How to establish a SecIdentityRef in an iPhone keychain? (Without a .p12)
How do you create a SecIdentityRef in an iPhone keychain if 1) you already have the private key in the keychain and 2) you have just received the certificate from a CA?

SecPKCS12Import does not help in this case unless there is an API to create a .p12 from a private key and a certificate.

SecIdentityCreateWithCertificate would be the answer on the Mac but it does not exist on the iPhone.

Is it possible using SecItemAdd? http://developer.apple.com/library/ios/#documentation/Security/Reference/keychainservices/Reference/reference.html

many thanks, Andrew

Tertiary answered 22/11, 2010 at 1:48 Comment(1)
Poor me; I have exactly the same problem and I can see this question has been unanswered for years. Did you resolve the issue? Eurhythmy

OK, to answer my own question:

On iOS the keychain will automatically bind the certificate to the private key. That means you only need to:

  1. Generate the key pair
  2. Get a certificate that matches the private key
  3. Insert the certificate into the keychain.

After this you should be able to get a SecIdentityRef for the certificate / private key.

IMPORTANT: The SecItemAdd function allows you to insert the certificate data directly (NSData of the DER representation). This way you will be able to get a valid certificate reference, but not an identity ref.
The right way to insert the certificate is to first use the SecCertificateCreateWithData function over the DER bytes of the certificate. This will return a SecCertificateRef object, which should then be used to persist the certificate into the keychain using the SecItemAdd function.

I hope this will make someone's life easier ;-)

Regards, Pece

Eurhythmy answered 9/4, 2012 at 12:42 Comment(7)
Note to self: stuff marked IMPORTANT is important. Really. Jessie
It's also important to specify the kSecAttrApplicationTag attribute when you're finally obtaining the SecIdentityRef using SecItemCopyMatching. The tag must be the same as the one you specified when you were generating the key pair. You can still get some signing identity even if you do not specify the tag, but it seems to be incomplete or wrong: if you try to extract a private key from it, it will return a public one instead. I'm experiencing this on iOS 9.3. Cleotildeclepe
I think it's worth adding that there is no way of generating the key pair with third-party libs (e.g. openssl) and adding those to the keychain without using pkcs12 as an intermediate format for use in SecPKCS12Import(). Oberon
THIS LAST POINT by @Oberon IS SUPER HELPFUL and IMPORTANT. Clabo
Need help on this. This is great for storing the cert, but the Identity, to create the NSURLCredential, I don't know how or where to get. I assume it's in the keystore with my cert, but not sure how to tell. If I store a key into the keystore, what makes it link to the cert??? There is no documentation on this anywhere. Been on this problem 80+ hours now. Bis
"After this you should be able to get a SecIdentityRef for the certificate / private key." umm.. how do you get the SecIdentityRef? It's the SecKeyRef and SecCertificateRef together, based on what the Apple documentation reads. Can anyone provide an example of this??? @pmiolsev Bis
Same question as @Bis: how do I get the SecIdentityRef? Movement
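The three steps from the accepted answer, plus the kSecAttrApplicationTag query from the comments, as an added Objective-C example that is not code from the original post or from Apple. It assumes ARC, a hypothetical tag `kExampleTag`, and that the DER bytes passed to `AddIssuedCertificate` are a CA-issued certificate for the key generated in step 1.

```objective-c
#import <Foundation/Foundation.h>
#import <Security/Security.h>
// Hypothetical tag; the same value must be used in every step (see comments above).
static NSString * const kExampleTag = @"com.example.client-identity";
// Step 1: generate the key pair, persisting the private key under the tag.
static SecKeyRef GenerateTaggedKeyPair(void) {
    NSData *tag = [kExampleTag dataUsingEncoding:NSUTF8StringEncoding];
    NSDictionary *params = @{
        (__bridge id)kSecAttrKeyType: (__bridge id)kSecAttrKeyTypeRSA,
        (__bridge id)kSecAttrKeySizeInBits: @2048,
        (__bridge id)kSecPrivateKeyAttrs: @{ (__bridge id)kSecAttrIsPermanent: @YES,
                                             (__bridge id)kSecAttrApplicationTag: tag },
    };
    SecKeyRef pub = NULL, priv = NULL;
    OSStatus st = SecKeyGeneratePair((__bridge CFDictionaryRef)params, &pub, &priv);
    if (pub) CFRelease(pub);
    return st == errSecSuccess ? priv : NULL; // caller must CFRelease
}
// Step 3: wrap the CA-issued DER in a SecCertificateRef first, then add *that*.
// Adding the raw NSData yields a certificate item but never an identity.
static OSStatus AddIssuedCertificate(NSData *der) {
    SecCertificateRef cert = SecCertificateCreateWithData(NULL, (__bridge CFDataRef)der);
    if (!cert) return errSecDecode; // bytes were not a valid DER certificate
    NSDictionary *item = @{ (__bridge id)kSecClass: (__bridge id)kSecClassCertificate,
                            (__bridge id)kSecValueRef: (__bridge id)cert,
                            (__bridge id)kSecAttrLabel: kExampleTag };
    OSStatus st = SecItemAdd((__bridge CFDictionaryRef)item, NULL);
    CFRelease(cert);
    return st;
}
// Ask for the identity the keychain has paired up. Caller must CFRelease it.
static SecIdentityRef CopyIdentity(void) {
    NSData *tag = [kExampleTag dataUsingEncoding:NSUTF8StringEncoding];
    NSDictionary *query = @{ (__bridge id)kSecClass: (__bridge id)kSecClassIdentity,
                             (__bridge id)kSecAttrApplicationTag: tag,
                             (__bridge id)kSecReturnRef: @YES,
                             (__bridge id)kSecMatchLimit: (__bridge id)kSecMatchLimitOne };
    CFTypeRef ref = NULL;
    OSStatus st = SecItemCopyMatching((__bridge CFDictionaryRef)query, &ref);
    return st == errSecSuccess ? (SecIdentityRef)ref : NULL;
}
// Sanity check for the iOS 9.3 symptom above: the key handed back must really be
// the private half. SecKeyCopyAttributes needs iOS 10+.
static BOOL IdentityHasPrivateKey(SecIdentityRef identity) {
    SecKeyRef key = NULL;
    if (SecIdentityCopyPrivateKey(identity, &key) != errSecSuccess || !key) return NO;
    NSDictionary *attrs = CFBridgingRelease(SecKeyCopyAttributes(key));
    CFRelease(key);
    id cls = attrs[(__bridge id)kSecAttrKeyClass]; // description tolerates CFString or CFNumber
    return [[cls description] isEqualToString:(__bridge NSString *)kSecAttrKeyClassPrivate];
}
```

Step 2 (getting the certificate issued for the generated key) happens outside the device, so it is not shown; nothing here is needed between generating the key and adding the certificate.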

© 2022 - 2024 — McMap. All rights reserved.