Dev blog post potpourri by senior software engineer Marco Eidinger

Client Certificate Handling on iOS

UpdatedJanuary 22, 2024

•2 min read

I am a Software Engineer working on open source and enterprise mobile SDKs for iOS and MacOS developers written in Swift. From 🇩🇪 and happily living in 🇺🇸

Client Certificate Authentication, a.k.a. mutual certificate-based authentication, means that the client provides its Client Certificate to the server to prove its identity. This happens as a part of the SSL Handshake (optional).

How Mutal Authentication Works

Users can install digital identities (certificates plus their associated private keys) onto their iOS devices by downloading them from within Safari, by opening them as email attachments, and by installing them with configuration profiles (MDM!).

Once done the SafariViewController or the Safari app can open the page successfully because the certificate is in the Apple keychain access group.

BUT your apps using URLSession or WKWebView will receive an HTTP 400 response because of a missing client certificate ?!?!

That's because ...

Apps can only access keychain items in their own keychain access groups. This means that items in the Apple access group are only available to Apple-provided apps such as Safari or Mail.

The solution is

... you will need to write code to import them. This typically means reading in a PKCS#12-formatted blob and then importing the contents of the blob into the app's keychain using the function SecPKCS12Import documented in Certificate, Key, and Trust Services Reference.

This way, your new keychain items are created with your app's keychain access group.

This statement comes from Apple.

Additional work is needed.

URLSession: URLSessionDelegate is required which implements URLSession:didReceiveChallenge:completionHandler: and returns URLCredential instance to resolve a client certificate authentication challenge.
WKWebView: WKNavigationDelegate is required which implements webView(_:didReceive:completionHandler:) and returns URLCredential instance to resolve a client certificate authentication challenge.

I created an iOS application to demonstrate all this better. Use this app to access https://client.badssl.com/ in various ways

URLSession.dataTask
WKWebView
SFSafariViewController
Open link in Safari

The website requires a valid user certificate. Otherwise the server returns HTTP 400.

I added badssl.com-client.p12 (downloaded from badssl.com/download) as a bundle resource for convenience. This allows you to test the successful authentication with a user certificate using URLSession and WKWebView.

Note: If the certificate no longer works (expires Dec 4, 2023), try to download the latest version from badssl.com/download.

https://youtu.be/qSzk-gMsFZ4

The source code of the app is publicly available on GitHub.

https://github.com/MarcoEidinger/ClientCertificateSwiftDemo

#ios #swift #authentication

Comments (1)

Join the discussion

João Miguel Silva Ferreira2y ago

Finally someone on whole Internet with a clue about my issue. We have a reverse proxy with internal sites that ask for client device authentication that we deploy with Intune. The certificates are working and installed correctly, but they only work with Safari. Because of internal rules, we need to use Edge on iOS for access this sites, but the problem arise. All the browsers except Safari don't send the client certificate, probably as you refer in your article, they don't have access to the keychain where they are installed.

The web server returns always the error: [ssl:error] [pid 399092:tid 139834186258176] SSL Library Error: error:1417C0C7:SSL routines:tls_process_client_certificate:peer did not return a certificate -- No CAs known to server for verification?

More from this blog

All new frameworks presented at WWDC25

WWDC25 kicked off on June 9, 2025. The information in this article reflects the information published by Apple on that date. New Frameworks NameDescription AlarmKitSchedule prominent alarms and countdowns to help people manage their time. AVR...

Jun 9, 20252 min read

My WWDC25 Week: Events, Meetups, and Where to Find Me

WWDC25 is almost here, and I couldn’t be more excited! Whether you're attending the official events, community meetups, or just soaking in the energy around Cupertino, there’s no better time to connect, share ideas, and celebrate everything we love a...

Jun 2, 20252 min read

My WWDC25 Week: Events, Meetups, and Where to Find Me

You better increase URLCache size

In this blog post, I’ll share an observation and advice regarding the caching behavior of network responses by Apple’s APIs. If you are unfamiliar with caching of network responses then I recommend Apple’s article Accessing cached data that introduce...

Sep 30, 20243 min read

All new frameworks presented at WWDC24

WWDC24 kicked off on June 10, 2024. The information in this article reflects the information published by Apple on that date. New Frameworks NameDescription AccessorySetupKitUse AccessorySetupKit to discover accessories with Bluetooth or Wi-Fi...

Jun 10, 20242 min read

SwiftUI Bottom Sheet: How to Hide Unwanted UI Components

This blog post will explain alternatives for programmatically determining a presented sheet's detent in SwiftUI. To present a bottom sheet on iOS is very easy with SwiftUI thanks to the sheet and presentationDetents modifiers. To turn a normal sheet...

Jun 8, 20244 min read

SwiftUI Bottom Sheet: How to Hide Unwanted UI Components

Dev blog post potpourri by senior software engineer Marco Eidinger

149 posts

Hello 👋🏻 , I am a Software Engineer working on open source and enterprise mobile SDKs for iOS and MacOS developers written in Swift. From 🇩🇪 and happily living in 🇺🇸

Command Palette

Comments (1)

More from this blog