iOS p12 certificate generation

Sending push notifications to iOS apps requires an authenticated connection to Apple Push Notification service (APNs). You can authenticate using a token-based (.p8 key) or a certificate-based (.p12 file) method — only one is necessary. This guide covers the certificate-based (.p12 file) method. This is not recommended because you must renew it annually, which requires generating a new certificate in your Apple Developer Account and re-uploading it to your OneSignal dashboard.

---

​

Requirements

Make sure you have the following before starting:

• An iOS or macOS app.
• A Paid Apple Developer Account with Admin access.
• A OneSignal Account.
• A Mac with Xcode 14+.
• The Bundle ID for your app target as set in Xcode.
• An Xcode project with Push Notification capability enabled.

---

​

Create a Certificate Signing Request (CSR)

You first need to create a .certSigningRequest file on macOS.

1. Open Applications > Utilities > Keychain Access.
2. From the menu bar, click Keychain Access > Certificate Assistant > Request a Certificate From a Certificate Authority…

3. Fill in the required fields:
   • User Email Address: [email protected]
   • Common Name: Your name or the name for the certificate
   • CA Email Address: Leave this blank
   • Request is: Select Saved to disk

4. Click Continue, choose a location to save the .certSigningRequest file, and click Save.

---

​

Enable push capabilities for the app

1. Go to the Identifiers section of the Apple Developer portal, locate and select your app’s App ID from the list.

2. Enable the Push Notifications capability by checking the box.

---

​

Create a push certificate

Follow these steps to generate the Apple Push Notification service (APNs) SSL certificate:

1. Visit the Apple Certificates page.
2. Click the plus (+) button to create a new certificate.
3. Under Services, select:
   • Apple Push Notification service SSL (Sandbox & Production)
   • Then click Continue
   
4. Select your App ID from the list and click Continue.

5. Upload your previously generated .certSigningRequest file.

6. Click Continue, then click Download to save the resulting .cer file to your computer.

You’ll use this .cer file in the next section to create your .p12 certificate.

---

​

Create a private key and export the .p12 certificate

1. Double-click the downloaded .cer file to import it into Keychain Access.
2. In Keychain Access, navigate to:
   • Keychains > Login
   • Category > My Certificates
3. Locate the certificate named Apple Push Services.
4. Right-click the certificate and select Export.

5. Choose a location to save the file, and select the file format as .p12.
6. When prompted, set a password for the .p12 file. You will need this password when uploading to OneSignal.

---

​

Upload the .p12 to OneSignal

1. In your OneSignal dashboard, go to your app > Settings > Push & In-App > Apple iOS.
2. Upload the .p12 file (and enter the password if you set one). Click Save.

---

​

.p12 troubleshooting

​

Invalid certificate format error

Cause: The uploaded file is not in .p12 format. Fix: Ensure you export the certificate from Keychain Access as .p12 (not .cer or .pem).

​

”Incorrect password” when uploading to OneSignal

Cause: Password was entered incorrectly or not set. Fix:

• Try exporting again and set a new password.
• Ensure no extra spaces are added when pasting.
• If using Provisionator, the password is shown in the UI.

​

Missing private key in exported file

Cause: Certificate was imported but not paired with a private key. Fix:

• Make sure you generate the CSR from Keychain Access on the same machine.
• After downloading the .cer file, double-click to install and check if the key appears under My Certificates.

​

Push notifications not working after upload

Cause: Incorrect App ID, or Provisioning Profile missing capabilities. Fix:

• Confirm the .p12 matches the App ID used in the app.
• In Apple Developer Portal, ensure the App ID has Push Notifications enabled.
• Make sure the Provisioning Profile includes Push.

​

Expired certificate

Cause: .p12 certificate is no longer valid. Fix:

• Go to Apple Developer > Certificates and check expiry.
• Revoke the old certificate and create a new one.

---

​

Next steps

---

​

FAQ

​

When does my .p12 certificate expire, and how do I renew it?

.p12 certificates expire one year after creation. To renew, generate a new CSR, create a new push certificate in Apple Developer, export it as .p12, and re-upload it to your OneSignal dashboard. Set a calendar reminder to avoid disruption. Alternatively, switch to a .p8 key, which does not expire.

​

Should I use .p8 or .p12?

OneSignal recommends .p8 keys for most apps. A .p8 key does not expire, works across all apps under your Apple Developer account, and is simpler to manage. A .p12 certificate is app-specific and must be renewed annually. See the .p8 key guide for setup instructions.

​

Do I need a provisioning profile, and how do I create one?

Yes, Apple requires different types of profiles for development, testing (Ad Hoc), and distribution to the App Store. In Xcode, select Automatically manage signing to create one automatically. Otherwise, see Apple’s docs on provisioning profiles for details.

---