Introduction

The Smart Card on iOS feature within Yubico Authenticator facilitates smart card Transport Layer Security (TLS) authentication to websites from within the Safari browser. This feature is currently supported for iPhones with iOS 14.2 or later.

The feature allows you to easily provision the public portion of any smart card certificate stored on your YubiKey to the iOS Keychain on your iPhone. The private key of your smart card certificate remains on your YubiKey, from which it cannot be extracted.

During TLS authentication to a website, the public certificate is accessible to Safari via iOS Keychain, and Yubico Authenticator facilitates signing with the private key stored on your YubiKey. To complete authentication with Yubico Authenticator, you must plug your YubiKey into your iPhone (or scan it if using an NFC-enabled YubiKey) and enter your smart card certificate PIN when prompted.

[Screenshot: PIN entry prompt]

X.509 Certificates

Both the iOS Keychain and the YubiKey can hold X.509 smart card certificates. Certificates are stored in the PIV application on the YubiKey, which contains four “slots”, three of which can hold certificates.

To enable the Smart Card on iOS functionality, both the public certificate and the private key need to be imported onto the YubiKey.

The YubiKey Manager tool supports importing X.509 certificates and keys in the PEM, DER, and PKCS12 formats. For Smart Card on iOS, we recommend using certificates in the PKCS12 format (files with the .p12 or .pfx extension), as both the public certificate and the private key are stored in the same file.
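As an added illustration (not part of Yubico's documentation or tooling), this standard-library Python sketch identifies which of the three formats a file uses and whether it can be seen to carry both the certificate and the private key. The function names and sample bytes are constructed for this example; it recognizes only X.509 v3 certificates in DER form and does not decrypt PKCS12 contents.

```python
import re

PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----.*?-----END \1-----", re.S)
# Constructed samples: structural skeletons only, not real certificates or keys.
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"
              b"-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n")
SAMPLE_DER = bytes.fromhex("300c3005a0030201023000030100")
SAMPLE_P12 = bytes.fromhex("30050201033000")

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:  # long-form length: low 7 bits give the byte count
        n = first & 0x7F
        if not 1 <= n <= 4:
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def classify(data):
    """Return (format, has_certificate, has_private_key); None means unknown."""
    labels = [m.decode() for m in PEM_BLOCK.findall(data)]
    if labels:
        return ("PEM", "CERTIFICATE" in labels,
                any(name.endswith("PRIVATE KEY") for name in labels))
    try:
        tag, start, _ = read_tlv(data, 0)
        if tag != 0x30:
            raise ValueError("outer element is not a SEQUENCE")
        first_tag, fstart, fend = read_tlv(data, start)
        # PFX (RFC 7292) opens with INTEGER version 3. Its bags are normally
        # encrypted, so contents stay unknown (None) without the password.
        if first_tag == 0x02 and data[fstart:fend] == b"\x03":
            return ("PKCS12", None, None)
        # X.509 v3 Certificate (RFC 5280): tbsCertificate SEQUENCE opening
        # with the [0] EXPLICIT version tag. A bare DER certificate has no key.
        if first_tag == 0x30 and read_tlv(data, fstart)[0] == 0xA0:
            return ("DER", True, False)
    except (IndexError, ValueError):
        pass
    return ("unknown", False, False)

if __name__ == "__main__":
    for name, blob in [("pem", SAMPLE_PEM), ("der", SAMPLE_DER), ("p12", SAMPLE_P12)]:
        print(name, classify(blob))
```

A PEM or DER result with no private key means the key has to be supplied from a separate file before the YubiKey holds both parts.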

Prerequisites

To use the Smart Card on iOS feature, you must have the following:

  • Apple iPhone with iOS 14.2 or later.
  • YubiKey 5 series key (5 NFC, 5C NFC, or 5Ci).
  • Yubico Authenticator iOS application.
  • Host computer.
  • YubiKey Manager GUI or CLI tool (available for Windows, Linux, and macOS).
  • X.509 smart card certificate from a website you’d like to authenticate to. We recommend using the .p12 or .pfx file types if available. Download this file directly to your computer.

Note

If your YubiKey already has a smart card certificate stored in its PIV application, you only need an iPhone, your YubiKey, and Yubico Authenticator.

Overview: Setup Process

After satisfying the prerequisites listed above, do the following to set up and use the Smart Card on iOS feature (we use the BadSSL site for the example screenshots):

  1. Import your smart card certificate onto your YubiKey using YubiKey Manager. If your YubiKey already has a certificate stored in its PIV application, skip to the next step.

    [Screenshot: certificate imported in YubiKey Manager GUI]
  2. Provision the public certificate to your iOS Keychain through the Yubico Authenticator application on your iOS device.

    [Screenshot: adding the certificate in Yubico Authenticator]
  3. Authenticate to the website that requires your smart card certificate in the Safari browser.

    [Screenshot: Yubico Authenticator alert]