Note this question is was asked in 2001. Things have changed.

I have an iOS device that needs to access a Junos VPN. The opaque instructions from the Junos admin say that I have to retrieve a certificate that has been provisioned to the device using the Apple IPCU. I know that the cert is on the device (I can see it in Settings) and I can access the VPN though Mail, Safari and the Junos App.

The Apple docs state that each app has its own keychain and yet all three of these apps can see the cert. The fact that Jusos can access a cert provisioned by IPCU implies that any app can access this certificate. However when I try to locate it:

    CFTypeRef   certificateRef = NULL;                                                  // will hold a ref to the cert we're trying to retrieve
const char *certLabelString = "myCertificateName";                                      // c string of the certificate we're searching for.
CFStringRef certLabel = CFStringCreateWithCString( NULL, certLabelString, kCFStringEncodingUTF8); // the search we need - a string match for a UTF8 String.

const void *keys[] =   { kSecClass, kSecAttrLabel, kSecReturnRef };
const void *values[] = { kSecClassCertificate, certLabel, kCFBooleanTrue };
CFDictionaryRef dict = CFDictionaryCreate(NULL, keys, values, 3, NULL, NULL);       // set up a search to retrieve this certificate.
OSStatus status = SecItemCopyMatching(dict, &certificateRef);                               // Search the keychain, returning in dict

if(status != errSecSuccess)
    NSLog(@"keychain find returned %ld", status);

if(dict)
    CFRelease(dict);

It fails. My questions:

• Is this code correct? Actually I know it isn't because SecItemCopyMatching returns errSecItemNotFound

• What value should I use for certLabelString - I am assuming the human readable name shown in Settings.

In Settings, the cert looks like this (sadly obfuscated to death) the search text I specify is exactly the text shown in settings.

Cross posted to Apple developer forums

So the answer (on the Apple forums) is that mail.app and Safari.app share the Apple keychain identifier and this is the only keychain that you can push certificates to using the Apple MDM tool. Anyone else who comes up against this should file a defect in order to encourage Apple to do the right thing.

Since middle of 2015, there is now the Safari Services framework (next to WKWebView and UIWebView, we now have a SFSafariViewController). SFSafariViewController has the ability to access the apple keychain and therefore can use all identities :) Very nice.

https://developer.apple.com/videos/play/wwdc2015/504/

https://developer.apple.com/library/ios/documentation/SafariServices/Reference/SafariServicesFramework_Ref/index.html#//apple_ref/doc/uid/TP40016218