Renew MDM CSR Certificate - micromdm/micromdm GitHub Wiki

Renew Push Certificates

Apple Push Certificates need be renewed every 12 month to keep MDM working. Expired push certificate will cause current communication between MDM and devices break, and require re-enrollment.

It’s important to renew it before expired.

You can check current certificate expiration date and renew it at https://identity.apple.com/pweb/

Follow steps to renew every 11 month.

  1. ssh to mdm server
  2. backup current mdm-certificates folder
mv mdm-certificates mdm-certificates-backup
  1. create new VendorPrivateKey.key file and VendorCertificateRequest.csr file under mdm-certificates folder
mdmctl mdmcert vendor -password=xxxxx -country=US [email protected]
  1. go to Apple Developer Site with your developer apple id.
  2. Create new MDM CSR Certificate

  • Go to Certificates, Identifiers & Profiles and click on the + button for Certificates.

  • Under Services select MDM CSR and hit the Continue button

  • Upload the VendorCertificateRequest.csr file and you will now be taken to the download page to download your mdm.cer file.

  1. create a new PushCertificatePrivateKey.key file and PushCertificateRequest.csr file in the mdm-certificates folder
mdmctl mdmcert push -password=xxxxx -country=US [email protected]
  1. Sign Push Certificate Request using mdm.cer certificate from step 5.
mdmctl mdmcert vendor -sign -cert=./mdm-certificates/mdm.cer -password=xxxxx
  1. Submit plist to Apple

  • Login to https://identity.apple.com/pweb/ use apple id

  • Make sure RENEW the certificate you want to renew, do not revoke and create a new one

  • Upload PushCertificateRequest.plist file from step 7.

  • Download .pem file

  • Save and rename .pem file to MDM server ~/mdm-certificates/my.pem

  1. Upload the certificate to MDM
mdmctl mdmcert upload \
    -cert mdm-certificates/my.pem \
    -private-key mdm-certificates/PushCertificatePrivateKey.key \
    -password=xxxxx
  1. In order to update Apple Business Manager(ABM), you will need to export new dep-tokens
mdmctl get dep-tokens -export-public-key /tmp/DEPPublicKey.pem
  1. go to Apple Business Manager login using apple id, edit your MDM Server and upload new public key DEPPublicKey.pem from step 10, then download the server token .p7m file
  2. import new .p7m DEP tokens to MDM
mdmctl apply dep-tokens \
    -import /path/to/downloaded.p7m
  1. You can verify DEP account
mdmctl get dep-account
  1. Restart MDM service
sudo systemctl daemon-reload
sudo systemctl restart micromdm.service
  1. Optional verify server running correctly by tailing the log
sudo journalctl -u micromdm.service -f
  1. Setup calendar to remind you next renewal