802.1X authentication using certificates in the data protection keychain

Can you please give me a hand with importing certificates under MacOS?

I want to connect to Wi-Fi with 802.1X authentication (EAP-TLS) using a certificate that my homebrew application imported into my data protection keychain, but the imported certificate does not show up and I cannot select the certificate. It also does not show up in the Keychain Access app.

One method I have tried is to import it into the data protection keychain by using the SecItemAdd function and setting kSecUseDataProtectionKeychain to true, but it does not work.

Is there a better way to do this?

ID:

// `identities` holds the SecIdentity values produced by the earlier import (not shown in the post).
for id in identities {
    let identityParams: [String: Any] = [
        kSecValueRef as String: id,
        kSecReturnPersistentRef as String: true,
        kSecUseDataProtectionKeychain as String: true
    ]
    let addIdentityStatus = SecItemAdd(identityParams as CFDictionary, nil)
    if addIdentityStatus == errSecSuccess {
        print("Successfully added the ID.: \(addIdentityStatus)")
    } else {
        print("Failed to add the ID.: \(addIdentityStatus)")
    }
}

Certificate:

// `certificates` holds the SecCertificate values produced by the earlier import (not shown in the post).
for cert in certificates {
    let certParams: [String: Any] = [
        kSecValueRef as String: cert,
        kSecReturnPersistentRef as String: true,
        kSecUseDataProtectionKeychain as String: true
    ]
    let addCertStatus = SecItemAdd(certParams as CFDictionary, nil)
    if addCertStatus == errSecSuccess {
        print("Successfully added the certificate.: (\(addCertStatus))")
    } else {
        print("Failed to add the certificate.: (\(addCertStatus))")
    }
}

Private key:

// `keys` holds the SecKey values produced by the earlier import (not shown in the post).
for privateKey in keys {
    // A fresh application tag so each key can later be looked up individually.
    let keyTag = UUID().uuidString.data(using: .utf8)!
    let keyParams: [String: Any] = [
        kSecAttrApplicationTag as String: keyTag,
        kSecValueRef as String: privateKey,
        kSecReturnPersistentRef as String: true,
        kSecUseDataProtectionKeychain as String: true
    ]
    let addKeyStatus = SecItemAdd(keyParams as CFDictionary, nil)
    if addKeyStatus == errSecSuccess {
        print("Successfully added the private key.: \(addKeyStatus)")
    } else {
        print("Failed to add the private key.: \(addKeyStatus)")
    }
}
Answered by DTS Engineer in 827964022

Keychain Access only shows password items in the data protection keychain, something we call out in TN3137 On Mac keychain APIs and implementations:

Keychain Access displays all keychain items in file-based keychains but only password items in the data protection keychain.

)-:

Are you sure that our 802.1X support is expecting the digital identity in the data protection keychain? If it is, that’s problematic because it’ll be using a keychain access group that you can’t access. However, my experience with subsystems like this is that they typically use a file-based keychain.

One way to test this is to create an 802.1X configuration profile, install that, and see where the digital identity lands. That has the added advantage that it confirms that the macOS 802.1X client is compatible with your infrastructure, and it’s good to do that before you start writing code.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Written by DTS Engineer in 827964022
However, my experience with subsystems like this is that they typically use a file-based keychain

It states that the file-based keychains are on the road to deprecation and that some of the APIs have been deprecated.

TN3137: On Mac keychain APIs and implementations

The file-based keychain is on the road to deprecation. It’s not officially deprecated, but some of the APIs surrounding it are. For example, SecKeychainCreate was deprecated in the macOS 12 SDK. Moreover, new features, like iCloud Keychain, require the data protection keychain.

If the client certificate for the data protection keychain is not selectable in the Wi-Fi configuration, won't that be a problem when the file-based keychain is discontinued?

When I wrote TN3137 I had to strike a careful balance between the current reality and The Future™. Part of that is this quote:

In other situations your only option is the file-based keychain [my emphasis]

What I’m trying to ascertain here is whether 802.1X is one of those situations.

It’s certainly possible to create or import a digital identity in the data protection keychain. The question you have to ask yourself is who is using that digital identity? If that were your own code then the data protection keychain would be a fine choice. However, my understanding of your goal is that you want the system to use this digital identity and, if that’s the case, you have to put it where the system is expecting.

And hence my suggestion of testing this with a configuration profile. If an 802.1X configuration profile payload puts the digital identity into the file-based keychain, you are gonna have to do the same.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
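The check suggested in this thread (install a test 802.1X configuration profile, then see which keychain implementation the digital identity landed in) can be scripted. The following is an added example, not code from the thread or from Apple; it only reads item attributes, so it never touches the private key, and the label value is a placeholder you replace with the label of the identity your test profile installed.

```swift
import Foundation
import Security

/// The two keychain implementations TN3137 distinguishes.
enum KeychainHome: String {
    case dataProtection = "data protection keychain"
    case fileBased = "file-based keychain"
}

/// Labels of every identity visible in one keychain implementation.
/// `kSecUseDataProtectionKeychain` selects the data protection keychain when
/// true; false (the default) searches the file-based keychains in the search list.
func identityLabels(inDataProtectionKeychain useDataProtection: Bool) -> [String] {
    let query: [String: Any] = [
        kSecClass as String: kSecClassIdentity,
        kSecMatchLimit as String: kSecMatchLimitAll,
        kSecReturnAttributes as String: true,       // attributes only, no key material
        kSecUseDataProtectionKeychain as String: useDataProtection
    ]
    var result: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &result)
    guard status == errSecSuccess, let items = result as? [[String: Any]] else {
        // errSecItemNotFound just means this keychain holds no identities.
        return []
    }
    return items.compactMap { $0[kSecAttrLabel as String] as? String }
}

/// Reports which keychain implementation(s) hold an identity with `label`
/// (for an imported identity the label is normally the certificate's subject name).
func locate(identityLabeled label: String) -> [KeychainHome] {
    var found: [KeychainHome] = []
    if identityLabels(inDataProtectionKeychain: true).contains(label) {
        found.append(.dataProtection)
    }
    if identityLabels(inDataProtectionKeychain: false).contains(label) {
        found.append(.fileBased)
    }
    return found
}

// Placeholder: use the label of the identity installed by your test 802.1X profile.
let profileIdentityLabel = "<label of identity from test profile>"
let homes = locate(identityLabeled: profileIdentityLabel)
print(homes.isEmpty ? "identity not found in either keychain"
                    : homes.map { $0.rawValue }.joined(separator: ", "))
```

Run it once after installing the profile and once after your own `SecItemAdd` import; if the two identities land in different keychains, your app is storing the identity where the 802.1X client is not looking.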
