Yubico Authenticator with Smart Cards on iOS

The Smart Card on iOS feature within Yubico Authenticator facilitates smart card Transport Layer Security (TLS) authentication to websites from within the Safari browser. This feature is currently supported for iPhones/iPads with iOS/iPadOS 14.2 or later.

Smart Card on iOS allows you to easily provision the public portion of any smart card certificate stored on your YubiKey to the iOS Keychain on your iOS device. The private key of your smart card certificate remains on your YubiKey, from which it cannot be extracted.

During TLS authentication to a website, the public certificate is accessible to Safari via iOS Keychain, and Yubico Authenticator facilitates signing with the private key stored on your YubiKey. To complete authentication with Yubico Authenticator, you must plug your YubiKey into your iPhone/iPad (or scan it, if using an NFC-enabled YubiKey) and enter your smart card certificate PIN when prompted.

The Smart Card on iOS feature can also be used for signing emails and decrypting messages/documents, but this guide focuses only on certificate-based authentication. Likewise, the feature supports certificate-based authentication with third-party iOS applications, but the walkthrough included here covers only usage in the Safari browser.

X.509 Certificates

Both the iOS Keychain and the YubiKey can hold X.509 smart card certificates. Certificates are stored in the PIV application on the YubiKey, which contains 24 “slots” (for YubiKey 5 Series keys), four of which are easily accessible via the YubiKey Manager tool.

To enable the Smart Card on iOS functionality, both the public certificate and the private key need to be imported onto the YubiKey.

The YubiKey Manager tool supports importing X.509 certificates and keys in the PEM, DER, and PKCS12 formats. For Smart Card on iOS, we recommend using certificates in the PKCS12 format (files with the .p12 or .pfx extension), because both the public certificate and the private key are stored in the same file.
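
Because both the certificate and the private key must end up on the YubiKey, it helps to confirm what a downloaded file actually holds before importing it. The following is an added example, not Yubico code: a heuristic check on the leading bytes of PEM, DER, and PKCS12 files. The function names are hypothetical and the sample byte strings are constructed structural stubs, not real credentials.

```python
import re

PEM_LABEL = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----")

def der_header(data, pos):
    """Return (tag, length, content_offset) of the DER element at pos."""
    tag, first = data[pos], data[pos + 1]
    if first < 0x80:                          # short-form length
        return tag, first, pos + 2
    n = first & 0x7F                          # long form: n length bytes follow
    if n == 0 or pos + 2 + n > len(data):
        raise ValueError("indefinite or truncated length")
    return tag, int.from_bytes(data[pos + 2:pos + 2 + n], "big"), pos + 2 + n

def classify(data):
    """Heuristic: return (format, contents) for a credential file's bytes."""
    labels = [m.decode() for m in PEM_LABEL.findall(data)]
    if labels:
        cert = "CERTIFICATE" in labels
        key = any(lab.endswith("PRIVATE KEY") for lab in labels)
        found = [n for n, hit in (("certificate", cert), ("private key", key)) if hit]
        return "PEM", " + ".join(found) or "other"
    try:
        tag, _, body = der_header(data, 0)
        if tag != 0x30:                       # every format here is a SEQUENCE
            return "unknown", "other"
        inner_tag, inner_len, inner = der_header(data, body)
        if inner_tag == 0x02 and inner_len == 1:
            version = data[inner]
            if version == 3:                  # a PKCS12 PFX is always version 3
                return "PKCS12", "bundle (encrypted; certificate + private key expected)"
            if version in (0, 1):             # PKCS#1/PKCS#8 use 0, SEC1 EC keys use 1
                return "DER", "private key"
        if inner_tag == 0x30 and data[inner] != 0x06:
            return "DER", "certificate"       # tbsCertificate, not an AlgorithmIdentifier
    except (IndexError, ValueError):
        pass
    return "unknown", "other"

def has_cert_and_key(files):
    """True if the given files together supply a certificate and a private key."""
    contents = " ".join(classify(d)[1] for d in files)
    return "certificate" in contents and "private key" in contents

# Constructed structural stubs (not real credentials): only the leading bytes matter.
SAMPLE_P12 = bytes.fromhex("3082000a0201033005")
SAMPLE_DER_CERT = bytes.fromhex("300a3008a003020102020101")
SAMPLE_DER_KEY = bytes.fromhex("3006020100300100")
SAMPLE_PEM_CERT = b"-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"
```

The PKCS12 result only identifies the container; its contents are encrypted, so what is inside can be confirmed only by opening it with its password.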

Prerequisites

To use the Smart Card on iOS feature, you must have the following:

  • Apple iPhone/iPad with iOS/iPadOS 14.2 or later.
  • YubiKey 5 series key (5 NFC, 5C NFC, or 5Ci).
  • Yubico Authenticator iOS application (v.1.6 or newer).
  • Host computer.
  • YubiKey Manager tool (available for Windows, Linux, and macOS).
  • X.509 smart card certificate from a website you’d like to authenticate to. We recommend using the .p12 or .pfx file types if available. Download this file directly to your computer.

Note

If your YubiKey already has a smart card certificate stored in its PIV application, you only need an iPhone, your YubiKey, and Yubico Authenticator.

Overview: Setup Process

After satisfying the prerequisites listed above, do the following to set up and use the Smart Card on iOS feature (we use the BadSSL site for the example screenshots):

  1. Import your smart card certificate onto your YubiKey using YubiKey Manager. If your YubiKey already has a certificate stored in its PIV application, skip to the next step.

  2. Provision the public certificate to your iOS Keychain through the Yubico Authenticator application on your iOS device.

  3. Authenticate to the website that requires your smart card certificate on the Safari browser.


Troubleshooting

If you run into issues using the Smart Card on iOS feature, check out the Yubico Authenticator Smart Card Troubleshooting chapter for possible solutions.

