Monitor keychain certificate export

Hi, I was wondering if there is a way to monitor if a certificate is exported from the keychain, either by using some of the APIs Endpoint Security provides or by using another method. Thanks.

Answered by DTS Engineer in 714703022

Are you concerned about exporting a certificate? Or a digital identity?

For an explanation of the difference, see Certificate Signing Requests Explained.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Accepted Answer

Presumably you’re talking about a digital identity here, ’cause a certificate shouldn’t contain any private information.

AFAIK Endpoint Security has no specific mechanism for authorising the export of private keys from the keychain.

The macOS keychain does have the concept of ‘extractable’, where a key that’s not extractable can’t be exported from the keychain. And, oh look, you can set that via the KeyIsExtractable property in the com.apple.security.pkcs12 payload.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
