Our APNs certificate in Hexnode shows as expired, and Apple devices are no longer manageable. I can see the APNs details under the Admin section, but I’m not sure what the correct renewal process is. Do I need to create a new certificate, or is there a way to renew the existing one without affecting currently enrolled Apple devices?
help: How to renew an expired APNs certificate in Hexnode UEM without breaking enrollment? (Solved)
Replies (4)
Hey @bram, whatever you do, do not create a new one! If you create a new APNs certificate, it breaks management for all your already enrolled Apple devices and you will have to factory reset or re-enroll them all manually. You definitely want to renew the existing one.
I’ve done this a bunch of times. Here is the workflow to renew it safely:
- In the Hexnode console, go to Admin > APNs settings.
- Review your existing APNs certificate details (pay attention to the expiration date and the associated Apple ID).
- Click Renew certificate.
- Generate and download the Hexnode-signed CSR file.
- Open the Apple Push Certificates Portal from the renewal workflow.
- Sign in using the exact same Apple ID that was used to create the original APNs certificate.
- Locate the correct certificate in the Apple portal. (I always match it using the expiration date shown in Hexnode to be safe.)
- Click Renew for that specific certificate and upload the Hexnode-signed CSR file.
- Download the renewed APNs certificate in .pem format from Apple.
- Return to Hexnode and upload the .pem file to complete the renewal.
Once uploaded, Hexnode will start talking to your devices again.
Just to confirm, the Apple ID matters here, right? We have multiple company Apple IDs floating around, and I don’t want to accidentally renew the wrong certificate or accidentally create a new one while logged into the wrong account.
Yes, the Apple ID is critical. You must use the original Apple ID associated with the existing APNs certificate. If you log in with a different Apple ID, you won’t even see the correct certificate available to renew.
When you get into the Apple Push Certificates portal, just make sure you renew the cert that matches the expiration date shown in Hexnode. Renewing the existing certificate preserves the trust relationship between Hexnode, Apple, and your devices.
Got it. I tracked down the right Apple ID, followed the renewal flow, uploaded the Hexnode-signed CSR to the Apple portal, downloaded the .pem file, and uploaded it back into Hexnode. The APNs certificate now shows as renewed and devices are syncing again. This worked perfectly. Thanks for saving me from having to re-enroll everything!
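
A check to run between downloading the renewed .pem from Apple and uploading it to Hexnode, as an added example that is not part of the original thread and is not Hexnode tooling: a renewed push certificate keeps the APNs topic (the UID attribute of its subject) of the certificate it replaces, while a newly created one gets a different topic. It assumes you have a copy of the previous certificate file; the file names and topic values are constructed, and the sample certificates are self-signed stand-ins generated with `openssl`.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): confirm a renewed APNs push certificate
# keeps the topic of the one it replaces before uploading it to the MDM console.

# Print the APNs topic, stored in the UID attribute of the certificate subject.
apns_topic() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
    sed 's/^subject= *//' | tr ',' '\n' | sed -n 's/^UID=//p'
}

# Succeed only if both certificates carry the same topic and the renewed one
# is still within its validity period.
is_valid_renewal() {   # usage: is_valid_renewal OLD.pem RENEWED.pem
  local old_topic new_topic
  old_topic=$(apns_topic "$1")
  new_topic=$(apns_topic "$2")
  [ -n "$old_topic" ] && [ "$old_topic" = "$new_topic" ] &&
    openssl x509 -in "$2" -noout -checkend 0 >/dev/null
}

# Constructed sample data: a self-signed stand-in for a push certificate.
# Real ones are issued by Apple; the topic values used below are made up.
make_sample_cert() {   # usage: make_sample_cert TOPIC OUTFILE
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -keyout "$2.key" \
    -subj "/UID=$1/CN=APSP:constructed/C=US" -out "$2" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_sample_cert "com.apple.mgmt.External.constructed-aaaa" "$demo_dir/old.pem"
make_sample_cert "com.apple.mgmt.External.constructed-aaaa" "$demo_dir/renewed.pem"
make_sample_cert "com.apple.mgmt.External.constructed-bbbb" "$demo_dir/new.pem"

for candidate in renewed.pem new.pem; do
  if is_valid_renewal "$demo_dir/old.pem" "$demo_dir/$candidate"; then
    echo "$candidate: same topic as old.pem, safe to upload"
  else
    echo "$candidate: topic differs or certificate expired, do not upload"
  fi
done
```

A topic mismatch means the file came from a different certificate entry in the Apple portal, which is the wrong-Apple-ID or wrong-certificate case discussed in the replies.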