How to generate and install an Apple Push Notification certificate?


This article explains how an IT Administrator can create and load an Apple Push Notification certificate, which is required for implementing inSync's Data Loss Prevention features on all enterprise mobile devices. 

The administrator needs to install OpenSSL, and generate a Certificate Signing Request (CSR). Druva Support signs the CSR, which is needed to generate a Push Certificate on the Apple site. This Push Certificate is uploaded to the inSync server. The details are explained in the article.

Before you begin

You will need an Apple ID to log in to the Apple site and generate an Apple MDM Certificate.

Read the Mobile FAQs to get an overview of how inSync uses MDM certificates.

Download and Install OpenSSL

Go to Download and install OpenSSL.



For related information, see How to set up and install a Trusted Certificate from a Certification Authority (CA).

Generate a private key

To generate a private key and get a Certificate Signing Request:

1. Open a command prompt. Navigate to c:\openssl-win32\bin.


2. At the command prompt, enter the following commands to generate a private key.

Set OPENSSL_CONF=c:\openssl-win32\bin\openssl.cfg
openssl genrsa -out privatekey.pem 2048


3. Enter the following command to generate a Certificate Signing Request.

openssl req -new -key privatekey.pem -outform DER -out customer.der

Enter Details for CSR

Use the name of the web server as the Common Name (CN). If the domain name is, append the domain to the host-name (use the fully qualified domain name, FQDN). The Common Name field should be the FQDN or the web address for which you plan to use your Certificate, for example, the specific area of your site you wish clients to connect to using SSL.

For example, an SSL Certificate issued for will not be valid for If the web address to be used for SSL is, ensure that the common name submitted in the CSR is

If you are using Druva inSync Cloud the common name will be

The fields for email address, optional company name and challenge password can be left blank for a server certificate.


4. Locate the file “customer.der” in c:\openssl-win32\bin.

5. Upload it to Support Portal.

6. Druva Support will reply with a new file “plist_encoded.dat”. This is the Signed CSR.

Create a new Push Certificate

To generate an Apple Push Certificate using the Druva CSR:

1. Go to

2. Log in with your Apple ID.

3. Create a New Push Certificate.

4. Click Choose File and select the “plist_encoded.dat” file sent by Druva Support.

5. Click Upload. 



6. Download the Apple Push Notification (APN) Certificate.

Edit the APN certificate

You need to edit the certificate and append the SSL certificate at the end of it, in order to generate the APN certificate that is to be uploaded to the inSync Server.

To modify the APN certificate:

1. Open the APN Certificate in Notepad.


2. Locate the “privatekey.pem” file generated previously in c:\openssl-win32\bin and open it. Copy the contents.


3. Paste the contents of the “privatekey.pem” file at the end of the APN Certificate file and save it.


This is the certificate you need to load in the inSync Server Web Panel.
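
The manual edit can go wrong in two ways: the downloaded certificate may not belong to the privatekey.pem on disk (for example, if the key was regenerated after the CSR was submitted), and a paste can run the two PEM blocks together. The script below is an added example, not part of Druva's procedure, that checks both before writing the combined file. It assumes a POSIX shell with OpenSSL on the PATH; the file names apn_cert.pem and mdm_bundle.pem and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not Druva's tooling. apn_cert.pem and mdm_bundle.pem are
# assumed file names; privatekey.pem and customer.der come from the steps above.

# Print the RSA modulus of a key, CSR or certificate.
# $1 = openssl subcommand (rsa | req | x509), $2 = file, $3 = PEM or DER
modulus() {
    openssl "$1" -in "$2" -inform "$3" -noout -modulus 2>/dev/null
}

# Succeed only if the object in $2 carries the same public key as key $4.
same_modulus() {
    a=$(modulus "$1" "$2" "$3") || return 1
    b=$(modulus rsa "$4" PEM) || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# csr_matches_key CSR_DER KEY_PEM: run before uploading customer.der.
csr_matches_key() {
    same_modulus req "$1" DER "$2"
}

# build_apn_bundle CERT_PEM KEY_PEM OUT: certificate first, key appended.
# Writes nothing and returns 1 if the certificate was not issued for the key.
build_apn_bundle() {
    same_modulus x509 "$1" PEM "$2" || {
        echo "refusing to build $3: certificate and key do not match" >&2
        return 1
    }
    # The bundle holds an unencrypted private key, so a new file is created
    # owner-only. openssl re-emits the certificate with a trailing newline,
    # which keeps the END CERTIFICATE and BEGIN ... PRIVATE KEY lines apart.
    ( umask 077
      { openssl x509 -in "$1"; tr -d '\r' < "$2"; } > "$3" )
}

# Stand-alone use: sh apn_bundle.sh apn_cert.pem privatekey.pem mdm_bundle.pem
if [ "$#" -eq 3 ]; then
    build_apn_bundle "$1" "$2" "$3"
fi
```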

Upload certificate to inSync Server

1. Open the inSync Server Management GUI.

2. Click Manage > Settings > Mobile Certificates.

3. Upload the MDM file in the APN Certificate Section. 

