APNs renewal disaster: Mismatch error! (Solved)

Participant
Discussion
1 month ago Apr 28, 2026

Hey everyone, I think I might have just messed up our entire Apple fleet deployment. Our APNs certificate was about to expire, so I went to the Apple portal to sort it out. I generated the CSR from Hexnode, logged into Apple, and created a new certificate to upload back into Hexnode. But the moment I hit upload, the portal threw an "Invalid Certificate: The uploaded certificate does not match the original configuration" alert. Now nothing is syncing. I am terrified I have broken the connection to all our iOS and Mac devices.

Replies (3)

Participant
1 month ago Apr 28, 2026

Oh man, take a deep breath, I did the exact same thing last year! The root cause is that you clicked Create a Certificate instead of Renew in the Apple Push Certificates Portal. When you create a new one, Apple generates a brand new UID string. Hexnode intentionally blocks this upload because overwriting the old UID permanently breaks the cryptographic trust with your currently enrolled devices, which would force a factory reset across your whole fleet.

The good news is you can safely rectify this as long as you still have access to the original Apple ID. Here is what you need to do: first, go into your Hexnode portal under Admin, then APNs, and note down the Unique Identifier string. Then, log back into identity.apple.com/pushcert with the correct Apple ID. Click the little "i" info button next to your active certificates until you find the one where the UID perfectly matches what you see in Hexnode. Once you find that exact match, click Renew on that specific certificate, upload your CSR from Hexnode, download the new .pem file, and upload it to Hexnode. That will fix the mismatch and restore your sync!
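A small pre-upload check for the renewal procedure above, added here as an example and not part of the thread or of Hexnode's or Apple's tooling. It assumes the Unique Identifier shown in the MDM console is the UID attribute of the certificate subject (the com.apple.mgmt.External.<guid> value Apple push certificates carry), and it generates a self-signed stand-in certificate purely so the script runs offline; a real .pem comes from identity.apple.com/pushcert.

```shell
#!/bin/sh
# Added example: compare the UID inside a freshly downloaded APNs .pem with the
# Unique Identifier the MDM console shows, before uploading it, so a
# "Create" instead of "Renew" mistake is caught before anything is overwritten.
# Assumption: the console's Unique Identifier equals the subject UID attribute.

# pem_uid FILE: print the subject UID attribute of an X.509 PEM (empty if none).
pem_uid() {
  openssl x509 -in "$1" -noout -subject -nameopt sep_multiline,utf8 2>/dev/null \
    | sed -n 's/^[[:space:]]*UID=//p'
}

# uid_matches FILE EXPECTED: exit 0 only when the PEM's UID equals EXPECTED.
uid_matches() {
  actual=$(pem_uid "$1")
  [ -n "$actual" ] && [ "$actual" = "$2" ]
}

# make_demo_cert DIR UID: constructed stand-in for a push certificate,
# self-signed and valid for one day, used only so the example runs offline.
make_demo_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$1/push.key" -out "$1/push.pem" \
    -subj "/UID=$2/CN=APSP:demo/C=US" >/dev/null 2>&1
}

# check_before_upload FILE EXPECTED: human-readable verdict; non-zero on mismatch.
check_before_upload() {
  if uid_matches "$1" "$2"; then
    echo "OK: $1 carries UID $2; it is a renewal of the enrolled certificate."
  else
    echo "MISMATCH: $1 carries UID '$(pem_uid "$1")', console expects '$2'."
    echo "Go back to the portal and click Renew on the certificate whose UID is $2."
    return 1
  fi
}

# Usage: sh check_apns_uid.sh /path/to/new.pem com.apple.mgmt.External.<guid>
if [ $# -eq 2 ]; then
  check_before_upload "$1" "$2"
fi
```

Run it with the downloaded .pem and the identifier copied from Admin > APNs; a MISMATCH verdict means the portal handed back a certificate with a new UID, which is exactly the situation the console refuses.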

Participant
4 weeks ago Apr 29, 2026

Hey, thanks. Devices are syncing again!

Quick follow-up question for you though: our network team recently updated our firewall rules, and a few of our Macs were already having trouble installing profiles even before my certificate mishap. The Hexnode console just says the MDM client cannot connect to the server. Could this be related to the APNs certificate, or is it a separate network issue?

Participant
4 weeks ago Apr 29, 2026

That sounds like a completely separate firewall problem. Hexnode does not directly talk to the devices; it actually tells the APNs gateway to wake them up. If your network team blocked outbound connections to Apple notification servers, the devices cannot establish that trust. You should have your network admins check if they accidentally blocked ports 5223 and 443 for *.push.apple.com. You can even test this yourself by running a quick terminal command on one of the affected Macs like nc -zv courier.push.apple.com 5223. If it returns a connection refused or timeout, you know the firewall is definitely the culprit!
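The nc check from the reply above, extended into a script that probes both ports the reply names against the courier host and gives one verdict per target. This is an added example, not something from the thread or from Hexnode; the host and ports are the ones the reply gives, the timeout value and the bash /dev/tcp fallback (for Macs or servers without nc) are my own choices.

```shell
#!/bin/sh
# Added example: probe the APNs ports that a firewall must leave open outbound.
# Host and ports come from the thread; everything else here is an assumption.

# Targets to check: courier.push.apple.com on 5223 (primary) and 443 (fallback).
APNS_TARGETS="courier.push.apple.com:5223 courier.push.apple.com:443"

# probe_tcp HOST PORT [TIMEOUT_SECONDS]
# Exit 0 if a TCP handshake completes, non-zero on refused or timed out.
probe_tcp() {
  host=$1; port=$2; secs=${3:-5}
  if command -v nc >/dev/null 2>&1; then
    # -z: connect only, send nothing; -w: connect timeout in seconds
    nc -z -w "$secs" "$host" "$port" >/dev/null 2>&1
  elif command -v timeout >/dev/null 2>&1; then
    # No nc installed: use bash's built-in /dev/tcp with an external timeout
    timeout "$secs" bash -c "exec 3<>/dev/tcp/$host/$port" >/dev/null 2>&1
  else
    # Last resort: /dev/tcp with the OS connect timeout
    bash -c "exec 3<>/dev/tcp/$host/$port" >/dev/null 2>&1
  fi
}

# count_unreachable "host:port host:port ..." [TIMEOUT_SECONDS]
# Prints a verdict per target on stderr and echoes the number of failures
# on stdout, so callers can capture the count.
count_unreachable() {
  targets=$1; secs=${2:-5}; failed=0
  for t in $targets; do
    host=${t%:*}; port=${t##*:}
    if probe_tcp "$host" "$port" "$secs"; then
      echo "OK    $host:$port reachable" >&2
    else
      echo "FAIL  $host:$port refused or timed out" >&2
      failed=$((failed + 1))
    fi
  done
  echo "$failed"
}

# Usage: sh apns_firewall_check.sh --run   (on one of the affected Macs)
if [ "${1:-}" = "--run" ]; then
  n=$(count_unreachable "$APNS_TARGETS")
  if [ "$n" -eq 0 ]; then
    echo "All APNs targets reachable; the firewall is not blocking push traffic."
  else
    echo "$n APNs target(s) unreachable; ask the network team about *.push.apple.com on 5223/443."
    exit 1
  fi
fi
```

A FAIL on both ports from a machine that otherwise has internet access points at the firewall rule change rather than at the certificate, which is the distinction the reply draws.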
