Updated:
I found that I can submit the same CSR for both dev and production when creating certs for iOS push notifications.
For a single app I need to create 2 certs (dev/production), so for 10 apps I need to create 20 certs – which is a nightmare for cert management and pollutes my keychains, so I am thinking of submitting the same CSR (hence the same private key)... just easier to maintain the stuff.
I want to know if there are any drawbacks, and are you also doing it the same way to reduce the effort of key/cert management?
You don’t necessarily have to use different private keys for development and production, but you should, especially if you are working in a large team or with external developers.
Every developer who has to test the notification code will need to have access to the private key for the development certificate. If you use the same key for the production certificate, you also give them access to sending notifications in the production system. It all comes down to trust – do you trust that every developer on your team won’t use the key to play mischief with your paying customers, now and forever?
If you’re working alone, or if you really trust everyone on your team completely go ahead and use a single key. But think about the consequences if someone misuses the key.
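As an added example that is not part of the original question or answer: the script below generates a separate RSA key and CSR per environment with the OpenSSL command-line tool (assumed to be installed), then compares public-key fingerprints to detect whether two CSRs, certificates or keys were made from the same private key. It is what you would run against the dev and production certs already in your keychain (export them as PEM first) to see whether the reuse the question proposes has happened. File names such as dev.csr and prod.csr are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes the openssl CLI is available.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# gen_csr NAME: generate a fresh 2048-bit RSA key and a CSR for NAME in $WORK.
# One call per environment gives each its own private key.
gen_csr() {
  name=$1
  openssl genrsa -out "$WORK/$name.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/$name.key" -subj "/CN=$name" -out "$WORK/$name.csr" 2>/dev/null
}

# pubkey_fp FILE: SHA-256 fingerprint of the public key carried by a CSR (*.csr),
# a private key (*.key) or a PEM certificate (anything else). The same private
# key always yields the same fingerprint, whatever container it is wrapped in.
pubkey_fp() {
  f=$1
  case $f in
    *.csr) openssl req -in "$f" -pubkey -noout ;;
    *.key) openssl pkey -in "$f" -pubout ;;
    *)     openssl x509 -in "$f" -pubkey -noout ;;
  esac | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# same_key A B: succeed (exit 0) if A and B carry the same public key,
# i.e. were produced from the same private key.
same_key() {
  [ "$(pubkey_fp "$1")" = "$(pubkey_fp "$2")" ]
}

# Demo: distinct keys per environment (the recommended setup).
gen_csr dev
gen_csr prod
if same_key "$WORK/dev.csr" "$WORK/prod.csr"; then
  echo "dev and prod share a private key"
else
  echo "dev and prod use distinct private keys"
fi

# Demo: the shortcut from the question, a second CSR signed with the dev key.
# The fingerprint check spots it, so anyone who holds the dev key could also
# use a certificate issued from this CSR.
openssl req -new -key "$WORK/dev.key" -subj "/CN=prod-reused" -out "$WORK/prod-reused.csr" 2>/dev/null
if same_key "$WORK/dev.csr" "$WORK/prod-reused.csr"; then
  echo "WARNING: prod-reused.csr was made with the dev private key"
fi
```

Run it against real material with `pubkey_fp aps_development.pem` and `pubkey_fp aps_production.pem` after exporting both certificates from Keychain Access as PEM; matching fingerprints mean the two certificates are bound to one private key and that whoever can push to the sandbox can also push to production.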