How to generate a Key pair in the Secure Enclave, which I can use from the System Keychain - swift

How do I create a key pair in the Secure Enclave which I can access from the System Keychain?
For an internal project, I need an AD certificate where the private key should be stored in the SE. For this I wrote a Swift application which generates a key pair in the SE and builds a CSR from it.
Now I have created an AD certificate from the CSR. Because of the keychain access groups I can't access the private key.
Is there another way to create a key pair in the Secure Enclave where I can access the private key from the keychain? Or does anyone know how to connect to a company Wi-Fi / VPN with the certificate?
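The generation step the question describes, as an added example that is not part of the original post: a P-256 private key is created inside the Secure Enclave with SecKeyCreateRandomKey, stored persistently under an application tag, looked up again on later launches, and used to sign data without the key ever leaving the enclave. The tag `com.example.wifi-client-key` is a hypothetical value, and the `kSecUseDataProtectionKeychain` setting encodes the assumption that on macOS such keys live in the data protection keychain rather than the file-based System keychain, which is consistent with the access-group problem described above.

```swift
import Foundation
import Security

struct KeychainError: Error {
    let status: OSStatus
}

// Hypothetical tag; any stable, app-specific byte string works.
let wifiKeyTag = Data("com.example.wifi-client-key".utf8)

/// Attributes shared by the create and lookup paths so both address the same key.
private func baseAttributes(tag: Data) -> [String: Any] {
    var attrs: [String: Any] = [
        kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
        kSecAttrApplicationTag as String: tag,
        kSecAttrTokenID as String: kSecAttrTokenIDSecureEnclave,
    ]
    #if os(macOS)
    // Assumption: on macOS, Secure Enclave keys are stored in the data protection
    // keychain (the iOS-style keychain), not the file-based System keychain.
    attrs[kSecUseDataProtectionKeychain as String] = true
    #endif
    return attrs
}

/// Returns the stored Secure Enclave private key for `tag`, or nil if none exists.
func loadSecureEnclaveKey(tag: Data) -> SecKey? {
    var query = baseAttributes(tag: tag)
    query[kSecClass as String] = kSecClassKey
    query[kSecReturnRef as String] = true
    var item: CFTypeRef?
    guard SecItemCopyMatching(query as CFDictionary, &item) == errSecSuccess else { return nil }
    return (item as! SecKey)
}

/// Generates a new P-256 key pair inside the Secure Enclave and persists the private key.
/// Only a handle is returned; the private key material is never readable by the app.
func createSecureEnclaveKey(tag: Data) throws -> SecKey {
    var error: Unmanaged<CFError>?
    guard let access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenUnlockedThisDeviceOnly, // never migrates to backups or other devices
        .privateKeyUsage,                             // required for Secure Enclave keys
        &error
    ) else { throw error!.takeRetainedValue() as Error }

    var attrs = baseAttributes(tag: tag)
    attrs[kSecAttrKeySizeInBits as String] = 256          // the enclave supports only P-256
    attrs[kSecPrivateKeyAttrs as String] = [
        kSecAttrIsPermanent as String: true,              // keep it in the keychain
        kSecAttrApplicationTag as String: tag,
        kSecAttrAccessControl as String: access,
    ] as [String: Any]

    guard let key = SecKeyCreateRandomKey(attrs as CFDictionary, &error) else {
        throw error!.takeRetainedValue() as Error
    }
    return key
}

/// Load-or-create, so repeated launches reuse the same enclave-backed key.
func secureEnclaveKey(tag: Data) throws -> SecKey {
    if let existing = loadSecureEnclaveKey(tag: tag) { return existing }
    return try createSecureEnclaveKey(tag: tag)
}

/// Public key in ANSI X9.63 form (04 || X || Y). This is what the CSR's
/// SubjectPublicKeyInfo carries; the DER wrapping itself is outside this example.
func publicKeyX963(of privateKey: SecKey) throws -> Data {
    guard let pub = SecKeyCopyPublicKey(privateKey) else { throw KeychainError(status: errSecParam) }
    var error: Unmanaged<CFError>?
    guard let rep = SecKeyCopyExternalRepresentation(pub, &error) else {
        throw error!.takeRetainedValue() as Error
    }
    return rep as Data
}

/// Signs `message` with ECDSA over SHA-256; the operation runs inside the Secure Enclave.
func sign(_ message: Data, with privateKey: SecKey) throws -> Data {
    var error: Unmanaged<CFError>?
    guard let sig = SecKeyCreateSignature(
        privateKey, .ecdsaSignatureMessageX962SHA256, message as CFData, &error
    ) else { throw error!.takeRetainedValue() as Error }
    return sig as Data
}

// Usage: the round trip shows the stored handle is usable for signing (e.g. the CSR).
let key = try secureEnclaveKey(tag: wifiKeyTag)
let message = Data("constructed sample payload".utf8)
let signature = try sign(message, with: key)
let verified = SecKeyVerifySignature(
    SecKeyCopyPublicKey(key)!, .ecdsaSignatureMessageX962SHA256,
    message as CFData, signature as CFData, nil
)
print("public key bytes:", try publicKeyX963(of: key).count, "signature verified:", verified)
```

Because the key is only ever reachable through the keychain of the app (or access group) that created it, any other process that needs to use the resulting certificate has to share that access group; the key cannot be exported into the file-based System keychain.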

Related

Where to save client's public key and retrieve to encrypt data

I have a public key of a customer that I need to use to encrypt credentials and send to the customer to obtain an auth token, which I will be using for all further communication with the customer's services.
For testing purposes, I saved the public key into a file and I am able to successfully obtain the auth token.
Now, the question is where I need to store this key safely. Options that I can think of are web.config, as it is not browsable, or keeping it in a file. Both seem to be unsafe.
If I keep it in a file, can I save it into the Windows trusted store? If yes, how can I save it, and since I will have multiple such keys in the trusted store, how will I retrieve this particular key to encrypt the credentials the next time I need to encrypt?
I am using a Windows machine for the production server and .NET to encrypt, just in case it makes a difference.
I think you can encrypt this certificate with another RSA key pair. Save the key and the encrypted data on different platforms. For example, save the encrypted data in the DB and save the RSA key in the file system in a protected folder. The protected folder can be the user directory of the application user. Encrypt the certificate outside of the platform with a separate tool. Don't save your RSA private key in the application system.

is it safe to save the Certificate signing request for multiple use?

For iPhone push notification SSL certificates, you need to provide them with CSR files...
I have saved a CSR file for some time now, and I always upload the same CSR file whenever I want to generate the SSL certificates...
Now I've been thinking, since when generating CSR files I'm actually generating the private key, and probably the public key too...
So I'm wondering what disadvantages I'm facing when I'm using the same CSR file... though when I download the SSL certificates, they appear in the keychain as if there are multiple private keys (though they have the same name) and each is attached to a different SSL certificate.
Is it recommended to generate a new CSR file every time? And why? And if it's not necessary, then how?
Thank you
A certificate request contains the public key, and you have an associated private key. So by re-using it you basically get the same key pair signed again and again.
The disadvantage is obvious: if one key gets leaked, all your certificates get compromised. This is why re-generation of key pairs each time is necessary.

Is it possible to associate a certificate using two private/public keys?

I've got a weird situation here: I developed an app in 2011 using a MacBook (private key: alida). Then a couple of months ago I was having some problems migrating the cert to another machine, so I just decided to revoke it and generate another certificate, now using another set of private keys (francisco).
The situation is that now I have both certificates using two private keys in the keychain (and the old cert expired).
The question: is there a way to pair both private keys (francisco & alida) with one certificate in the keychain? Or do I just have to leave one of my apps behind? Both apps are already in the App Store.
This is how my keychain (new machine) looks:
Any suggestion on what I should do? Is there any hope to fix this?
Thanks in advance.
[edit]
Another screenshot from the "My Certificates" tab in Keychain; so basically I lost one of my apps (no updates ever?). I think if that's the case, I will revoke the current cert again and renew it with the keys from 2011 (first app generated) and forget the other one :/
In this context, keys come in pairs: (public, private). A certificate is just a file containing your public key plus some extra data including a "subject" which is information associating the public key to a specific person or entity (such as a DNS address) and, most importantly, a signature from a signing authority certifying (hence "certificate") that the public key is owned by the entity. These key-pairs are inextricably bound: there is no meaningful way to associate the private key from one key-pair to the public key/certificate of a different key-pair.
Normally, a signer (such as Apple in this case) will not generate two certificates with the exact same subject without revoking the earlier certificate first.
If you have an app at the iTunes store signed with a revoked certificate, it needs to be replaced with one signed by the newer, non-revoked certificate.
I think there is no way to pair both private keys. You should now go with the new private key.

How to establish a SecIdentityRef in an iPhone keychain ? (Without a .p12)

How do you create a SecIdentityRef in an iPhone keychain if
1) you already have the private key in the keychain and
2) you have just received the certificate from a CA?
SecPKCS12Import does not help in this case unless there is an API to create a .p12 from a private key and a certificate.
SecIdentityCreateWithCertificate would be the answer on the Mac but it does not exist on the iPhone.
Is it possible using SecItemAdd ?
http://developer.apple.com/library/ios/#documentation/Security/Reference/keychainservices/Reference/reference.html
many thanks, Andrew
OK, to answer my own question:
On iOS the keychain will automatically bind the certificate to the private key. That means you only need to:
Generate the key pair
Get a certificate that matches the private key
Insert the certificate into the keychain.
After this you should be able to get a SecIdentityRef for the certificate / private key.
IMPORTANT:
The SecItemAdd function allows you to insert the certificate data directly (NSData of the DER representation). This way you will be able to get a valid certificate reference, but not an identity ref.
The right way to insert the certificate is to first use the SecCertificateCreateWithData function over the DER bytes of the certificate. This will return a SecCertificateRef object which then should be used to persist the certificate into the keychain using the SecItemAdd function.
I hope this will make someone's life easier ;-)
Regards,
Pece
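The three steps above in Swift, as an added example that is not part of the original answer: the CA-issued DER bytes are wrapped with SecCertificateCreateWithData, the resulting reference (not the raw data) is added with SecItemAdd, and the keychain is then queried for a kSecClassIdentity item. A preflight check compares the certificate's public key with the one derived from the stored private key, because the keychain only forms an identity when they match. The label `com.example.client-identity` and the parameters `derFromCA` and `privateKey` are hypothetical; the `kSecUseDataProtectionKeychain` lines encode the assumption that on macOS the certificate must be stored in the same keychain as the private key (the data protection keychain for a Secure Enclave key).

```swift
import Foundation
import Security

struct KeychainError: Error {
    let status: OSStatus
}

/// Verifies that `cert` certifies the public half of `privateKey` before anything is stored.
/// If this is false, no identity will ever appear in the keychain, however the cert is added.
func certificateMatches(_ cert: SecCertificate, privateKey: SecKey) -> Bool {
    guard let certKey = SecCertificateCopyKey(cert),
          let ourKey = SecKeyCopyPublicKey(privateKey),
          let a = SecKeyCopyExternalRepresentation(certKey, nil),
          let b = SecKeyCopyExternalRepresentation(ourKey, nil) else { return false }
    return (a as Data) == (b as Data)
}

/// Step 3 of the answer: wrap the DER bytes in a SecCertificate and add that reference
/// (not the raw DER data) to the keychain.
func installCertificate(der: Data, label: String) throws -> SecCertificate {
    guard let cert = SecCertificateCreateWithData(nil, der as CFData) else {
        throw KeychainError(status: errSecDecode)   // not valid DER X.509
    }
    var attrs: [String: Any] = [
        kSecClass as String: kSecClassCertificate,
        kSecValueRef as String: cert,
        kSecAttrLabel as String: label,
    ]
    #if os(macOS)
    // Assumption: the certificate has to live in the same keychain as the private key.
    attrs[kSecUseDataProtectionKeychain as String] = true
    #endif
    let status = SecItemAdd(attrs as CFDictionary, nil)
    guard status == errSecSuccess || status == errSecDuplicateItem else {
        throw KeychainError(status: status)
    }
    return cert
}

/// Once the certificate sits next to a matching private key, an identity query returns
/// the pair as a single SecIdentity; the label of the certificate is used to find it.
func loadIdentity(label: String) throws -> SecIdentity {
    var query: [String: Any] = [
        kSecClass as String: kSecClassIdentity,
        kSecAttrLabel as String: label,
        kSecReturnRef as String: true,
        kSecMatchLimit as String: kSecMatchLimitOne,
    ]
    #if os(macOS)
    query[kSecUseDataProtectionKeychain as String] = true
    #endif
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    guard status == errSecSuccess else { throw KeychainError(status: status) }
    return (item as! SecIdentity)
}

/// End-to-end: `derFromCA` stands for the certificate returned by the CA and `privateKey`
/// for the SecKey generated before the CSR was built (both hypothetical inputs).
func installAndLoadIdentity(derFromCA: Data, privateKey: SecKey, label: String) throws -> SecIdentity {
    guard let cert = SecCertificateCreateWithData(nil, derFromCA as CFData),
          certificateMatches(cert, privateKey: privateKey) else {
        throw KeychainError(status: errSecParam)    // wrong cert for this key
    }
    _ = try installCertificate(der: derFromCA, label: label)
    let identity = try loadIdentity(label: label)

    // Confirm the identity really resolves back to a private key we can use.
    var key: SecKey?
    let status = SecIdentityCopyPrivateKey(identity, &key)
    guard status == errSecSuccess, key != nil else { throw KeychainError(status: status) }
    return identity
}

// Usage sketch (the two inputs come from the CA and from the earlier key generation):
// let identity = try installAndLoadIdentity(derFromCA: derBytes,
//                                           privateKey: myKey,
//                                           label: "com.example.client-identity")
```

The identity returned here is what URLSession or the EAP/VPN configuration APIs expect when they ask for a client certificate, so a failed `loadIdentity` call is the quickest signal that the certificate was stored as raw data or next to the wrong key.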

how to associate private key with a certificate in keychain

I just downloaded iPhone SDK 4. When I try to install on the device I get
"Code Sign error: The identity 'iPhone
Developer' doesn't match any valid
certificate/private key pair in the
default keychain"
I have gone through the process of creating a provisioning profile and cert through the iPhone Development Provisioning Assistant. However, after installing the profile and cert, the assistant asks to check whether the public and private keys are paired (surprisingly, it shows a picture of what seems to be a private key and cert being paired, i.e. the cert is 'under' the private key in hierarchical terms). This is not the case in my keychain. Public key, private key and cert are there, but there doesn't seem to be any association.
Does anyone know how to pair a private key and certificate in the keychain, please?
PS. I have checked this thread but I'm hoping there's an easier way.
iPhone app signing: A valid signing identity matching this profile could not be found in your keychain
I wrote a wiki page (here) that describes how to export your certificate and private key pair. It's intended for my iOS development clients to send me their ad-hoc, but I believe it will solve your problem, too. The key is to make sure that you export the certificate and private-key PAIR all in one go, not as two separate exports.
Hopefully, the screenshot near the bottom of that page will help out.