3 Replies
      Latest reply on Oct 4, 2016 2:53 AM by eskimo
      shivendra6782 Level 1 Level 1 (0 points)



        How can i fetch the certificate from keychain and add into HTTP header. I want to share the certificate with server to validate if request send by valid comapny issued device or not. Please suggest.

        • Re: Add certificate to HTTP POST request
          Beast Level 3 Level 3 (125 points)

          You don't want to use the presence of a certificate for authentication, certificates are public.


          You would either want to use the certificate to perform TLS client authentication or use the certificate to sign something that only the holder of the certificate's private key could sign.

            • Re: Add certificate to HTTP POST request
              shivendra6782 Level 1 Level 1 (0 points)

              Thanks for your response.

              I am using SSL pinning in my app to confirm the server identity, but server is also asking client certificate to validate Client. I have company issued certificate in my keychain(e.g. @abc.com), how can read the certificate infomation to handle the cettificate challenge:



                  func URLSession(session: NSURLSession,task: NSURLSessionTask,

                  didReceiveChallenge challenge: NSURLAuthenticationChallenge,completionHandler: (NSURLSessionAuthChallengeDisposition, NSURLCredential?) -> Void) {

                                       if challenge.protectionSpace.authenticationMethod == (NSURLAuthenticationMethodServerTrust)


                                                 // Send the trust.


                                       else if challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodClientCertificate


                                                 //How to handle this if i want to use certificate from keychain.






              Please suggest.

                • Re: Add certificate to HTTP POST request
                  eskimo Apple Staff Apple Staff (13,945 points)

                  To understand where Beast is coming from here you have to understand that client certificate authentication, as the term is usually used, is somewhat misleading.  It kinda makes sense from the server’s perspective — the server is checking the certificate of the client — but it misses out one key thing.  TLS has crypto goo that guarantees that the client can only present that certificate to the server because the client holds the private key associated with the public key in that certificate.  That is, the client must hold both the certificate and its matching private key, otherwise known as a digital identity.  So, from the perspective of the client, this would be better known as client identity authentication.

                  With that out of the way, here’s how you respond to a client identity authentication challenge, aka NSURLAuthenticationMethodClientCertificate:

                  let identity: SecIdentity = … find the right identity …
                  let credential = URLCredential(identity: identity, certificates: nil, persistence: .forSession)
                  completionHandler(.useCredential, credential)

                  The code to get the right identity is very app specific.  You said that you have the client certificate in your keychain.  Hopefully that includes the matching private key, in which case you can get the client identity using keychain APIs (specifically, SecItemCopyMatching).

                  Share and Enjoy

                  Quinn “The Eskimo!”
                  Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                  let myEmail = "eskimo" + "1" + "@apple.com"