GSX API Certificates

As part of the onboarding process for CheckIn, users are provided instructions for generating the API Certificates required for GSX access. When CheckIn is set up, these are installed at System Library > FileMaker Server > Data > GSX.

Note that these API certificates expire after about 24 months, and will need to be recreated, following the same process that was used to generate them (detailed below). We recommend setting a Calendar Alert with a long lead time and multiple alerts to make sure the API Certificates are updated before they expire.

To check the expiration date for your API Certificate (assuming it is in the same location where it was originally installed), use the following Terminal command:

openssl x509 -in /Library/FileMaker\ Server/Data/GSX/gsx_production.pem -text

In the first several lines of the output you'll see the following text:

Validity

            Not Before: Jan  2 20:17:07 2022 GMT

            Not After : Feb  1 20:17:06 2024 GMT

In the example above, the certificate will expire on February 1, 2024. We will lose access to GSX through CheckIn if a replacement certificate is not in place.
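The same check can be scripted so it does not depend on reading the -text output by eye. This is an added example, not part of CheckIn; the function names and the 60-day default lead time are assumptions.

```shell
#!/bin/sh
# Added example, not CheckIn's own tooling.
# Default path is the install location given on this page; override with GSX_PEM.
GSX_PEM="${GSX_PEM:-/Library/FileMaker Server/Data/GSX/gsx_production.pem}"

# gsx_cert_not_after PEM
# Print only the expiry timestamp instead of the full -text dump.
gsx_cert_not_after() {
    openssl x509 -in "$1" -noout -enddate 2>/dev/null | sed 's/^notAfter=//'
}

# gsx_cert_status PEM [WARN_DAYS]
# Prints ok / renew / expired / unreadable and returns 0 / 1 / 2 / 3.
# WARN_DAYS (default 60, an assumed lead time) is how early "renew" starts.
gsx_cert_status() {
    pem=$1
    warn_days=${2:-60}
    # x509 reads the first CERTIFICATE block in the file, so a private key
    # pasted above the certificate does not get in the way.
    if ! openssl x509 -in "$pem" -noout >/dev/null 2>&1; then
        echo "unreadable"; return 3
    fi
    # -checkend N exits non-zero if the certificate expires within N seconds.
    if ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1; then
        echo "expired"; return 2
    fi
    if ! openssl x509 -in "$pem" -noout -checkend "$((warn_days * 86400))" >/dev/null 2>&1; then
        echo "renew"; return 1
    fi
    echo "ok"; return 0
}

# Report on the installed certificate when it is present on this machine.
if [ -f "$GSX_PEM" ]; then
    echo "Not After: $(gsx_cert_not_after "$GSX_PEM")"
    echo "Status:    $(gsx_cert_status "$GSX_PEM" 60)"
fi
```

Run on a schedule, the "renew" status gives the same early warning as the calendar alert recommended above.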

Generate your GSX API Certificate Request


Information You Will Need

In order to generate your privatekey and certificate request files, you will need the following information.
(Put this information together before you begin the process of generating these files.)

  1. Privatekey Passphrase: A passphrase (or password) that you would like to use to protect your privatekey.

  2. Two-Character Country Code: A two character abbreviation of your country's name (US, AU, CA).

  3. Full State Name: Full name of the state or province in which your business is headquartered (e.g. California, Queensland, Alberta)

  4. Full City Name: Full name of the city in which your business is headquartered (e.g. Santa Rosa, Brisbane, Calgary)

  5. Organization Name: Full name of your business (e.g. Phalanx Systems, Inc.)

  6. Organization Unit Name: Leave this blank.

  7. Common Name: The common name is AppleCare-Partner-XXXXXXXXXX.Prod.apple.com, replacing XXXXXXXXXX with your 10-digit GSX Sold-To Account number (e.g. AppleCare-Partner-0008644927.Prod.apple.com). Make sure you have this correct -- Apple will deny your on-boarding request if you submit a certificate request with an incorrect common name.

  8. Contact Email: The email address of one of your GSX Administrators (e.g. bill@yourcompany.com).


Generate your Privatekey

1. Open Terminal, paste in the following command, and press Return:

openssl genrsa -aes256 -out privatekey.pem 2048

2. Terminal will prompt you to enter a passphrase for your privatekey.

3. Enter the passphrase you chose in the steps above and press the Return key on your keyboard. Do not lose this passphrase -- it will be needed again for setup!

4. Terminal will ask you to verify the passphrase by typing it in again.

5. Re-enter the passphrase you chose in the steps above and press Return.

6. A file named "privatekey.pem" will be placed in the current user's home folder.



Generate your Certificate Request

1. Open Terminal, paste in the following command, and press Return:

openssl req -new -sha256 -key privatekey.pem -out certreq.csr

2. Terminal will prompt you to enter the passphrase for the privatekey you generated in the steps above. Enter the passphrase you chose in the steps above and press Return.

3. Terminal will prompt you to enter your "Country Name (2 letter code)". Enter the two-letter Country Code from the steps above and press Return.

4. Terminal will prompt you to enter your "State or Province Name (full name)". Enter the Full State Name from the steps above and press Return.

5. Terminal will prompt you to enter your "Locality Name (eg, city)". Enter the Full City Name from the steps above and press Return.

6. Terminal will prompt you to enter your "Organization Name (eg, company)". Enter the Organization Name from the steps above and press Return.

7. Terminal will prompt you to enter your "Organizational Unit Name (eg, section)". Leave this blank and press the Return key to skip it.

8. Terminal will prompt you to enter your "Common Name (eg, fully qualified host name)". Enter the Common Name from the steps above and press Return.

9. Terminal will prompt you to enter your "Email Address". Enter the Email Address from the steps above and press Return.

10. Terminal will prompt you to enter "A challenge password". Leave this blank and press the Return key to skip it.

11. A file named "certreq.csr" will be placed in the current user's home folder.

Both of the files you have generated will have been created in the current user's home folder. Store these files, along with your chosen privatekey passphrase, somewhere you will know to find them. Do not lose either of these files or your chosen privatekey passphrase! If you lose any of these items, you will have to restart the entire certificate request process.
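Because Apple rejects a request with an incorrect Common Name, it is worth checking certreq.csr before sending it. The following is an added example, not CheckIn's or Apple's tooling; the function names are assumptions, and the key-size and digest checks only confirm that the file matches the two commands above.

```shell
#!/bin/sh
# Added example, not CheckIn's or Apple's tooling.

# csr_field CSR NAME
# Print one subject field (CN, OU, O ...). Handles both subject layouts
# openssl prints: "/C=US/.../CN=x" and "C = US, ..., CN = x".
csr_field() {
    openssl req -in "$1" -noout -subject 2>/dev/null |
        sed -n "s|^subject= *|/|; s|.*[/ ]$2 *= *\([^,/]*\).*|\1|p"
}

csr_fail() { echo "FAIL: $1"; problems=$((problems + 1)); }

# check_gsx_csr CSR SOLD_TO
# SOLD_TO is your 10-digit GSX Sold-To number. Returns 0 if no problem is found.
check_gsx_csr() {
    csr=$1; sold_to=$2; problems=0

    # The file must parse as a request and its self-signature must verify.
    # The verdict is read from the message, because not every openssl build
    # reflects a failed verification in its exit status.
    if ! openssl req -in "$csr" -noout -verify 2>&1 | grep -qi 'verify ok'; then
        csr_fail "not a readable, correctly signed certificate request"
        return 1
    fi

    echo "$sold_to" | grep -Eq '^[0-9]{10}$' ||
        csr_fail "Sold-To '$sold_to' is not 10 digits"

    cn=$(csr_field "$csr" CN)
    [ "$cn" = "AppleCare-Partner-$sold_to.Prod.apple.com" ] ||
        csr_fail "Common Name is '$cn'"

    [ -z "$(csr_field "$csr" OU)" ] ||
        csr_fail "Organizational Unit Name should be blank"

    # Key size and digest should match the commands used above.
    text=$(openssl req -in "$csr" -noout -text 2>/dev/null)
    echo "$text" | grep -q 'Public-Key: (2048 bit)' ||
        csr_fail "key is not the 2048-bit key from 'openssl genrsa ... 2048'"
    echo "$text" | grep -q 'Signature Algorithm: sha256' ||
        csr_fail "request was not signed with -sha256"

    [ "$problems" -eq 0 ]
}

# Usage: sh check_csr.sh certreq.csr 0000000000
if [ "$#" -eq 2 ]; then check_gsx_csr "$1" "$2"; fi
```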



Send your On-Boarding Request to Apple

Send an email to the GSX Web Services Team (gsxws@apple.com) requesting to renew your GSX RESTful API Certificate. Be sure to attach the CSR file you generated in the steps above to your email. (You also need to copy your Apple Service Account Manager.)


Information You Will Need:

  1. GSX Sold-To Account Number: The full, 10-digit GSX Sold-To Account for your company provided to you by Apple.

  2. Primary IT Contact's Name: The GSX Administrator on your account who you want to be the primary contact between your company and Apple about API-related communications.

  3. Primary IT Contact's Email: The email address that corresponds to the employee above.

  4. Primary IT Contact's Phone Number: The phone number that corresponds to the employee above.

  5. Primary Business Contact Name(s) for API-Related Communications: Names of employees who you would like to have receive important API Communications from Apple.

  6. Primary Business Contact Email Address(es) for API-Related Communications: The email addresses that correspond to the employees above.

  7. Static Public IPs for ALL Locations using CheckIn with GSX APIs: The static public IP addresses for any and all locations that will be using the GSX APIs.

  8. The "certreq.csr" file you created in the steps above.


Example E-Mail Template

The following is the proper format for the email you will send to GSX Web Services. This email must be sent from a corporate email address. If the sender is not a GSX Administrator in MyAccess, be sure to copy someone who is. Make sure to also copy your Field Rep.

Subject: Your Sold-To Account Number - Your Company Name - GSX Certificate Expiration

Message Body:
GSX Sold-to account number: 0000000000
Primary IT contact’s name: GSX Admin Name
Primary IT contact’s email: gsxadmin@yourdomain.com
Primary IT contact’s phone number: 123-456-7890
Primary business contact name(s) for API related communications: gsxadmin@yourdomain.com

Third-party Integration Solution: CheckIn

We are currently using GSX API Integration and our certificate is set to expire next month.

Our Sold-To account number is 0000000000

Please find attached a copy of our new CSR file.

Email Attachment: The "certreq.csr" file you created in the steps above.


Installing the replacement Certificate

Once you receive a replacement file from Apple, follow these steps:


1. Duplicate the file sent to you by Apple.

2. Open both the duplicate file you've just created and privatekey.pem in TextEdit.

3. Copy the contents of privatekey.pem and paste them at the top of the other file, above any content. The resulting file has the private key block first, followed by the certificate block from Apple.


4. Save the file with the name gsx_production.pem. Make sure you save it as a PEM file, and not a TXT file.

5. Move this file to System Library > FileMaker Server > Data > GSX.

6. Select the folder System Library > FileMaker Server > Data in Finder, and Get Info. Without changing Users and Permissions, use the controls at the bottom left to select "Apply to enclosed items..."
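Since the combined file is assembled by hand in a text editor, it can be checked before it is moved into place. This is an added example, not CheckIn's or Apple's tooling; the function names are assumptions, and it compares the certificate against certreq.csr so the privatekey passphrase is not needed.

```shell
#!/bin/sh
# Added example, not CheckIn's or Apple's tooling.

# pubkey_of KIND FILE
# Print the public key inside a CSR (KIND=req) or certificate (KIND=x509).
# Neither lookup needs the privatekey passphrase.
pubkey_of() { openssl "$1" -in "$2" -noout -pubkey 2>/dev/null; }

# check_gsx_bundle BUNDLE CSR
# BUNDLE: the assembled gsx_production.pem. CSR: the certreq.csr sent to Apple.
# Prints one line per problem; returns 0 only if none is found.
check_gsx_bundle() {
    bundle=$1; csr=$2; bad=0

    # The first non-blank line must open the private key block
    # (this also catches a file saved as something other than plain text).
    first=$(tr -d '\r' < "$bundle" | grep -v '^[[:space:]]*$' | head -n 1)
    if ! echo "$first" | grep -Eq '^-----BEGIN [A-Z ]*PRIVATE KEY-----$'; then
        echo "FAIL: file does not start with the private key block"; bad=1
    fi
    if ! grep -Eq '^-----END [A-Z ]*PRIVATE KEY-----' "$bundle"; then
        echo "FAIL: private key block is incomplete"; bad=1
    fi

    # The certificate must carry the same public key as the CSR, which ties
    # it to the privatekey.pem that produced that CSR.
    cert_pub=$(pubkey_of x509 "$bundle")
    csr_pub=$(pubkey_of req "$csr")
    if [ -z "$cert_pub" ]; then
        echo "FAIL: no readable certificate block in the file"; bad=1
    elif [ -z "$csr_pub" ]; then
        echo "FAIL: cannot read the certificate request"; bad=1
    elif [ "$cert_pub" != "$csr_pub" ]; then
        echo "FAIL: certificate was not issued for this certificate request"; bad=1
    fi

    [ "$bad" -eq 0 ]
}

# Usage: sh check_bundle.sh gsx_production.pem certreq.csr
if [ "$#" -eq 2 ]; then check_gsx_bundle "$1" "$2"; fi
```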