6 Replies
      Latest reply on May 20, 2018 8:13 PM by bftmb
      bftmb Level 1 (0 points)

        Hello,

        Currently I need to find a solution to get a certificate from our company's Certificate Authority, to use Wi-Fi and VPN.

        To get a certificate I need to build a CSR first. For this, I generate a key pair in the Secure Enclave. After that I build the CSR in Swift and sign it with the private key. Then I can send it to the CA, which currently causes some problems. But that is not the main question.

        The problem is, when I get the certificate back, I need to use it for Wi-Fi and VPN. But when I want to choose the certificate, it does not appear in the dropdown. I think the problem is that the keychain does not know the private key. Every certificate I can select has a dropdown in the keychain where it shows a private key.

        Can anyone explain to me how to link my certificate with the private key in the Secure Enclave?

        I would also be happy about ideas on how to send it to the CA.

        Best Regards

        Moritz

        • Re: Secure Enclave for MS Active Directory Certificate Enrollment
          eskimo Apple Staff (8,895 points)

          The problem here is keychain access groups.  When you create your key pair it goes into your app’s keychain access group.  However, for a digital identity to be usable by Settings > Wi-Fi the components of that identity, the private key and the certificate, need to be in the system’s keychain access group.  There’s no programmatic way for you to modify the system keychain access group, and thus there’s no way for you to move the private key there.

          One possibility is for you to set up Wi-Fi and VPN programmatically (using NEHotspotConfigurationManager and NEVPNManager, respectively).  Such configurations use credentials from your keychain access group.

          ps I’ve never tried this with a Secure Enclave-based private key, so it’ll be interesting to see if that works.  To start off I recommend that you generate the key pair in the normal keychain and then, if that works, move on to using the Secure Enclave.

          Share and Enjoy

          Quinn “The Eskimo!”
          Apple Developer Relations, Developer Technical Support, Core OS/Hardware
          let myEmail = "eskimo" + "1" + "@apple.com"
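As an added illustration of the point above (this is not code from the thread, from Apple or from the original poster): the private key is generated as a permanent keychain item in the app's access group, the CA-issued certificate is added beside it so the keychain forms a SecIdentity from the pair, and that identity is handed to NEVPNManager as a persistent reference. The key tag, certificate label and server name are placeholders, and the certificate bytes are assumed to arrive from the CA as DER.

```swift
import Foundation
import Security
import NetworkExtension
let keyTag = "com.example.corp.vpn-key".data(using: .utf8)!  // hypothetical tag
let certLabel = "Corp VPN Identity"                          // hypothetical label
func osError(_ s: OSStatus) -> Error { NSError(domain: NSOSStatusErrorDomain, code: Int(s)) }

/// P-256 key pair in the Secure Enclave; kSecAttrIsPermanent keeps a keychain item for it in the app's access group.
func makeSecureEnclaveKey() throws -> SecKey {
    var cfError: Unmanaged<CFError>?
    guard let access = SecAccessControlCreateWithFlags(
            kCFAllocatorDefault, kSecAttrAccessibleWhenUnlockedThisDeviceOnly, .privateKeyUsage, &cfError)
    else { throw cfError!.takeRetainedValue() as Error }
    let attrs: [String: Any] = [
        kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
        kSecAttrKeySizeInBits as String: 256,
        kSecAttrTokenID as String: kSecAttrTokenIDSecureEnclave,
        kSecPrivateKeyAttrs as String: [kSecAttrIsPermanent as String: true,
                                        kSecAttrApplicationTag as String: keyTag,
                                        kSecAttrAccessControl as String: access] as [String: Any]]
    guard let key = SecKeyCreateRandomKey(attrs as CFDictionary, &cfError) else { throw cfError!.takeRetainedValue() as Error }
    return key
}

/// Add the DER certificate the CA issued for that key. There is no explicit "link" call: the keychain pairs it with the private key by public-key hash, and a SecIdentity appears once both sit in the same access group.
func storeIssuedCertificate(der: Data) throws {
    guard let cert = SecCertificateCreateWithData(nil, der as CFData) else { throw osError(errSecDecode) }
    let item: [String: Any] = [kSecClass as String: kSecClassCertificate,
                               kSecValueRef as String: cert,
                               kSecAttrLabel as String: certLabel]
    let status = SecItemAdd(item as CFDictionary, nil)
    guard status == errSecSuccess || status == errSecDuplicateItem else { throw osError(status) }
}

/// Fetch the identity as a persistent reference and hand it to NEVPNManager, which (unlike Settings > VPN) reads credentials from the app's own access group.
func configureVPN(server: String) throws -> NEVPNManager {
    let query: [String: Any] = [kSecClass as String: kSecClassIdentity,
                                kSecAttrLabel as String: certLabel,
                                kSecReturnPersistentRef as String: true]
    var ref: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &ref)
    guard status == errSecSuccess, let persistentRef = ref as? Data else { throw osError(status) }
    let proto = NEVPNProtocolIKEv2()
    proto.serverAddress = server
    proto.remoteIdentifier = server
    proto.authenticationMethod = .certificate
    proto.identityReference = persistentRef   // certificate + Secure Enclave private key
    let manager = NEVPNManager.shared()
    manager.protocolConfiguration = proto
    manager.isEnabled = true
    return manager   // caller then runs manager.saveToPreferences(completionHandler:)
}
```

NEVPNManager needs the Personal VPN entitlement, and the identity lookup only succeeds if the certificate the CA returns really was issued for the public key of the stored Secure Enclave key.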

            • Re: Secure Enclave for MS Active Directory Certificate Enrollment
              bftmb Level 1 (0 points)

              Hi Eskimo,

              Thanks for your fast reply. Are you sure that I can use NEHotspotConfigurationManager for macOS? I only found documents in the Apple Developer search for iOS.

              Best Regards

              Moritz

                • Re: Secure Enclave for MS Active Directory Certificate Enrollment
                  eskimo Apple Staff (8,895 points)

                  Are you sure that I can use NEHotspotConfigurationManager for macOS?

                  Oh, you’re on the Mac!  I was originally going to bounce this back with a “What platform are you on?” but then decided that, given that you mentioned the Secure Enclave, it’s most likely an iOS thing [1].

                  With regard to the two technologies in play here:

                  • VPN setup is supported by NEVPNManager on both platforms

                  • Wi-Fi setup differs by platform:

                    • On iOS you can use NEHotspotConfigurationManager

                    • On macOS you can use the CoreWLAN framework

                  Share and Enjoy

                  Quinn “The Eskimo!”
                  Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                  let myEmail = "eskimo" + "1" + "@apple.com"

                  [1] And yes, I know that Secure Enclave is available on the Mac but the vast majority of Secure Enclave questions I see relate to iOS.
