Managing Keys, Certificates, and Passwords

The keychain provides storage for passwords, encryption keys, certificates, and other small pieces of data. Some of these items are inherently secret, like private keys and passwords, while others are not, such as certificates. After storing data in the keychain, you can be confident that untrusted apps cannot access that data. Further, device backups contain only encrypted versions of the secret data.

Use the following APIs to work with keychain items:

• Keychain Services. Use Keychain Services to explicitly add, delete, and edit keychain items, and—in macOS only—manage collections of keychains. See Keychain Services Reference for details.

• Certificate, Key, and Trust Services. Manage certificates, public and private keys, symmetric keys, and trust policies. In particular, you can:

  • Create certificates and asymmetric keys.

  • Add certificates and keys to keychains.

  • Retrieve information about a certificate, such as the private key associated with it, the owner, and so on.

  • Convert certificates to and from portable representations.

  • Create and manipulate trust policies and evaluate a specific certificate using a specified set of trust policies.

  • Add anchor certificates.

  • Generate or verify a digital signature for a block of data.

  • Encrypt or decrypt a block of data.

  Certificate, Key, and Trust Services operates on certificates that conform to the X.509 ITU standard, uses the keychain for storage and retrieval of certificates and keys, and uses the trust policies provided by Apple. See Certificate, Key, and Trust Services Reference for more information.

• Security Interface. To display the contents of a certificate in an macOS user interface, you can use the SFCertificatePanel and SFCertificateView classes. In addition, the SFCertificateTrustPanel class displays trust decisions and lets the user edit trust decisions.