Smart Card on iOS Overview

The Smart Card on iOS feature enables users to perform Transport Layer Security (TLS) authentication to websites from within the Safari browser as well as digitally sign and decrypt emails via the S/MIME protocol using a YubiKey and the Yubico Authenticator for iOS/iPadOS application. This feature is currently supported for iPhones/iPads with iOS/iPadOS 16 or later.

Note

Only select mail clients support S/MIME decryption and/or digital signatures with a YubiKey and Yubico Authenticator on iOS/iPadOS. See Supported mail clients for details.

Smart Card on iOS allows you to easily provision a public X.509 certificate stored on your YubiKey to the iOS Keychain on your iOS/iPadOS device. The certificate’s private key remains on your YubiKey, from which it cannot be extracted.

During authentication, signing, and decryption, public certificates in the iOS Keychain are easily accessible to supported applications, while private key operations are facilitated by Yubico Authenticator and performed on the YubiKey over an NFC, Lightning, or USB connection.

Prerequisites

To use the Smart Card on iOS feature, you must have the following:

X.509 certificates

The Smart Card on iOS functionality requires an X.509 certificate scoped to your desired use case. For TLS authentication, you must have a certificate capable of TLS authentication to a specific website. For digital signatures and decryption, you must have an S/MIME-capable certificate that has been registered with your email address.

X.509 certificates in the PEM, DER, and PKCS12 formats can be imported onto a YubiKey. For Smart Card on iOS, we recommend using certificates in the PKCS12 format (which have the .p12 and .pfx file extensions) as the public certificate and the private key are both stored in the same file. Regardless of file format, both the public certificate and the private key need to be imported onto the YubiKey.

The YubiKey can store up to 24 X.509 certificates for use with the Smart Card on iOS feature, and they must be imported into one of the slots in the YubiKey’s PIV application. This includes any of the main slots (9A, 9C, 9D, and 9E) as well as the retired slots (82-95).

Contact your IT admin (if applicable) to obtain the necessary X.509 certificates for use with your organization’s resources. Individuals can obtain an S/MIME certificate for digital signatures and decryption directly from a Certificate Authority (CA), such as Sectigo or Actalis.

Process overview

After satisfying the prerequisites listed above, do the following to set up and use the Smart Card on iOS feature:

  1. Import your smart card certificate and private key onto your YubiKey using Yubico Authenticator for Desktop or the YubiKey Manager CLI tool (ykman).
  2. Provision the public certificate from your YubiKey to your iOS Keychain through the Yubico Authenticator application on your iOS device.
  3. For digital signatures and decryption, configure your mail client.
  4. Once the setup is complete, perform TLS authentication, sign emails, and/or decrypt emails with your YubiKey via the Yubico Authenticator application on your iOS/iPadOS device.
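As an added illustration of step 1 (not Yubico's own code), the following shell sketch checks a slot against the list given under Prerequisites and then imports both the private key and the certificate from one PKCS12 file using ykman's `piv keys import` and `piv certificates import` subcommands. The function names and the `.p12` file name are constructed for this example, and it only prints the commands unless `DRY_RUN=0` is set.

```shell
#!/bin/sh
# Added example: function names and the .p12 path are constructed for illustration.

# Accept only the slots the page lists: 9a, 9c, 9d, 9e and retired 82-95.
# The retired range is hexadecimal, so it also covers 8a-8f (20 slots).
piv_slot_ok() {
    _s=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    case "$_s" in
        9a|9c|9d|9e) return 0 ;;
        [0-9a-f][0-9a-f]) ;;
        *) return 1 ;;
    esac
    _n=$((0x$_s))
    [ "$_n" -ge 130 ] && [ "$_n" -le 149 ]   # 0x82..0x95
}

# Print every usable slot, one per line (4 main + 20 retired = 24).
list_slots() {
    _i=0
    while [ "$_i" -le 255 ]; do
        _h=$(printf '%02x' "$_i")
        if piv_slot_ok "$_h"; then echo "$_h"; fi
        _i=$((_i + 1))
    done
}

# Echo the command when DRY_RUN=1 (the default here), otherwise execute it.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# Import both halves of a PKCS12 file into one slot: the private key first,
# then the certificate. No password or management key is passed on the
# command line; ykman prompts for them when needed.
import_p12() {
    piv_slot_ok "$1" || { echo "invalid PIV slot: $1" >&2; return 2; }
    run ykman piv keys import "$1" "$2" &&
    run ykman piv certificates import "$1" "$2"
}

# Dry run with a constructed file name; set DRY_RUN=0 to touch a real YubiKey.
import_p12 9a ./constructed-user.p12
```

Importing only the certificate would leave the slot without a private key, so the iOS side could list the certificate but the YubiKey could not complete a signature or decryption with it.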

Getting help

If you run into issues, check out the Smart Card on iOS Troubleshooting chapter for possible solutions.