Secure Enclave for MS Active Directory Certificate Enrollment

Hello,


Currently I need to find a solution to get a certificate from our company's Certificate Authority, to use Wi-Fi and VPN.


To get a certificate I need to build a CSR first. For this, I generate a key pair in the Secure Enclave. After that I build the CSR in Swift and sign it with the private key. Then I can send it to the CA, which currently causes some problems. But that is not the main question.


The problem is, when I get the certificate back, I need to use it for Wi-Fi and VPN. But when I want to choose the certificate, it does not appear in the dropdown. I think the problem is that the keychain does not know the private key. Every certificate I can select has, in the keychain, a dropdown where it shows a private key.


Can anyone explain to me how to link my certificate with the private key in the Secure Enclave?

I would also be happy for ideas on how to send it to the CA.


Best Regards

Moritz

Replies

The problem here is keychain access groups. When you create your key pair it goes into your app’s keychain access group. However, for a digital identity to be usable by Settings > Wi-Fi the components of that identity, the private key and the certificate, need to be in the system’s keychain access group. There’s no programmatic way for you to modify the system keychain access group, and thus there’s no way for you to move the private key there.

One possibility is for you to set up Wi-Fi and VPN programmatically (using NEHotspotConfigurationManager and NEVPNManager, respectively). Such configurations use credentials from your keychain access group.

ps I’ve never tried this with a Secure Enclave-based private key, so it’ll be interesting to see if that works. To start off I recommend that you generate the key pair in the normal keychain and then, if that works, move on to using the Secure Enclave.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Hi Eskimo,


Thanks for your fast reply. Are you sure that I can use NEHotspotConfigurationManager for macOS? I only found documents in the Apple developer search for iOS.


Best Regards

Moritz

Are you sure that I can use NEHotspotConfigurationManager for macOS?

Oh, you’re on the Mac! I was originally going to bounce this back with a “What platform are you on?” but then decided that, given that you mentioned the Secure Enclave, it’s most likely an iOS thing [1].

With regard to the two technologies in play here:

  • VPN setup is supported by NEVPNManager on both platforms
  • Wi-Fi setup differs by platform:
    • On iOS you can use NEHotspotConfigurationManager
    • On macOS you can use the CoreWLAN framework

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

[1] And yes, I know that Secure Enclave is available on the Mac but the vast majority of Secure Enclave questions I see relate to iOS.

Hi Eskimo,


Perfect, I hope that this works 🙂

Do you know how to use CoreWLAN with EAP-TLS Certificates?


Best Regards

Moritz

Do you know how to use CoreWLAN with EAP-TLS Certificates?

I don’t have any direct experience with that. I will note that CoreWLAN has specific API for keychain management that’s supposed to help with this sort of thing. Check out <CoreWLAN/CoreWLANUtil.h>.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Is there no way to create a keypair in the secure enclave, which I can access from the keychain? Maybe use "com.apple.keychain" for kSecAttrApplicationTag or whatever?

Is there no way to create a keypair in the secure enclave, which I can access from the keychain?

I’m not sure what you’re asking here. When you create a key pair in the Secure Enclave it is accessible via keychain APIs.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

I need to access the private key from the keychain. But you told me that this is not possible because of the keychain access group. You said when I create a key pair it goes into my app’s keychain access group. Now I'm wondering if I can modify the access group so that I can access it from the system keychain. There should be a possibility, otherwise the Secure Enclave is useless...

I think you need to have a look at the specific APIs I’m recommending here. In both cases the system mediates the application of your credentials to the configuration, and thus the specific keychain access group may not matter.

Having said that, I’m kinda doubtful that a Secure Enclave key will work for either case, which is why I recommend that you start with a normal key and only move on to using a Secure Enclave key if you can get that working.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Hi Eskimo,


I think we talk about two different topics. I don't can use your CoreWLAN and NEVPNManager framework. It didn't work for our company. I really need to access the private key from the Secure Enclave in the system keychain. I don't think that Apple has no function built in to grant access for other keychain access groups (e.g. the system keychain).


Is there any possibility to grant my keychain access to the private key in the Secure Enclave?

I think we talk about two different topics.

I definitely agree that there’s a bunch of confusion here.

I don't can use your CoreWLAN and NEVPNManager framework.

What does “don’t can use” mean? You don’t use them? Or you can’t use them?

The reason I’m suggesting that you use these APIs is that they are the only way to set credentials on a network configuration. And, just to be clear about our expectations here, I’m not confident that you’ll be able to make this work with a Secure Enclave key at all, but these APIs are the only approach that offers any hope.

Is there any possibility to grant my keychain access to the private key in the Secure Enclave?

I don’t understand this question. If you create the key in the Secure Enclave then it’s accessible to you via keychain APIs, that is, your keychain already has access to it.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"


WWDC runs Mon, 4 Jun through to Fri, 8 Jun. During that time all of DTS will be at the conference, helping folks out face-to-face.

Hi,

If you create the key in the Secure Enclave then it’s accessible to you via keychain APIs, that is, your keychain already has access to it.


No, when I create a key pair in the Secure Enclave, I only have access to it via my own application. I build a CSR in my application and send it to the CA. When I import the returned certificate into my keychain, I don't have access to my private key. But I need it for our applications.


Let's clarify that first.

Thank you 🙂

When I import the returned certificate into my keychain …

What API are you using to import the certificate?

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"


Hi Eskimo,


I use the Security framework with the SecItemAdd function to add the certificate to my keychain. But I can't find the private key in my keychain and I also can't find a way to link the private key to the certificate.


Thank you 🙂

If you generate the key pair in the standard keychain, not the Secure Enclave, does it match up with the added certificate to form an identity?

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

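As an added example (not code from the thread, from Moritz, or from Apple), one way to run the check Quinn asks about: generate the Secure Enclave key pair, add the DER certificate the CA returned, then ask the keychain whether it now pairs the two into a SecIdentity. It assumes macOS 10.15 / iOS 13 or later, that the key lives in the data protection keychain (hence kSecUseDataProtectionKeychain on the certificate and the query), and uses a constructed application tag.

```swift
import Foundation
import Security

enum EnrollmentCheck {
    static let tag = Data("com.example.enrollment.key".utf8)  // constructed tag
    // Private key in the Secure Enclave; kSecAttrIsPermanent keeps a keychain record.
    static func makeSecureEnclaveKey() throws -> SecKey {
        var err: Unmanaged<CFError>?
        guard let access = SecAccessControlCreateWithFlags(
            nil, kSecAttrAccessibleWhenUnlockedThisDeviceOnly, .privateKeyUsage, &err)
        else { throw err!.takeRetainedValue() as Error }
        let attrs: [String: Any] = [
            kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
            kSecAttrKeySizeInBits as String: 256,
            kSecAttrTokenID as String: kSecAttrTokenIDSecureEnclave,
            kSecPrivateKeyAttrs as String: [
                kSecAttrIsPermanent as String: true,
                kSecAttrApplicationTag as String: tag,
                kSecAttrAccessControl as String: access] as [String: Any]]
        guard let key = SecKeyCreateRandomKey(attrs as CFDictionary, &err)
        else { throw err!.takeRetainedValue() as Error }
        return key
    }
    // Assumed: the cert must go into the same (data protection) keychain as the
    // Secure Enclave key, otherwise the two can never be paired.
    static func addCertificate(der: Data) -> OSStatus {
        guard let cert = SecCertificateCreateWithData(nil, der as CFData)
        else { return errSecDecode }
        let add: [String: Any] = [
            kSecClass as String: kSecClassCertificate,
            kSecValueRef as String: cert,
            kSecUseDataProtectionKeychain as String: true]
        return SecItemAdd(add as CFDictionary, nil)
    }
    // The keychain forms a SecIdentity when the cert's public-key hash equals the
    // private key's kSecAttrApplicationLabel; nil here means no pairing exists.
    static func findIdentity(der: Data) -> SecIdentity? {
        let query: [String: Any] = [
            kSecClass as String: kSecClassIdentity,
            kSecMatchLimit as String: kSecMatchLimitAll,
            kSecReturnRef as String: true,
            kSecUseDataProtectionKeychain as String: true]
        var result: CFTypeRef?
        guard SecItemCopyMatching(query as CFDictionary, &result) == errSecSuccess,
              let found = result as? [SecIdentity] else { return nil }
        return found.first { identity in
            var cert: SecCertificate?
            return SecIdentityCopyCertificate(identity, &cert) == errSecSuccess
                && cert.map { SecCertificateCopyData($0) as Data } == der
        }
    }
}
```

Call makeSecureEnclaveKey(), submit your CSR, then addCertificate(der:) and findIdentity(der:) with the issued DER bytes; to repeat the experiment with an ordinary keychain key as Quinn suggests, drop the kSecAttrTokenID entry.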