
Which Root CA certs required for Apple's 3/29/21 HTTP/2 cert change?


I've dug around and found several related questions, mostly about Azure or Firebase; however, there are some users (myself being one of them) who send HTTP/2 push notification data directly to Apple.

Do we need all three Root CAs installed OR do we only need AAACertificateServices 5/12/2020?

On 2/10/21, we got the following email:

On March 29, 2021, token and certificate-based HTTP/2 connections to the Apple Push Notification service must incorporate the new root certificate (AAACertificateServices 5/12/2020) which replaces the old GeoTrust Global CA root certificate. To ensure a seamless transition and to avoid push notification delivery failures, verify that both the old and new root certificates for the HTTP/2 interface are included in the Trust Store of each of your notification servers before March 29.

Note that Apple Push Notification service SSL provider certificates issued to you by Apple do not need to be updated at this time.

Learn more about connecting to APNs.

If you have any questions, contact us.

Best regards, Apple Developer Relations

On the page linked above (also here) there are three certificates listed for download: [image: Root CA certs available for download]

The Comodo RSA and USERTrust RSA certificates both have certification path dependencies on AAA Certificate Services.

Do we need all three Root CAs installed OR do we only need AAACertificateServices 5/12/2020?

Thank you!


Solution

  • In the mail you received the link is named (AAACertificateServices 5/12/2020), so this is the only certificate you need.

    You can also look at the other link in the mail: Learn more about connecting to APNs. There is more info under the Establish a Trusted Connection to APNs section.

    Edit:

    See also this answer at Developer Forums.
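
One way to check a notification server's trust store for the two roots named in the e-mail, as an added example that is not part of the original question or answer. The function names and the sample store are constructed for illustration; the CN strings are the root names from the e-mail and the question, and a root is only counted when it is self-issued, so a cross-signed intermediate with a matching subject does not count.

```python
import ssl

# Subject CNs of the roots named in the Apple e-mail (new root, old root).
REQUIRED_ROOT_CNS = ("AAA Certificate Services", "GeoTrust Global CA")


def _name(cn):
    # Build a name in the tuple-of-RDNs shape that get_ca_certs() returns.
    return ((("commonName", cn),),)


# Constructed sample store: the new root plus a cross-signed intermediate.
CONSTRUCTED_STORE = [
    {"subject": _name("AAA Certificate Services"),
     "issuer": _name("AAA Certificate Services")},
    {"subject": _name("USERTrust RSA Certification Authority"),
     "issuer": _name("AAA Certificate Services")},
]


def subject_cn(cert):
    """Return the commonName from a get_ca_certs()-style certificate dict."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def audit_roots(ca_certs, required=REQUIRED_ROOT_CNS):
    """Map each required CN to True if a self-issued cert with that CN exists."""
    roots = {subject_cn(c) for c in ca_certs
             if c.get("subject") and c.get("subject") == c.get("issuer")}
    return {cn: cn in roots for cn in required}


def audit_trust_store(cafile=None):
    # cafile=None loads the platform default store; certificates that live
    # only in an OpenSSL capath directory are not listed by get_ca_certs().
    ctx = ssl.create_default_context(cafile=cafile)
    return audit_roots(ctx.get_ca_certs())


if __name__ == "__main__":
    for cn, ok in audit_trust_store().items():
        print(f"{cn}: {'present' if ok else 'MISSING'}")
```

Pass the path of the PEM bundle your push client actually loads as `cafile` to audit that bundle instead of the system default.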