Provision Your Certificate onto Your iOS Keychain
After your smart card certificate and its private key have been imported onto your YubiKey, you must provision the certificate onto your iOS Keychain through Yubico Authenticator. After provisioning, you will be able to perform TLS authentication, signing, and/or decryption with your YubiKey and the Yubico Authenticator app.
Note
Once imported, a private key resides in the YubiKey’s secure element, from which it cannot be extracted or exported.
Provision your public certificate
If you haven’t already, download and install the Yubico Authenticator application onto your iOS/iPadOS device.
Note
Support for TLS authentication was added in version 1.6 of Yubico Authenticator for iOS/iPadOS, and support for S/MIME signing and decryption was added in version 1.13.
Open Yubico Authenticator.
On the home screen of Yubico Authenticator, click on the three dots (…) in the upper right corner of the screen and select Configuration.
On the Configuration screen, select Smart card extension under the PIV section.
Insert your YubiKey into your device.
To connect via NFC on iOS, swipe down on the screen to trigger the NFC reader and, when prompted, tap your YubiKey against the back of your device to scan it.
Note
NFC wireless connections are natively supported on iOS but not on iPadOS (current iPads do not have built-in NFC readers). For a complete breakdown of Yubico Authenticator functionality by platform and connection type for each YubiKey model, see the Yubico Authenticator Functionality table.
Once your YubiKey has been detected by the app, certificates stored in the four main PIV slots on your YubiKey (slots 9A, 9C, 9D, and 9E) as well as the retired key slots (82-95) will appear under the Certificates on YubiKey section. To provision the certificate from one of your PIV application slots onto your iOS Keychain, click the plus icon (+) next to the certificate name.
In order to perform authentication, signing, or decryption, the certificate and private key you intend to use for that purpose must be stored in a slot on your YubiKey and the certificate must be provisioned onto your iOS Keychain.
If the provisioning was successful, the name of your certificate will appear under the Public key certificates on iPhone section. You may remove certificates from your iOS Keychain at any time by clicking the minus icon (–) next to the certificate name.
Next steps
Once the appropriate certificates have been provisioned onto your iOS Keychain, you are ready to perform TLS authentication with your YubiKey and the Yubico Authenticator app.
For digital signatures and/or decryption, you must first configure your mail client.