Storing a Certificate in the Keychain

Overview

If you receive a certificate, perhaps from a .cer file, as shown in Storing a DER-Encoded X.509 Certificate, you can store it in your keychain for safekeeping. As with other keychain operations, begin by creating a query:

In addition to including the certificate reference itself and the kSecClassCertificate attribute value, you add a label with the kSecAttrLabel attribute, making it easier to search for the certificate later.

You then supply the query to the SecItemAdd(_:_:) function:

As always, test the return status before proceeding. Because you don’t need another reference to the certificate in this case, you omit the kSecReturnRef attribute from the query dictionary and leave the second argument to the function call empty.

Later, when you want to read the certificate back from the keychain, create a new query dictionary:

This query dictionary again uses the kSecClassCertificate value for the kSecClass entry to specify a search for a certificate item (as opposed to a key, identity, or password). Further, the query indicates the label you used when you stored the certificate. Finally, it says that the retrieval should return a certificate reference (rather than the data itself).

Use this query with the SecItemCopyMatching(_:_:) function:

Assuming the call is successful, the function populates the item reference. In Objective-C, when you are done with the certificate, you are responsible for freeing the object’s memory. In Swift, the system manages the object’s memory automatically, releasing it when the certificate goes out of scope.