Restore Previous APNS Certificate?

jpellet2
New Contributor III

I have put in a support ticket for this as well but just in case the community can answer before they can get to it, I'll post the same question here.

Back in January we were troubleshooting an issue where Casper wasn't communicating with Apple's DEP servers for whatever reason. During troubleshooting one of our techs deleted the APNS certificate and generated a new one. That's all well and good except that none of the 300+ devices using that certificate will now communicate with Casper. Of course we just realized that this is an issue after needing to run a report and capture data that we now don't have. Fortunately/unfortunately the Casper server is a VM and we have a snapshot of the machine from back in November. Of course we have added iOS devices since then but the deleted certificates would be in that snapshot. If I can get that snapshot up (after cloning the VM so as not to destroy the current production machine) is there a way to force that previous certificate back into the Casper system so that the iOS devices can pick it up and then update to the new cert? If so, what files/certs would I need to grab? We're on 9.x right now and I believe we were on a version of 9 back in November as well. I really hope there's something we can do here because needing to re-enroll more than 300 devices across 50 buildings is not something we'd like to do.

Along with the VM snapshot, I also have the JSS backups from November that it did when we upgraded the product to a newer version so perhaps the certs I need are there as well. The question is how to merge/add the old ones to the current production ones, assuming I can find them.

7 REPLIES

yan1212
Contributor

In addition to generating a new certificate, was the existing one also deleted (or expired) from Apple's portal (identity.apple.com)? If so, you may be completely out of luck unfortunately.

jpellet2
New Contributor III

It does look like the previous certificate is no longer in the portal. I only see one with JAMF next to it and that's the current one.

yan1212
Contributor

It looks like you'll have to re-enrol your devices. I believe that, if the previous certificate was revoked or left to expire, there is no way back unfortunately.

I may (hopefully) be wrong though and someone else will have found a way?

Nick_Gooch
Contributor III

I believe @yan1212 is correct. If the cert is no longer in Apple's portal or recognized by Apple then even if you do recover it from the old Casper server it shouldn't work.

BUT I don't see a way to delete a certificate in Apple's Push Certificate Portal? I see that you can revoke one but not delete it. Are you sure that it's not in there anymore? I would check to see if it was created with a different Apple ID. If so just re-download it and dump it in the JSS.

edullum
Contributor

@jpellet2 Were you able to find a resolution to this issue? I am having the same issue. My APN Certificate was revoked and when I tried to renew it a few days ago my JSS server was and still is no longer talking to my devices. Did you happen to call Apple Support to see if there is a magical way to un-revoke a revoked certificate?

jpellet2
New Contributor III

We did not find a resolution that would be favorable. There is no way for Apple to restore the certs so we're at it manually right now. Fortunately it's fairly simple for us to re-enroll rather than have to have our clients remove the profiles and start over. (If you've changed your payload since initial enrollment then this doesn't seem to work, however).

edullum
Contributor

@jpellet2 We were able to resolve this issue by creating a NEW APN Certificate and uploading it to the JSS. My devices are now talking to JSS without any error messages! No need for re-enrollment.