How to get Certificates list from iOS device?

I am creating an iPhone app where we want to use X.509 certificates for client authentication. I just want to get a list of all certificates from the iPhone/iPad; the certificates are available under (Settings/General/Device Management/Digital Workspace/certificate).

1. Is it possible? Does Apple allow getting the certificate list? If yes, how can I get this?

Thanks,

Sanjay

Replies

Not possible. Do not waste your time. All apps are sandboxed and only have access to their data and any system data shared via Apple's APIs.

Thanks for your response on this.


One more question: is there any way to check whether the certificate is installed on the device? The certificate name will be constant.


Thanks,

Sanjay

First, some clarifications:

  • Given that you’re talking about “client authentication” earlier, I presume you’re talking about digital identities rather than certificates.

    Note: A digital identity is the combination of a private key and a certificate that contains the public key that matches that private key, and is what you need to present on the client side if you want the server to authenticate the client.

  • It seems that you care about digital identities installed via MDM. Credentials installed that way are placed in an Apple keychain access group and, as such, are only accessible to Apple apps. QA1745 Making Certificates and Keys Available To Your App discusses this in more detail.

Is there any way to check [whether a digital identity] is installed on [the device]?

Not in general.

If you post some more information about your overall goal, I may be able to offer more suggestions.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Hi Eskimo,


I want to achieve something similar.

How do I display a list of pfx digital identities from iOS --> Settings?


If I were to open the app using the Mobile Safari browser, it will prompt me to choose the client certificate; I want to achieve something similar using WKWebView.

Is this even possible?


In addition, I have tried to use SafariViewController; this has an unexpected behavior.

If I install the .pfx digital identity and restart my phone, then the single sign-on will work, but if I don't restart the phone, the single sign-on will not work.

Similarly, when I try to uninstall the .pfx digital identity and launch the SafariViewController, the single sign-on still works until I have restarted my phone.


Your response is much appreciated.


I have found further details to describe the same problem

http://stackoverflow.com/questions/34079135/how-to-clear-sfsafariviewcontroller-credentials


Regards,

Ramon

How do I display a list of pfx digital identity from iOS --> Settings.

From inside your app? In general you can’t. QA1745 Making Certificates and Keys Available To Your App explains the background to this.

If I were to open the app using Mobile safari browser it will prompt me to choose the client certificate, I want to achieve the similar using WKWebView.

WKWebView will pass you authentication challenges via the -webView:didReceiveAuthenticationChallenge:completionHandler: navigation delegate callback and, in general, you can handle authentication by responding to those challenges. However, this does not work in the case of client identity authentication challenges (NSURLAuthenticationMethodClientCertificate). You get the authentication challenge but, when you respond, the response is ineffective. We’re tracking this issue as a bug (r. 22659960).

The only workaround is to use UIWebView with a custom NSURLProtocol subclass, as illustrated by the CustomHTTPProtocol sample code. There are, however, multiple drawbacks:

  • It’s a bit of a hack.

  • It’s a bunch of complex code.

  • WKWebView is the modern replacement for UIWebView, so using UIWebView seems like a backward step.

In addition, you still have the problem I discussed above, namely, getting the required identities into your app’s ‘slice’ of the keychain.

In addition I have tried to use SafariViewController, this has an unexpected behavior.

In contrast to WKWebView, SafariViewController is meant to act Just Like Safari™. As such, it does have access to the Apple ‘slice’ of the keychain. And it sounds like that works, modulo a restart or two (-;

With regards to the requirement to restart, IMO that’s a bug and you should file it as such. Please post your bug number, just for the record.

All other things being equal, I think you’d be better off doing this via SafariViewController, and living with the restart issue, than trying to use the UIWebView hackaround.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
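
As an added illustration of the two points in the reply above (this is not code from the thread or from Apple's samples): the Swift code below lists the digital identities visible in the app's own keychain access groups and answers an NSURLAuthenticationMethodClientCertificate challenge from a URLSession delegate. The names appVisibleIdentities and ClientIdentityDelegate are hypothetical, and using URLSession rather than a web view is an assumption of the example.

```swift
import Foundation
import Security

// Hypothetical helper: returns the digital identities this app can see.
// The query only covers the app's own keychain access groups, so identities
// installed via MDM or Settings (held in an Apple access group) never appear.
func appVisibleIdentities() -> [(label: String, identity: SecIdentity)] {
    let query: [String: Any] = [
        kSecClass as String: kSecClassIdentity,
        kSecMatchLimit as String: kSecMatchLimitAll,
        kSecReturnRef as String: true,
        kSecReturnAttributes as String: true,
    ]
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    // errSecItemNotFound means the app's slice holds no identity at all.
    guard status == errSecSuccess, let items = result as? [[String: Any]] else {
        return []
    }
    return items.compactMap { item in
        guard let ref = item[kSecValueRef as String] else { return nil }
        let label = item[kSecAttrLabel as String] as? String ?? "(no label)"
        return (label: label, identity: ref as! SecIdentity)
    }
}

// Hypothetical delegate: presents one identity when the server asks for a
// client certificate and leaves every other challenge to default handling.
final class ClientIdentityDelegate: NSObject, URLSessionDelegate {
    private let identity: SecIdentity

    init(identity: SecIdentity) { self.identity = identity }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition,
                                                  URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod
                == NSURLAuthenticationMethodClientCertificate else {
            completionHandler(.performDefaultHandling, nil)
            return
        }
        // .forSession keeps the credential out of persistent credential storage.
        let credential = URLCredential(identity: identity, certificates: nil,
                                       persistence: .forSession)
        completionHandler(.useCredential, credential)
    }
}
```

An empty result from appVisibleIdentities() says only that the app's own slice holds no identity; it says nothing about what is installed under Settings.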

However, this does not work in the case of client identity authentication challenges (NSURLAuthenticationMethodClientCertificate).

There’s finally been some good news on this front. See this thread for details.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
