Secure Enclave for MS Active Directory Certificate Enrollment

Hello,


Currently I need to find a solution to get a certificate from our company's Certificate Authority, to use for Wi-Fi and VPN.


To get a certificate I need to build a CSR first. For this, I generate a key pair in the Secure Enclave. After that I build the CSR in Swift and sign it with the private key. Then I can send it to the CA, which currently causes some problems. But that is not the main question.


The problem is, when I get the certificate back, I need to use it for Wi-Fi and VPN. But when I want to choose the certificate, it does not appear in the dropdown. I think the problem is that the keychain does not know the private key. Every certificate I can select has a dropdown in the keychain where it shows a private key.


Can anyone explain to me how to link my certificate with the private key in the Secure Enclave?

I would also be happy for ideas on how to send it to the CA.


Best Regards

Moritz

Replies

Hi Eskimo,


I just created the key pair in the standard keychain. After that the key pair was directly visible in the keychain, and after I had my CSR signed, the certificate matched the private key.


Then I tried this another time in the Secure Enclave, and it did not appear in the keychain and did not match the certificate.

So how do I make my key pair accessible from the keychain?


thank you! 🙂

Then I tried this another time in the Secure Enclave, and it did not appear in the keychain and did not match the certificate.

How are you testing this? With the Keychain Access app? Or via some API?

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"


WWDC runs Mon, 4 Jun through to Fri, 8 Jun. During that time all of DTS will be at the conference, helping folks out face-to-face.

Hi Eskimo,


I review that with the Keychain application. It should be visible there, otherwise we can't use the 'Cisco AnyConnect' client.


thanks 😀

I review that with the Keychain application

I presume you mean Keychain Access.

otherwise we can't use the 'Cisco AnyConnect' client.

Ah, I didn’t realise you were using a third-party VPN client. In that case I don’t think you’re going to be able to achieve your goal. macOS has two keychain models, the traditional file-based keychain and an iOS-style keychain used for, amongst other things, iCloud Keychain. The Secure Enclave is only accessible via the iOS-style keychain, and that keychain has a security model, keychain access groups, that prevents app A from creating credentials that can be used by app B.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"


Hi Eskimo,


Why shouldn't it be possible to create a key pair which is accessible from the system keychain? 😟 So that multiple apps, and the user manually, can get access to it? There must be a way to get this working.


thanks 🙂

Hi eskimo


Checking to see if there have been any changes around this capability. We have a similar use case where we generate a private key in the Secure Enclave and generate a client certificate for the device (using a CSR signed by the private key, and having our CA issue a cert). We would like this client cert and private key to be accessible from other applications like the Safari browser or other apps when our server requests the client certificate.


I tested all of this and am currently able to import only the client certificate ("SecCertificate") into an external keychain (using SecItemAdd and specifying a "kSecUseKeychain" attribute). But when I try "SecItemAdd" with a "SecIdentity" representing my client certificate and a reference to the "SecKey" in the Secure Enclave, it fails with a -50 error.


In our current product, we have it implemented using the file-based keychain on macOS. But users are able to copy the entire keychain file over to another device. We would really like the private key to be tied to the device (but still be accessible by other third-party applications).


I would really appreciate it if you could shed some light on this. The documentation around this is sparse 😟. If there is no update, just a confirmation of my understanding would also help.


Thanks in advance
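As an added example (not code from the original thread or from Apple), here is the in-app flow the first post asks about and the last post is attempting: generate a P-256 key in the Secure Enclave, sign the CSR body with it, store the CA-issued certificate, and then look the resulting identity up. It assumes a Mac with a Secure Enclave, macOS 10.15 or later for `kSecUseDataProtectionKeychain`, and that the CSR's CertificationRequestInfo bytes are built elsewhere. The names `makeSecureEnclaveKey`, `signCSRBody`, `storeCertificate`, `findIdentity` and `EnclaveError` are my own. Note that it adds only the certificate, not a `SecIdentity`: in the data-protection keychain a certificate is paired with a private key automatically when the key's `kSecAttrApplicationLabel` matches the hash of the certificate's public key, so no explicit link is stored.

```swift
import Foundation
import Security

enum EnclaveError: Error {
    case osStatus(OSStatus)
    case cfError(Error)
}

/// Generates a P-256 key pair whose private key never leaves the Secure Enclave.
/// `tag` is an application tag we choose so the key can be found again later.
func makeSecureEnclaveKey(tag: Data) throws -> SecKey {
    var cfError: Unmanaged<CFError>?
    // Usable only while the device is unlocked and never migrated to another device,
    // which is the "tied to the device" property the last poster asks for.
    guard let access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
        .privateKeyUsage,
        &cfError) else {
        throw EnclaveError.cfError(cfError!.takeRetainedValue())
    }
    let attributes: [String: Any] = [
        kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
        kSecAttrKeySizeInBits as String: 256,
        kSecAttrTokenID as String: kSecAttrTokenIDSecureEnclave,   // Secure Enclave keys live in the data-protection keychain
        kSecPrivateKeyAttrs as String: [
            kSecAttrIsPermanent as String: true,                   // keep the key in the keychain
            kSecAttrApplicationTag as String: tag,
            kSecAttrAccessControl as String: access,
        ],
    ]
    guard let key = SecKeyCreateRandomKey(attributes as CFDictionary, &cfError) else {
        throw EnclaveError.cfError(cfError!.takeRetainedValue())
    }
    return key
}

/// Signs the DER-encoded CertificationRequestInfo with the enclave key
/// (ECDSA over SHA-256; the returned signature is DER-encoded, as PKCS#10 expects).
func signCSRBody(_ body: Data, with privateKey: SecKey) throws -> Data {
    var cfError: Unmanaged<CFError>?
    guard let sig = SecKeyCreateSignature(privateKey,
                                          .ecdsaSignatureMessageX962SHA256,
                                          body as CFData, &cfError) else {
        throw EnclaveError.cfError(cfError!.takeRetainedValue())
    }
    return sig as Data
}

/// Stores the CA-issued certificate (DER bytes) in the same data-protection keychain
/// that holds the enclave key, so the keychain can pair them into an identity.
func storeCertificate(_ der: Data, label: String) throws {
    guard let cert = SecCertificateCreateWithData(nil, der as CFData) else {
        throw EnclaveError.osStatus(errSecDecode)
    }
    let add: [String: Any] = [
        kSecClass as String: kSecClassCertificate,
        kSecValueRef as String: cert,
        kSecAttrLabel as String: label,
        kSecUseDataProtectionKeychain as String: true,  // assumption: macOS 10.15+
    ]
    let status = SecItemAdd(add as CFDictionary, nil)
    guard status == errSecSuccess || status == errSecDuplicateItem else {
        throw EnclaveError.osStatus(status)
    }
}

/// Looks the identity up the way a TLS client in this app needs it.
func findIdentity(label: String) throws -> SecIdentity {
    let query: [String: Any] = [
        kSecClass as String: kSecClassIdentity,
        kSecAttrLabel as String: label,
        kSecReturnRef as String: true,
        kSecUseDataProtectionKeychain as String: true,
    ]
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    guard status == errSecSuccess, let found = item else {
        throw EnclaveError.osStatus(status)
    }
    return found as! SecIdentity
}
```

Two points the thread raises are visible here. First, nothing in this flow uses `kSecUseKeychain`: that key targets the file-based keychain, while a Secure Enclave key can only exist in the data-protection keychain, which is consistent with the `-50` (`errSecParam`) the last poster sees when trying to add an identity across the two models. Second, the identity that `findIdentity` returns is scoped to this app's keychain access group; as Quinn explains above, that model is exactly what keeps a third-party VPN client or browser from using it, so it will not show up in their certificate pickers.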