Cookbook

FortiGuard distribution of updated Apple certificates

Push notifications to iPhone (used for two-factor authentication) require a TLS server certificate to authenticate to Apple. Because this certificate is valid for only one year, a service extension allows FortiGuard to distribute updated TLS server certificates to the FortiGate when needed.

The FortiGuard update service replaces the local Apple push notification TLS server certificates when the local certificate has expired. It also reinstalls the certificates when they are missing.

You can verify that the feature is working on the FortiGate by using the CLI shell.

To verify certificate updates:
  1. Using FortiOS CLI shell, verify that all certificates are installed:
    /data/etc/apns # ls -al
    drwxr-xr-x   2 0  0   Tue Jan 15 08:42:39 2019   1024 .
    drwxr-xr-x  12 0  0   Tue Jan 15 08:45:00 2019   2048 ..
    -rw-r--r--   1 0  0   Sat Jan 12 00:06:30 2019   2377 apn-dev-cert.pem
    -rw-r--r--   1 0  0   Sat Jan 12 00:06:30 2019   1859 apn-dev-key.pem
    -rw-r--r--   1 0  0   Sat Jan 12 00:06:30 2019   8964 apn-dis-cert.pem
    -rw-r--r--   1 0  0   Sat Jan 12 00:06:30 2019   4482 apn-dis-key.pem
  2. Rename all current Apple certificates.

    Apple push notification no longer works after you rename the certificates.

    /data/etc/apns # mv apn-dis-cert.pem apn-dis-cert.pem.save
    /data/etc/apns # mv apn-dev-key.pem apn-dev-key.pem.save
    /data/etc/apns # mv apn-dev-cert.pem apn-dev-cert.pem.save
    /data/etc/apns # mv apn-dis-key.pem apn-dis-key.pem.save
    /data/etc/apns # ls -al
    drwxr-xr-x   2 0  0   Tue Jan 15 08:51:15 2019   1024 .
    drwxr-xr-x  12 0  0   Tue Jan 15 08:45:00 2019   2048 ..
    -rw-r--r--   1 0  0   Sat Jan 12 00:06:30 2019   2377 apn-dev-cert.pem.save
    -rw-r--r--   1 0  0   Sat Jan 12 00:06:30 2019   1859 apn-dev-key.pem.save
    -rw-r--r--   1 0  0   Sat Jan 12 00:06:30 2019   8964 apn-dis-cert.pem.save
    -rw-r--r--   1 0  0   Sat Jan 12 00:06:30 2019   4482 apn-dis-key.pem.save
  3. Run a FortiGuard update, and verify that all certificates are installed again:
    /data/etc/apns # ls -al
    drwxr-xr-x   2 0  0   Tue Jan 15 08:56:20 2019   1024 .
    drwxr-xr-x  12 0  0   Tue Jan 15 08:56:15 2019   2048 ..
    -rw-r--r--   1 0  0   Sat Jan 12 00:06:30 2019   2377 apn-dev-cert.pem.save
    -rw-r--r--   1 0  0   Sat Jan 12 00:06:30 2019   1859 apn-dev-key.pem.save
    -rw-r--r--   1 0  0   Tue Jan 15 08:56:20 2019   2167 apn-dis-cert.pem  <-- downloaded from FortiGuard
    -rw-r--r--   1 0  0   Sat Jan 12 00:06:30 2019   8964 apn-dis-cert.pem.save
    -rw-r--r--   1 0  0   Tue Jan 15 08:56:20 2019   1704 apn-dis-key.pem   <-- downloaded from FortiGuard
    -rw-r--r--   1 0  0   Sat Jan 12 00:06:30 2019   4482 apn-dis-key.pem.save
    -rw-r--r--   1 0  0   Tue Jan 15 08:56:20 2019     41 apn-version.dat   <-- downloaded from FortiGuard
    /data/etc/apns #
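To make the comparison in steps 1 and 3 mechanical rather than by eye, the following added example (not part of the Fortinet cookbook or FortiOS) parses the `ls -al` listings shown above and reports which of the four APNs files are present after the FortiGuard update, which ones carry a newer modification time than before, and whether `apn-version.dat` was written. The listings are embedded as constructed sample input copied from the steps above; the file names are the ones the page shows.

```python
from datetime import datetime

# Constructed sample input: the `ls -al` output from step 1 (before) and
# step 3 (after the FortiGuard update), as printed on this page.
BEFORE = """\
-rw-r--r--   1 0  0   Sat Jan 12 00:06:30 2019   2377 apn-dev-cert.pem
-rw-r--r--   1 0  0   Sat Jan 12 00:06:30 2019   1859 apn-dev-key.pem
-rw-r--r--   1 0  0   Sat Jan 12 00:06:30 2019   8964 apn-dis-cert.pem
-rw-r--r--   1 0  0   Sat Jan 12 00:06:30 2019   4482 apn-dis-key.pem
"""
AFTER = """\
drwxr-xr-x   2 0  0   Tue Jan 15 08:56:20 2019   1024 .
-rw-r--r--   1 0  0   Sat Jan 12 00:06:30 2019   2377 apn-dev-cert.pem.save
-rw-r--r--   1 0  0   Sat Jan 12 00:06:30 2019   1859 apn-dev-key.pem.save
-rw-r--r--   1 0  0   Tue Jan 15 08:56:20 2019   2167 apn-dis-cert.pem  <-- downloaded from FortiGuard
-rw-r--r--   1 0  0   Sat Jan 12 00:06:30 2019   8964 apn-dis-cert.pem.save
-rw-r--r--   1 0  0   Tue Jan 15 08:56:20 2019   1704 apn-dis-key.pem   <-- downloaded from FortiGuard
-rw-r--r--   1 0  0   Sat Jan 12 00:06:30 2019   4482 apn-dis-key.pem.save
-rw-r--r--   1 0  0   Tue Jan 15 08:56:20 2019     41 apn-version.dat   <-- downloaded from FortiGuard
"""

# The four files step 1 expects under /data/etc/apns.
EXPECTED = {"apn-dev-cert.pem", "apn-dev-key.pem",
            "apn-dis-cert.pem", "apn-dis-key.pem"}


def parse_listing(text):
    """Map file name -> (mtime, size) for regular files in a busybox-style
    `ls -al` listing; directories and the trailing '<-- ...' note are ignored."""
    entries = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) < 11 or f[0].startswith("d"):
            continue
        mtime = datetime.strptime(" ".join(f[4:9]), "%a %b %d %H:%M:%S %Y")
        entries[f[10]] = (mtime, int(f[9]))
    return entries


def check_update(before, after):
    """Report which expected files are still missing after the update, which
    were refreshed (newer mtime than before, or newly created), and whether
    apn-version.dat was written by the update."""
    b, a = parse_listing(before), parse_listing(after)
    missing = EXPECTED - set(a)
    refreshed = {n for n, (t, _) in a.items()
                 if n in EXPECTED and (n not in b or t > b[n][0])}
    return {"missing": sorted(missing),
            "refreshed": sorted(refreshed),
            "version_file": "apn-version.dat" in a}


if __name__ == "__main__":
    print(check_update(BEFORE, AFTER))
```

Run against the listing in step 3 it reports `apn-dis-cert.pem` and `apn-dis-key.pem` as refreshed and the two `apn-dev-*` files as not yet present, which is exactly what the listing shows.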