Sat Jan 12 00:06:30 2019             4482 apn-dis-key.pem

  2. Rename all current Apple certificates.

    Apple push notification no longer works after you rename the certificates.

    /data/etc/apns # mv apn-dis-cert.pem apn-dis-cert.pem.save
    /data/etc/apns # mv apn-dev-key.pem apn-dev-key.pem.save
    /data/etc/apns # mv apn-dev-cert.pem apn-dev-cert.pem.save
    /data/etc/apns # mv apn-dis-key.pem apn-dis-key.pem.save
    /data/etc/apns # ls -al
    drwxr-xr-x    2 0        0       Tue Jan 15 08:51:15 2019             1024 .
    drwxr-xr-x   12 0        0       Tue Jan 15 08:45:00 2019             2048 ..
    -rw-r--r--    1 0        0       Sat Jan 12 00:06:30 2019             2377 apn-dev-cert.pem.save
    -rw-r--r--    1 0        0       Sat Jan 12 00:06:30 2019             1859 apn-dev-key.pem.save
    -rw-r--r--    1 0        0       Sat Jan 12 00:06:30 2019             8964 apn-dis-cert.pem.save
    -rw-r--r--    1 0        0       Sat Jan 12 00:06:30 2019             4482 apn-dis-key.pem.save

  3. Run a FortiGuard update, and verify that all certificates are installed again:

    /data/etc/apns # ls -al
    drwxr-xr-x    2 0        0       Tue Jan 15 08:56:20 2019             1024 .
    drwxr-xr-x   12 0        0       Tue Jan 15 08:56:15 2019             2048 ..
    -rw-r--r--    1 0        0       Sat Jan 12 00:06:30 2019             2377 apn-dev-cert.pem.save
    -rw-r--r--    1 0        0       Sat Jan 12 00:06:30 2019             1859 apn-dev-key.pem.save
    -rw-r--r--    1 0        0       Tue Jan 15 08:56:20 2019             2167 apn-dis-cert.pem         <---  downloaded from FortiGuard
    -rw-r--r--    1 0        0       Sat Jan 12 00:06:30 2019             8964 apn-dis-cert.pem.save
    -rw-r--r--    1 0        0       Tue Jan 15 08:56:20 2019             1704 apn-dis-key.pem          <---  downloaded from FortiGuard
    -rw-r--r--    1 0        0       Sat Jan 12 00:06:30 2019             4482 apn-dis-key.pem.save
    -rw-r--r--    1 0        0       Tue Jan 15 08:56:20 2019               41 apn-version.dat          <---  downloaded from FortiGuard
    /data/etc/apns #
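
The manual comparison in steps 2 and 3 can be scripted. The following is an added example, not Fortinet code: it assumes the two `ls -al` outputs were saved to text files on an admin workstation, and the function names `apns_refreshed` and `apns_missing` are hypothetical.

```shell
#!/bin/sh
# Added example, not Fortinet code. Run it on a workstation against saved
# `ls -al` captures of /data/etc/apns; function names are hypothetical.
# Columns: perms links uid gid Dow Mon Day HH:MM:SS Year size name

# Print files in AFTER ($2) that are new or differ in size/mtime from BEFORE ($1).
apns_refreshed() {
    awk '
        $1 !~ /^-[rwx-]+$/ || NF < 11 { next }   # skip prompts, "." and ".."
        { sig = $10 " " $5 " " $6 " " $7 " " $8 " " $9 }
        FILENAME == ARGV[1] { old[$11] = sig; next }
        !($11 in old) || old[$11] != sig { print $11 }
    ' "$1" "$2"
}

# Print each expected name (arguments 2..n) that listing $1 does not contain.
apns_missing() {
    listing=$1; shift
    for name in "$@"; do
        awk -v n="$name" '$1 ~ /^-/ && $11 == n { found = 1 }
            END { exit !found }' "$listing" || echo "$name"
    done
}

# Sample input: the step 2 and step 3 listings from this page (annotations removed).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/before.txt" <<'EOF'
/data/etc/apns # ls -al
drwxr-xr-x    2 0  0  Tue Jan 15 08:51:15 2019  1024 .
-rw-r--r--    1 0  0  Sat Jan 12 00:06:30 2019  2377 apn-dev-cert.pem.save
-rw-r--r--    1 0  0  Sat Jan 12 00:06:30 2019  1859 apn-dev-key.pem.save
-rw-r--r--    1 0  0  Sat Jan 12 00:06:30 2019  8964 apn-dis-cert.pem.save
-rw-r--r--    1 0  0  Sat Jan 12 00:06:30 2019  4482 apn-dis-key.pem.save
EOF
cat > "$demo_dir/after.txt" <<'EOF'
-rw-r--r--    1 0  0  Sat Jan 12 00:06:30 2019  2377 apn-dev-cert.pem.save
-rw-r--r--    1 0  0  Sat Jan 12 00:06:30 2019  1859 apn-dev-key.pem.save
-rw-r--r--    1 0  0  Tue Jan 15 08:56:20 2019  2167 apn-dis-cert.pem
-rw-r--r--    1 0  0  Sat Jan 12 00:06:30 2019  8964 apn-dis-cert.pem.save
-rw-r--r--    1 0  0  Tue Jan 15 08:56:20 2019  1704 apn-dis-key.pem
-rw-r--r--    1 0  0  Sat Jan 12 00:06:30 2019  4482 apn-dis-key.pem.save
-rw-r--r--    1 0  0  Tue Jan 15 08:56:20 2019    41 apn-version.dat
EOF

apns_refreshed "$demo_dir/before.txt" "$demo_dir/after.txt"
apns_missing "$demo_dir/after.txt" apn-dev-cert.pem apn-dev-key.pem \
    apn-dis-cert.pem apn-dis-key.pem
```

Against the listings on this page, the first call reports `apn-dis-cert.pem`, `apn-dis-key.pem` and `apn-version.dat` as refreshed. The second reports `apn-dev-cert.pem` and `apn-dev-key.pem` as absent, since in the step 3 output they exist only as `.save` copies.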
