Based on [QA1745], it says we must import the certificate from the system keychain into the app keychain using SecPKCS12Import.
You seem to have misinterpreted QA1745. What it says is that:
Digital identities installed via user-level mechanisms (Safari, MDM, and so on) go into an Apple keychain access group.
Third-party apps can’t access digital identities in the Apple keychain access group.
If your app needs access to such a digital identity, you will have to find your own way to provide it to your app.
SecPKCS12Import is part of that mechanism, but it does not let you import an identity from the Apple keychain access group (per the previous point).
The best way to resolve this issue in an enterprise environment is to support Kerberos Single Sign-On (SSO). That can be configured for your app via MDM and the security happens automatically, without you having to write any code.
If necessary you can combine Kerberos SSO with your existing infrastructure by putting the digital identity PKCS#12 behind Kerberos SSO authentication. Your app can then get the PKCS#12, authenticated via Kerberos SSO, import it, and then use it for other connections.
There’s a long-standing enhancement request (r. 8777306) on file for a better solution to this problem but, alas, there’s been no action on that front. It wouldn’t hurt for you to file your own enhancement request for this.
Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware
let myEmail = "eskimo" + "1" + "@apple.com"
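The "import it, and then use it for other connections" step from the answer above, as an added Swift example that is not part of the original thread or of any Apple sample code. It assumes `p12Data` is a PKCS#12 blob the app has already fetched from a Kerberos SSO-protected endpoint (that download is left to the caller) and that `passphrase` is the export password for that blob; the identity is then handed to a URLSession delegate for client-certificate authentication without writing it to the keychain.

```swift
import Foundation
import Security

/// Errors surfaced while turning a PKCS#12 blob into a usable identity.
enum IdentityImportError: Error {
    case importFailed(OSStatus)   // raw Security framework status, e.g. errSecAuthFailed
    case noIdentityFound          // blob parsed but held no identity
}

/// Parses a PKCS#12 blob with SecPKCS12Import and returns the client identity it
/// contains plus any additional chain certificates. `p12Data` is assumed to be the
/// blob your app obtained behind Kerberos SSO; `passphrase` is its export password.
func importClientIdentity(p12Data: Data, passphrase: String) throws -> (SecIdentity, [SecCertificate]) {
    let options: [CFString: Any] = [kSecImportExportPassphrase: passphrase]
    var rawItems: CFArray?
    let status = SecPKCS12Import(p12Data as CFData, options as CFDictionary, &rawItems)
    // errSecAuthFailed: wrong passphrase. errSecDecode: data is not a PKCS#12 blob.
    guard status == errSecSuccess else {
        throw IdentityImportError.importFailed(status)
    }
    guard let items = rawItems as? [[String: Any]],
          let first = items.first,
          let identityRef = first[kSecImportItemIdentity as String] else {
        throw IdentityImportError.noIdentityFound
    }
    // The dictionary value is a CF object; it bridges to the SecIdentity class type.
    let identity = identityRef as! SecIdentity
    let chain = (first[kSecImportItemCertChain as String] as? [SecCertificate]) ?? []
    return (identity, chain)
}

/// URLSession delegate that answers client-certificate challenges with the imported
/// identity and leaves every other challenge type (including server trust) to the system.
final class ClientCertificateDelegate: NSObject, URLSessionDelegate {
    private let identity: SecIdentity
    private let chain: [SecCertificate]

    init(identity: SecIdentity, chain: [SecCertificate]) {
        self.identity = identity
        self.chain = chain
    }

    func urlSession(_ session: URLSession,
                    didReceive challenge: URLAuthenticationChallenge,
                    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void) {
        guard challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodClientCertificate else {
            // Do not weaken server trust evaluation here; default handling is the safe choice.
            completionHandler(.performDefaultHandling, nil)
            return
        }
        // .forSession keeps the credential in memory for this session only.
        let credential = URLCredential(identity: identity,
                                       certificates: chain.isEmpty ? nil : chain,
                                       persistence: .forSession)
        completionHandler(.useCredential, credential)
    }
}

/// Builds a session that presents the imported identity on mutual-TLS connections.
/// `p12Data` is a placeholder for the blob downloaded behind Kerberos SSO.
func makeAuthenticatedSession(p12Data: Data, passphrase: String) throws -> URLSession {
    let (identity, chain) = try importClientIdentity(p12Data: p12Data, passphrase: passphrase)
    let delegate = ClientCertificateDelegate(identity: identity, chain: chain)
    return URLSession(configuration: .ephemeral, delegate: delegate, delegateQueue: nil)
}
```

Because the credential uses `.forSession` persistence, the identity lives only as long as the URLSession and the PKCS#12 blob itself can be discarded right after import; if the identity must survive app relaunches, it is the app's own keychain access group (not the Apple one) that it would have to be stored in.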