ios kSecClassCertificate yields -25303

I'm trying to store p12(pfx) certificate into keychain on ios with code from keychainswift essentially, just the klass changed from password to certificate:

open func setCertificate(_ value: Data, forKey key: String,
  withAccess access: KeychainSwiftAccessOptions? = nil) -> Bool {
  // The lock prevents the code to be run simultaneously
  // from multiple threads which may result in crashing
  defer { lock.unlock() }
  deleteNoLock(key) // Delete any existing key before saving it

  let accessible = access?.value ?? KeychainSwiftAccessOptions.defaultOption.value
  let prefixedKey = keyWithPrefix(key)
  var query: [String : Any] = [
    KeychainSwiftConstants.klass      : kSecClassCertificate,
    KeychainSwiftConstants.attrAccount : prefixedKey,
    KeychainSwiftConstants.valueData   : value,
    KeychainSwiftConstants.accessible  : accessible
  query = addAccessGroupWhenPresent(query)
  query = addSynchronizableIfRequired(query, addingItems: true)
  lastQueryParameters = query
  lastResultCode = SecItemAdd(query as CFDictionary, nil)
  return lastResultCode == noErr

getting -25303 (invalid attribute that is) Should I piecemeal store separetely identity, certificate chain and trust with different keys for this to work?

what's the difference between kSecClassCertificate and kSecClassPassword klasses of storage given that we have keychains sandboxes and without GUI? is this for forward compatibility with macos or something?

PS. Apple please attempt to find a tech writer who can fix the horrendous documentation around security framework. Thanks!


  • All the available attributes for a certificate are mentioned in the documentation. I believe your attrAccount is an invalid parameter and I feel, but I'm not sure that the valueData might be invalid. So remove at least the attrAccount and possibly the valueData.