      Latest reply on Sep 9, 2019 2:11 AM by eskimo
      go7202 Level 1 (0 points)



        I want to get the certificates installed in profiles on iOS. Currently we are fetching the available certificates from the Mac Keychain like below. Is there something like this on iOS?


        Thank you!


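        OSStatus status;
        SecKeychainSearchRef search = NULL;
        // Search every keychain in the default search list for certificate items.
        status = SecKeychainSearchCreateFromAttributes(NULL,
                                                       kSecCertificateItemClass, NULL, &search);
        if (status != errSecSuccess) {
            [self logMessageForStatus:status];
            return nil;
        }
        SecKeychainItemRef searchItem = NULL;
        while (SecKeychainSearchCopyNext(search, &searchItem) != errSecItemNotFound) {
            SecKeychainAttributeList attrList;
            CSSM_DATA certData;
            attrList.count = 0;
            attrList.attr = NULL;
            // Copy the raw certificate bytes out of the keychain item.
            status = SecKeychainItemCopyContent(searchItem, NULL, &attrList,
                                                (UInt32 *)(&certData.Length),
                                                (void **)(&certData.Data));
            if (status == errSecSuccess) {
                // (the rest of the loop body is not shown in the post)
                SecKeychainItemFreeContent(&attrList, certData.Data);
            }
            CFRelease(searchItem);
        }
        CFRelease(search);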
        • Re: How to fetch the installed Certificates in iOS
          eskimo Apple Staff (12,735 points)

          is there something like this iOS?

          Probably not, but it kinda depends on what you mean by “certificate”.  A configuration profile has four certificate types:

          • com.apple.security.root (A)

          • com.apple.security.pkcs1 (B)

          • com.apple.security.pem (C)

          • com.apple.security.pkcs12 (D)

          On iOS, type A — and types B and C, if they are root certificates — go into the trust store, not the keychain.  There is no API to get at the trust store, but you can see its effect indirectly (via trust evaluation).

          Type D — and types B and C, if they are not root certificates — go into the keychain.  Types B and C result in a kSecClassCertificate entry, and type D results in both kSecClassCertificate and kSecClassKey entries, typically accessed via kSecClassIdentity (remember that a digital identity is the combination of a certificate and the private key that matches the public key in that certificate).  Such credentials are not directly accessible to third-party apps; QA1745 Making Certificates and Keys Available To Your App explains the background to this.

          Share and Enjoy

          Quinn “The Eskimo!”
          Apple Developer Relations, Developer Technical Support, Core OS/Hardware
          let myEmail = "eskimo" + "1" + "@apple.com"
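
The two operations the reply leaves open to a third-party iOS app, as an added Swift example (not code from the thread or from Apple): listing the certificates in the app's own keychain access groups, and observing the trust store indirectly through trust evaluation. The function names are hypothetical, the basic X.509 policy is an assumption chosen for illustration, and `SecTrustEvaluateWithError` assumes iOS 12 or later.

```swift
import Foundation
import Security

/// Certificates visible to this app. The query only reaches items in the app's
/// own keychain access groups, not credentials installed by a configuration profile.
func appVisibleCertificates() -> [SecCertificate] {
    let query: [String: Any] = [
        kSecClass as String: kSecClassCertificate,
        kSecMatchLimit as String: kSecMatchLimitAll,
        kSecReturnRef as String: true
    ]
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    // errSecItemNotFound is the normal outcome when the app has stored no certificates.
    guard status == errSecSuccess, let items = result as? [AnyObject] else { return [] }
    return items
        .filter { CFGetTypeID($0) == SecCertificateGetTypeID() }
        .map { $0 as! SecCertificate }
}

/// Asks the system whether it trusts `chain` (leaf first). The trust store cannot
/// be enumerated, so its contents only show up here as a pass or fail result.
func systemTrusts(_ chain: [SecCertificate]) -> (trusted: Bool, reason: String?) {
    var trust: SecTrust?
    let status = SecTrustCreateWithCertificates(chain as CFArray,
                                                SecPolicyCreateBasicX509(),
                                                &trust)
    guard status == errSecSuccess, let trust = trust else {
        return (false, "SecTrustCreateWithCertificates failed: \(status)")
    }
    var error: CFError?
    let ok = SecTrustEvaluateWithError(trust, &error)
    return (ok, error.map { CFErrorCopyDescription($0) as String })
}

/// Prints each app-visible certificate with the system's trust verdict for it.
func reportCertificates() {
    let certs = appVisibleCertificates()
    if certs.isEmpty { print("No certificates in this app's keychain access groups") }
    for cert in certs {
        let name = (SecCertificateCopySubjectSummary(cert) as String?) ?? "<no summary>"
        let verdict = systemTrusts([cert])
        print("\(name): trusted=\(verdict.trusted) \(verdict.reason ?? "")")
    }
}
```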