---

Certificate, Key, and Trust Services

Certificate, Key, and Trust Services is a C API for managing certificates, public and private keys, and trust policies. You can use these services in your application to:

• Add a certificate to a keychain

• Retrieve information from a certificate

• Retrieve a private key that’s related to a specific certificate

• Create a pair of asymmetric keys and store them in the keychain

• Retrieve the value of a trust policy

• Set anchor certificates

• Retrieve anchor certificates

• Evaluate the trust associated with a specific certificate and trust policies

• Set user-specified settings for trust policies for a given certificate (see Figure 3-3 for examples of trust settings)

Certificate, Key, and Trust Services provides a high-level API to the Apple CDSA plug-ins that manipulate certificates and keys (see “Apple CDSA Plug-ins” for information about what each plug-in does). Therefore, it operates on certificates that conform to the X.509 ITU standard, uses the Mac OS X keychain for storage and retrieval of certificates and keys, and uses the trust policies provided by Apple. See the Security Release Notes for details about Apple’s certificate trust policies.

Because certificates are used by SSL and TLS for authentication, the Secure Transport API includes a variety of functions to manage the use of certificates and root certificates in a secure connection. See “Secure Transport” for more information about Secure Transport.

To display the contents of a certificate in a user interface, you can use the SFCertificatePanel and SFCertificateView classes in the Security Objective-C API. In addition, the SFCertificateTrustPanel class displays trust decisions and lets the user edit trust decisions. See “Security Objective-C API” for more information about this API.

---