Page tree
Skip to end of metadata
Go to start of metadata


In order to communicate with Apple devices, CapaInstaller relies on the Apple Push Notification service (APNs). The APNs requires that each service identifies itself by using a certificate issued by Apple, ensuring that only authorized services can contact Apple devices.

Before an APNs certificate can be issued using the Apple Push Certificate Portal, a certificate request must be generated and signed by an authorized MDM vendor, in this case, CapaSystems A/S. 

To upload the certificate request to Apple, an Apple ID is required. It is strongly recommended that a unique Apple ID is created for this purpose, DO NOT use your personal Apple ID for this.

Apple Push Notification Service Update

Apple has announced a new protocol must be used for the Apple Push Notification service as of March 29th, 2021 as well a new root certificate must be incorporated in the MDM solution.

In CapaInstaller 6.1 both have been implemented. To make installations simpler and easier to maintain, Apple Push Certificate in CapaInstaller 6.1 is uploaded to CapaInstaller's Cloud service - the certificate is no longer installed on MDM server(s). The certificate is uploaded to CapaInstaller MDM Portal.

Upgrading from CapaInstaller 6.0 to CapaInstaller 6.1

In CapaInstaller 6.1 Push messages for Apple and Android are sent from CapaOne and new features are available only on the MDM Portal. To link between your installation and CapaOne you must have a Portal  Access Token in the console.

Check if you already have a Portal Access Token:

Portal Access Token

Open System Administration module in CapaInstaller Console, select Software Accounts and then select CapaOne. 

If you have a Portal Access Token you don't need to do further.

When you upgrade to CapaInstaller 6.1, you must upload the Apple Push Notification Certificate to 

To generate a new APN Certificate follow the Apple Push Certificate Request from CapaInstaller Console. Uploading the certificate is done automatically. Just follow the guide below.

 Request and generate or update an Apple Push Certificate


In the "System Administration" module, select menu item "Actions", then select "Apple Push Certificate request.."


Wizard starts, press the "Next" button to proceed


If the "Verify OpenSSL" isn't status Passed go to Install OpenSSL

If the "Verify access to CapaInstaller certificate request signing service" isn't status passed you must:

First, try to open a browser on the machine from which you run this wizard. Open the following URL:

Ensure that port 7000 is opened from the CapaInstaller server out to the internet. The certificate request signing service is placed on a CapaInstaller server at port 7000.


Select an output folder. Press the "Start" button, and click "Next" when the certificate request is finished

5Now you have created the certificate request which has been signed by CapaSystems and stored in the previously selected output folder

Press the "Open Apple Push Certificates Portal"


Log in with your Apple Push Certificates Portal account


Press the "Renew" tab


If this disclaimer appears then just accept it


Press "Choose File" and select the file named: plist_encoded, it is stored in the output directory, and click "upload"


Now you should get the real certificate as shown in the picture.

First, you should open your calendar and insert an alert that will expire a month before the certificate's expiring date. This will help you recall when to get a new certificate.


You should now press the "Create Certificate File" button in the CapaInstaller certificate Wizard in order to continue the certificate issuing process.


In the "Apple certificate File" select the certificate downloaded from the Apple push Cert page. (Named: MDM_something.pem)

When that is done, press the start tab and then click next


Now you have the Apple Push Certificate in your output folder (File extension is pfx)


A new Apple Push Certificate has been generated and uploaded to CapaOne.


Logon to and select Certificates


Check the certificate is uploaded and valid

  • No labels