Hi Argun, Thank you for your quick response and detailed explanation. One question for clarification: I attempted to test the sandbox endpoint (api.sandbox.push.apple.com) by sending push notifications, and I noticed that push notifications were still successfully delivered even after I removed both the old AAA Certificate Services root CA and the new SHA-2 Root: USERTrust RSA Certification Authority certificate from my provider server. To properly validate that the new certificate is required and working as intended, I’d like to understand the best approach. Specifically: How can I ensure that the absence of the new certificate prevents notifications, and its presence enables them? Are there additional steps required to configure my environment for this validation? I want to ensure that the new certificate is installed and functioning correctly before the production cut-off date. Thank you for your guidance! Best regards, Do Hyung

It was due to how Windows handles root certificates. Even after removing both certificates, notifications still worked because Windows automatically manages root certificates through its Trusted Root Certificate Program. Once I explicitly disabled the certificate purposes for the AAA Certificate Services certificate, push notifications stopped working, confirming the dependency. Thanks for the help.