TLS client certificate

I have a customer who wants to protect the REST API of their app with a private certificate. They would then distribute the client certificate to the authorized users. Their app would not work unless the client certificate is already installed on the user's phone before they run the app.

I have never done this before. Is it possible to install a client certificate on an iPhone without running an app, for example if it were sent in an email message?

And if it is possible, is App Review going to let such an app into the app store?

Thanks, Frank

This is tricky. Let me start with two general points:

  • We’re talking about an mTLS client digital identity here. A certificate is a public data structure. See TLS for App Developers for more background about this terminology.

  • You wrote:

    is App Review going to let such an app into the app store?

    I don’t work for App Review and can’t answer questions about their policy.

Coming back to the main point:

Is it possible to install a client certificate on an iPhone without running an app, for example if it were sent in an email message?

Yes and no.

There are system-wide mechanism for the user to install credentials on the device. However, these credentials go into an Apple-only keychain access group. See QA1745 Making Certificates and Keys Available To Your App. So, if you send the user an email with a .p12 attachment, that’s not going to help your app.

However, you can do this with other attachments. If you put a PKCS#12 data structure into a file with a different extension and attach that to your email, it’s possible to open that in your app.

This process is kinda clunky. There are other options here:

  • Your client could maintain their own account system. When the user logs into their an account, they could have the login process send a digital identity to the app. The app could add that to their keychain.

  • Or, if they don’t want to maintain their own accounts, use Sign in with Apple.

  • They could explore the world of Custom Apps.

Oh, and all of the above assumes that your client is targeting normal App Store users. If their selling to managed customers, there are other options.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

TLS client certificate
 
 
Q