In the context of APNs, do p8 and p12 mean token and certificate based authentication respectively?

2

17

From what I know, PKCS 8 is often used to store private keys, and PKCS 12 is often used to store certificates.

And to communicate with APNs, you need authentication tokens or certificates.

https://developer.apple.com/library/content/documentation/NetworkingInternet/Conceptual/RemoteNotificationsPG/CommunicatingwithAPNs.html

Does that mean those .p8 files are keys used to create tokens, and those .p12 files are used as certificates?

Thomson answered 12/9, 2017 at 9:53 Comment(0)
16

Yes. The Apple Push Notification Authentication Key (P8 format) is used to generate server-side tokens. You do not need a certificate here. (This is mainly used when you have multiple apps under the same account, as this key is the same for all the apps, unlike certificates.) So using the same connection, your provider can talk to multiple apps using a mandatory 'authorization' header. Every POST request is henceforth validated by the APNs cloud using this header.

The P12 format exists for generating certificates for authenticating the provider against a particular AppID. Here, a separate certificate is required for every individual app. You do not need the 'authorization' header here, as the connection itself is authenticated.

I hope it helps.

Unsightly answered 12/9, 2017 at 11:43 Comment(2)
Thank you. So now I can reuse the connection to send notifications to different apps. That makes sense. The only question is, why don't they design it like that in the first place? - Thomson
True. But it's evolving. Previously there used to be a certificate per topic, then came the multi-topic certificate, then the same multi-topic certificate for production & development, & now the same key for the account ID. :) - Unsightly
14

.p8 is a key

The .p8 is an authentication token signing key, or simply, key. Your server can use this to authenticate with APNs. You can use this to create a JWT token (a few objects encoded and signed) and send this to APNs to authenticate. Specifically, you use the .p8 to sign the JWT payload/token, append this signature to the JWT, and then encrypt it (signed, then encrypted). More information is available in Communicate with APNs using authentication tokens and Establishing a Token-Based Connection to APNs. The way you would create the token is documented in Communicating with APNs. For example, the JWT must be encrypted, and it must be less than 1 hour old. It provides access to all applications, so you must use the apns-topic request header to specify the application.

.p12 is a certificate

The .p12 is a certificate. If your system has this certificate installed, it can use TLS and identify as you, so there's no further authentication needed. More information available in Communicate with APNs using a TLS certificate. It provides access to one app.

A good resource is Communicating with APNs.


Does that mean those .p8 files are keys used to create tokens,

Yes

and those .p12 files are used as certificates?

Yes

Meta answered 28/6, 2021 at 8:39 Comment(0)
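
As an added illustration of the token path the answers describe (not code from any of the posters or from Apple): a Node.js example that signs an APNs provider token with a .p8 key and checks it the way a receiver would, including the one-hour age limit. The key is generated in-process as a constructed stand-in for a real .p8 file, the key ID, team ID and bundle ID passed in are placeholders, and the header and claim names (ES256, kid, iss, iat) follow Apple's token-based connection documentation.

```javascript
// Added example: APNs provider token (ES256-signed JWT) from a .p8 key.
const nodeCrypto = require('node:crypto');

const b64url = (data) => Buffer.from(data).toString('base64url');

// Constructed stand-in for a downloaded .p8 file: a PKCS#8 PEM P-256 private key.
function makeSampleP8() {
  const { privateKey, publicKey } =
    nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  return { p8Pem: privateKey.export({ type: 'pkcs8', format: 'pem' }), publicKey };
}

// Sign "header.claims" with the .p8 key; keyId and teamId are placeholders here.
function makeProviderToken(p8Pem, keyId, teamId, nowMs = Date.now()) {
  const header = b64url(JSON.stringify({ alg: 'ES256', kid: keyId }));
  const claims = b64url(JSON.stringify({ iss: teamId, iat: Math.floor(nowMs / 1000) }));
  const signingInput = `${header}.${claims}`;
  // JWS ES256 uses the raw 64-byte r||s form, not OpenSSL's default DER encoding.
  const sig = nodeCrypto.sign('sha256', Buffer.from(signingInput),
    { key: p8Pem, dsaEncoding: 'ieee-p1363' });
  return `${signingInput}.${b64url(sig)}`;
}

// Receiver-side checks: signature over the first two segments, and token age.
function checkProviderToken(token, publicKey, nowMs = Date.now()) {
  const [header, claims, sig] = token.split('.');
  const signatureValid = nodeCrypto.verify('sha256', Buffer.from(`${header}.${claims}`),
    { key: publicKey, dsaEncoding: 'ieee-p1363' }, Buffer.from(sig, 'base64url'));
  const { kid } = JSON.parse(Buffer.from(header, 'base64url').toString());
  const { iss, iat } = JSON.parse(Buffer.from(claims, 'base64url').toString());
  const ageSec = Math.floor(nowMs / 1000) - iat;
  return { signatureValid, fresh: ageSec >= 0 && ageSec < 3600, kid, iss };
}

// Per-request headers: the same token serves every app, apns-topic selects one.
function requestHeaders(token, bundleId) {
  return { authorization: `bearer ${token}`, 'apns-topic': bundleId };
}
```

The first two token segments are plain base64url JSON; the .p8 key only signs them, and confidentiality comes from the TLS connection to APNs. Because one .p8 key covers every app on the account, it warrants tighter storage and rotation controls than a per-app .p12.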
