Note: If you received your Twocanoes Store purchase and are looking for the Quick Hardware Setup Guide, visit https://twocanoes.com/piv-getting-started.
Smart Card Utility is an application that allows you to use and manage smart cards on your iOS or iPadOS device. It works by importing the certificates from an inserted smart card and making them available to any application that requests them. Built-in applications such as Safari and Mail, as well as the VPN and wireless functions of your device, can use these imported certificates. If using tokens is enabled in a third-party app, certificates are also usable there. When an app selects a certificate for authentication, the extension in Smart Card Utility talks to the smart card reader to perform the authentication; the app then authenticates transparently to the reader.
Why Smart Card Utility for iOS and iPadOS?
We believe that the security of a smart card shouldn’t compromise convenience and functionality. For this reason, we created Smart Card Utility for macOS in 2018, augmenting the use of, and providing easier access to, smart cards within macOS.
However, unlike macOS, iOS and iPadOS devices do not natively support the use of smart cards for authentication. Smart Card Utility for iOS and iPadOS not only adds smart card authentication support, but also brings over some functionality from our macOS Utility alongside features specific to iOS and iPadOS. Along with the benefits of portability these mobile devices bring, Smart Card Utility allows iOS and iPadOS devices to support smart cards in an easy-to-use, intuitive way.
To run the current version of Smart Card Utility for iOS, you’ll need:
- iPhone 6S/iPhone SE/iPod touch 7th generation or later
- iOS 14.0 or later
To run the current version of Smart Card Utility for iPadOS, you’ll need:
- iPad (5th generation)/iPad mini 4/iPad Air 2/iPad Pro or later
- iPadOS 14.0 or later
For functions requiring a Lightning port, you’ll need one of the following devices:
- iPhone 6S or later
- iPhone SE or later
- iPod touch 7th generation or later
- iPad (5th generation or later)
- iPad mini 4/iPad mini (5th generation)
- iPad Air 2/iPad Air (3rd generation)
- iPad Pro:
  - 12.9-inch (1st and 2nd generation)
For functions requiring a USB-C connector, you’ll need one of the following iPad models:
- iPad Pro 12.9-inch (3rd generation or later)
- iPad Pro 11-inch
- iPad Air (4th generation or later)
- iPad mini (6th generation or later)
Smart Card Hardware
Smart Card Utility also requires compatible hardware for full functionality, namely, a smart card and a smart card reader. This includes:
- One of the following compatible smart cards:
  - Any PIV-compatible smart card
  - A PIV-Transitional (CAC) Card. Tested on:
    - Giesecke & Devrient Sm@rtCafe Expert v7.0 (G+D FIPS 201 SCE 7.0)
- One of the following compatible smart card readers:
—or, the following all-in-one solutions from a third party, containing both a smart card and a reader—
- iOS/iPadOS device compatible YubiKey devices (i.e., Lightning or USB-C connections)
For more information, see Using Compatible Devices below.
Using Compatible Devices
Whether you purchase a smart card reader from Twocanoes or a third party, it is important to know how to use your compatible devices with Smart Card Utility. Below are some instructions on how to use all smart card readers compatible with our software:
Smart Card Utility Bluetooth, Smart Card Utility USB-C, and the Smart Card Utility Lightning all contain FEITIAN-based readers alongside other purchase contents. However, FEITIAN readers purchased through a third party and listed in the Smart Card Hardware Requirements are also compatible with Smart Card Utility, though they do not contain a hardware activation code.
Twocanoes Store Purchases
Twocanoes offers three hardware packages for Smart Card Utility. Each hardware purchase includes a license of our Smart Card Utility software in the price of the package.
The first two packages, Smart Card Utility Bluetooth and Smart Card Utility USB-C, provide a wireless solution for iPhone/iPad and a wired solution for iPad Pro, respectively. Smart Card Utility Lightning provides a wired solution for all iOS or iPadOS devices with a Lightning port.
Listed below are the technical specifications for hardware packages sold through the Twocanoes Store:
Smart Card Utility Bluetooth:
- FEITIAN bR301 BLE Contact Bluetooth 4.2 Smart Card Reader (Casing: C45)
Smart Card Utility USB-C:
- FEITIAN iR301-U Card Reader
- 1.5′ USB 3.2 Gen 2 Type-C Male to Female Extension Cable
- Zaught Lightning to USB-C Adapter
- Custom Enclosure
(iPad, iPad case, and keyboard not included)
Smart Card Utility Lightning:
- FEITIAN iR301 Mobile Dongle Reader
As Twocanoes smart card readers are FEITIAN-based, please select “FEITIAN Reader” when scanning with any Twocanoes Reader (more information in Scan below).
Setup for use with Smart Card Utility
Plug-in (Lightning or USB-C Devices)
To connect a smart card reader to an iOS or iPadOS device that uses a Lightning port, verify that your smart card reader and your iOS/iPadOS device are able to connect. If using a compatible Lightning reader, such as Smart Card Utility Lightning, you may connect it to your iOS/iPadOS device via the Lightning connector.
However, if your device has a USB-C connector, you are unable to use the FEITIAN iR301-U without a Lightning to USB-C Adapter. Smart Card Utility USB-C is meant specifically for use on iPad Pro, which has a USB-C connector instead of Lightning. If you have not purchased the Smart Card Utility USB-C, you are still able to use a third-party FEITIAN iR301-U on a USB-C connector iPad with the help of a Lightning to USB-C adapter, though we cannot guarantee your third-party adapter will be compatible with your Apple device.
Similarly, older YubiKey models that don’t support USB-C may be usable on USB-C connector iPads with the use of an adapter (more information here).
Note: Due to the hardware limitations of your device, using a Bluetooth FEITIAN Reader via the Micro-USB cable and an adapter is not supported on iPadOS or iOS.
Smart Card Utility Bluetooth comes with the aforementioned FEITIAN Bluetooth reader included. To use our Bluetooth reader, or your own FEITIAN Bluetooth reader, on your iOS or iPadOS device, make sure to enable Bluetooth on your iPhone or iPad before using Smart Card Utility.
To turn on the reader, simply press the button on the bottom, between the indicator lights and the USB connector. To turn off the reader, press and hold the same button. You may need to turn your reader on again throughout your use of Smart Card Utility, as the reader automatically turns off for security purposes when switching applications. Simply press the power button again and your reader should connect to your device. If you have any trouble, see the Troubleshooting section.
The green indicator light (second from the left) indicates power, while the blue light (third from the left) indicates Bluetooth connection. When the blue light is flashing, the FEITIAN reader is searching for a Bluetooth connection. When the green indicator light is flashing, the contents of the inserted smart card are being accessed.
Smart Card Utility also supports compatible YubiKey devices, i.e., those with Lightning or USB-C connectors that insert into your iOS or iPadOS device.
Compared to FEITIAN readers, setup is relatively easy: just insert your YubiKey into your iOS or iPadOS device.
To download Smart Card Utility on iOS or iPadOS, search for “Smart Card Utility” on the Apple App Store. Those who have purchased hardware from us (i.e., Smart Card Utility Bluetooth, Smart Card Utility USB-C, or Smart Card Utility Lightning) receive a hardware activation code for the software. If using your own supported hardware purchased via a third party, you must purchase the full version of the app within Smart Card Utility at the end of your free trial. See Trial/Purchase for more details.
Before using Smart Card Utility right away, please follow the onscreen prompts:
When first setting up Smart Card Utility, you may see a prompt like this:
In order to maintain communication about the status of your reader or certificate authorizations as you use other apps, Smart Card Utility utilizes Notifications to send important status updates about Token Status. So that Smart Card Utility can send these status updates, please turn on Notifications when first opening up the app; also, please keep them on throughout your use to ensure proper function.
If you select “Don’t Allow” by mistake, you can always go to Settings → Notifications → Smart Card Utility → Allow Notifications to turn them on:
When first opening Smart Card Utility, you’ll see the following opening prompts:
In addition to basic information about our application, you also have the ability to access the Twocanoes Store to see purchasing options for Smart Card Utility hardware. Do so by tapping “Get Reader” in the top-right, though you also have access to store redirection once you exit the opening prompts and view the Main Interface. To exit the opening prompts, tap “Let’s Go!” at the bottom of the last prompt.
You can view these prompts anytime by selecting “Reset Prompts” in Settings, force quitting Smart Card Utility, and opening the app again. See the Settings section for more information.
Smart Card Utility is free to download and contains a trial period of two weeks. However, the full use of our software requires an in-app purchase or a hardware activation code to allow for continued use. If you do not have a hardware activation code for Smart Card Utility and would like to purchase the full version, you may do so from the above in-app purchase prompt upon opening Smart Card Utility. Prices may vary from the information shown here. To dismiss this prompt during the free trial, you may press “Continue” or swipe away the panel. When your free trial ends, you’ll still be able to view the Main Interface, but this prompt will change to “your trial is now complete” and prevent you from using the full functionality of our software:
Those who purchase Smart Card Utility Bluetooth, Smart Card Utility USB-C, or Smart Card Utility Lightning have a hardware activation code; for customers with any of our Smart Card Utility hardware products, please refer to the instructions in your purchase package and email to use the hardware activation code instead of making an in-app purchase.
After reading the Opening Prompts, allowing Notifications, and acknowledging purchasing the full version (or acknowledging the free trial) of Smart Card Utility, you will see the Main Interface. Before further use, it is recommended to Activate your Twocanoes smart card reader, as the free trial prompt will continue to appear in front of the Main Interface until the full app is purchased or your hardware is activated. See Activate Reader below for more information.
Each element of the interface above is listed below:
- Log: Shows the scan log for the app. In order to view and populate the log, you must first enable Logging in Settings. After doing so, tapping the Log button in the Main Interface will allow you to view the log text. From there, you can copy and paste sections for diagnostic use, share all text to other applications (Mail, Notes, Messages, etc.) using the “Share” button in the top right, or clear the log using the “Clear” button to the left of “Share”:
- Test: Tapping Test redirects to the Smart Card Utility Test Links website for use with inserted identities without leaving the app; this is done on an in-app browser. While using the in-app browser, Logging allows you to log any issue you have with certificate authentication. See the Example Walkthrough for more information on using this test website.
- Information Button (ⓘ): Redirects to this guide
- Get Reader: Redirects to the Smart Card Utility purchase page, where you can buy our hardware packages with included software.
- Scan: Begins the scanning process for smart cards. See Scan below for more information
- Inserted Identities: All scanned identities will appear in the Inserted Identities list. See Inserting Certificates for more information
- Remove/Remove All: Allows you to remove inserted identities from the main window. See Removing Identities from the Main Interface for more information
- Activate Reader: (More Information in the Quick Hardware Setup Guide) Tapping this button will take you to an entry field. Enter your reader’s hardware code here and tap “OK” to unlock the full application. A successful prompt should show; if not, tap “OK” and try again:
- Settings: Tapping settings will take you to the settings menu of Smart Card Utility (not the built-in Settings application). There, you can toggle Logging and Reset the Opening Prompts:
In order to view or store certificate identities in Smart Card Utility, you must first Scan them. Below, we’ll walk you through a Scan to familiarize you with the process.
Before starting a Scan, make sure Bluetooth is turned on if using a Bluetooth smart card reader.
Begin by tapping “Scan” at the top of the Main Interface.
Selecting Reader Type (Smart Card Reader Connection)
After tapping “Read Certificates”, the above prompt will appear to select your smart card reader type. Here, in the Smart Card Reader Connection Menu, select the type of smart card reader you will use to continue with your smart card Scan.
After completing reader setup (see Setup for use with Smart Card Utility) and waiting for your smart card reader to appear, you should see a list of available readers in the previously empty scan list:
Tap the desired smart card reader to view the certificates on the smart card connected to it.
After reader selection, the scanning process begins. While you may see the details of the Scan in the Log (if enabled) after completing the Scan, you will be redirected to the Certificates Screen after a few moments without the need for any user input. While the scan is completing, do not attempt to interact with the Main Interface, as inputs are disabled.
You also have the ability to refresh the reader list by pulling down on the list itself. If your reader does not appear at first, Refreshing the list will be helpful in ensuring that the list of connected readers is current, in addition to resetting your Bluetooth connection (see Troubleshooting for more details).
After successfully selecting and scanning a smart card reader, Smart Card Utility will redirect you to the Certificate Screen. See the Certificates section for use. Note: it may take up to 15 seconds to redirect to the Certificate Menu. No user input is needed while redirecting, so no need to interact with the Main Interface while Smart Card Utility does the work securely and behind the scenes.
Removing Identities from the Main Interface
After identities are Scanned and inserted, they can be easily removed individually or all at once. This may be useful in clearing a device, removing out-of-date certificates, or any other purpose you may find removing certificates from your device necessary.
Selecting and Removing
In order to remove only certain identities, tap “Remove” next to the identity you wish to remove. No other tapping or highlighting is required.
While there is no prompt confirming the removal of your certificate, it will be deleted from your device, disappear from the Inserted Identities list, and no longer appear for use in other applications. If accidentally removed, there are no restrictions from Scanning certificates again after removal, though you may need to enter a PIN again when used for authentication outside of the Smart Card Utility app.
In order to remove all identities, tap the “Remove All” button at the top-right of the main interface.
After Scanning your smart card via the Scan methods detailed above, you are able to view the certificates contained on the smart card itself on the Certificates Screen, alongside an Email Certificates button (see Emailing Certificates) and the number of PIN Attempts Remaining for your smart card:
For example, this Scanned smart card has two certificates, named “9a:PIV Authentication” and “9e:Card Authentication”. On this screen, you can insert, email, or view the details of certificates stored on the Scanned smart card. Once a smart card is inserted, you may still email or view the details of those certificates by accessing them on the Main Interface.
Like in the example above, the certificates on your smart card can appear colored red: this means they are untrusted certificates. To trust the certificates, begin by speaking with your administrator to install intermediate and/or root certificates on your iOS/iPadOS device via the Settings app as needed.
Once you’ve downloaded the intermediate and/or root certificates, visit the Settings App and Tap “Profile Downloaded”:
Follow the instructions to install the profile and certificates. Click Install in the top right corner:
Take note of warnings and contact your administrator to ensure that your intermediate and/or root certificates are not expired. Tap Install in the top right again, then tap the “Install” option in the Install Profile prompt:
Once installation is complete, they can be used by Smart Card Utility to verify Certificates as trusted.
Refer to Apple’s documentation if you need more support after receiving the intermediate and/or root certificates to install.
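As an added example (not part of the Twocanoes guide or software), the following script shows a check an administrator can run with the `openssl` command line before distributing root and intermediate certificates. It builds a constructed root, intermediate and card certificate, shows that the card certificate fails chain validation when the intermediate is missing, and flags certificates that are close to expiry; all subjects, file names and validity periods are made up for the demonstration.

```shell
#!/bin/sh
# Added example. Every certificate below is constructed test data,
# not real PIV/CAC material; file names and subjects are made up.

# Build a throwaway chain in directory $1:
#   root CA -> intermediate CA -> card certificate (all RSA 2048).
make_demo_pki() {
    d="$1"
    mkdir -p "$d" || return 1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\n' > "$d/leaf.ext"
    for n in root int leaf; do
        openssl genrsa -out "$d/$n.key" 2048 2>/dev/null || return 1
    done
    openssl req -new -key "$d/root.key" -subj "/CN=Constructed Demo Root CA" -out "$d/root.csr" || return 1
    openssl req -new -key "$d/int.key" -subj "/CN=Constructed Demo Intermediate CA" -out "$d/int.csr" || return 1
    openssl req -new -key "$d/leaf.key" -subj "/CN=Constructed 9a PIV Authentication" -out "$d/leaf.csr" || return 1
    # Root is self-signed; the intermediate is signed by the root,
    # and the card certificate is signed by the intermediate.
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 365 \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null || return 1
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -set_serial 2 \
        -days 30 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null || return 1
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -set_serial 3 \
        -days 30 -extfile "$d/leaf.ext" -out "$d/leaf.pem" 2>/dev/null || return 1
}

# Print "trusted" if the card certificate ($1) chains to the root ($2),
# optionally through an intermediate ($3); otherwise print "untrusted".
chain_status() {
    leaf="$1"; root="$2"; inter="${3:-}"
    if [ -n "$inter" ]; then
        if openssl verify -CAfile "$root" -untrusted "$inter" "$leaf" >/dev/null 2>&1; then
            echo trusted; else echo untrusted; fi
    else
        if openssl verify -CAfile "$root" "$leaf" >/dev/null 2>&1; then
            echo trusted; else echo untrusted; fi
    fi
}

# Succeed (exit 0) if certificate $1 expires within $2 days.
# openssl's -checkend exits 0 when the certificate is still valid at that time.
expires_within_days() {
    if openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Subject, issuer and expiry: the fields used to tell similar certificates apart.
cert_summary() {
    openssl x509 -in "$1" -noout -subject -issuer -enddate
}

# Demonstration on the constructed chain.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
make_demo_pki "$demo_dir"
cert_summary "$demo_dir/leaf.pem"
echo "root + intermediate available: $(chain_status "$demo_dir/leaf.pem" "$demo_dir/root.pem" "$demo_dir/int.pem")"
echo "root only (intermediate missing): $(chain_status "$demo_dir/leaf.pem" "$demo_dir/root.pem")"
if expires_within_days "$demo_dir/int.pem" 60; then
    echo "intermediate expires within 60 days: plan a replacement before distributing it"
fi
```

To check real files, call `chain_status` and `expires_within_days` with your own PEM-encoded card, root and intermediate certificates instead of the constructed ones.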
Now, your certificate will appear within the name of the reader used for importing on the Main Interface after tapping “Back” in the top-left.
Here, we’ve gone through the insertion process for both certificates on the example smart card used. This Certificates Screen is nearly identical to the one used during a Scan. However, only inserted certificates will appear, insertion is removed (as it already occurred during the Scan for these certificates), and “PIN Attempts Remaining” is also removed (as the smart card with the PIN is not being read directly, rather the inserted certificates are being viewed).
If you’d like to share a certificate from a scanned smart card either from a Scan (as above) or from viewing inserted certificates via the Main Interface, you may do so by tapping “Email Certificates” in the top-right of the Certificates Screen. If emailing while viewing the Certificates Screen redirected from a Scan, all certificates stored on the card will appear in the draft; if emailing after insertion and accessing the Certificates Screen from the Main Interface, only inserted certificates will appear. Again, to access certificates after insertion, tap the reader with the associated certificate identities on the Main Interface to view a list of certificates inserted with that reader:
After tapping the “Email Certificates” button, a Mail draft will appear.
Use this draft as you would the Mail app, using a secure email account to send when necessary, but take care to delete any certificates you do not wish to send by highlighting or moving your cursor in front of the file you wish to remove, then pressing backspace to delete the file as you would text. Any keyboard or mouse connected to your iOS or iPadOS device may also be used when editing this draft.
Make sure to set up the built-in Mail app (i.e., add an email address in the Settings app and complete setup within Mail) before emailing certificates, as this feature requires a completed setup. If Mail is not set up, you will receive an error message when tapping the “Email Certificate” button.
If you select a certificate from the certificate screen, you can also view its certificate details. These details include:
- Certificate Information
- Public Key
After inserting a certificate identity, you can use it in any capacity that requires PIV authentication. Below are some common examples:
These videos use earlier builds of Smart Card Utility, but still effectively demonstrate the process of using Safari with certificates inserted via Smart Card Utility.
After inserting a certificate, you can use it for PIV authentication on websites in Safari, similar to how you would on a desktop.
With your smart card/smart card reader inserted, the website you attempt to use PIV authentication with will prompt you for a PIN. Enter your PIN as you normally would and authentication should occur as normal. View the above video for an example of how to use a PIV smart card in Safari on iOS/iPadOS. Note: your Bluetooth reader may power off for security purposes, though it is easily turned on again. See Bluetooth Setup for details.
Viewing Inserted Root Certificates
Within the built-in Settings app, inserted certificates also provide additional functionality.
If you’ve inserted an intermediate and/or root certificate to trust certificates inserted via Smart Card Utility, you can easily view those installed certificates. To view, go to General → VPN & Device Management:
Those on iOS/iPadOS 14, go to General → Profile and Device Management:
On iOS/iPadOS 15, below “VPN”, you will see any Certificates that are used for authentication, separated by category if applicable:
In iOS/iPadOS 14, you’ll see the Certificates alone in Profile & Device Management, separated by category if applicable:
VPN Configurations can also be made with the help of stored certificates, including those Inserted via Smart Card Utility.
To set up a VPN in Settings on iOS/iPadOS 15 or later, go to General → VPN & Device Management → VPN → Add VPN Configuration:
Tapping “Add VPN Configuration” will redirect you to the VPN Setup screen:
On iOS/iPadOS 14, VPN and Device Management Settings are in separate sections of General Settings. Go to General → VPN → Add VPN Configuration:
Set up your VPN as you would in any other instance on iOS/iPadOS (contact your administrator for more information on setting up a VPN). Within the “Add VPN Configuration” menu, change your User Authentication option to “Certificate”. Return to the Add VPN Configuration Menu, select the new “Certificate” option below “User Authentication” in the AUTHENTICATION section, and choose your previously inserted certificate from the list shown. Below is an example:
Select the certificate from the list that you’d like to use. It may be that there’s only one certificate, your inserted certificate, on the list. In this case there are two: we’ll use “TCS PIV Auth” and not “Test Certificate”:
If you do not see your certificate in your list, it may be that the certificate was not inserted properly. Try insertion again by removing your identities, going through the Scan process again, and inserting your desired certificate identities.
You may also have to browse through a list of available certificates to find the one you wish to use. To help distinguish between certificates during selection, Apple includes the Issuer and the Expiration Date of the certificate alongside the name. If your listed certificates use duplicate or similar names, view Certificate Details to match the Issuer and Expiration Date of the certificate you wish to use to your certificate on this list.
If you return to the VPN Setup screen by tapping “Back” in the top left of the Certificate selection, you should see your Certificate selected under AUTHENTICATION:
To change your certificate during VPN Setup, click on Certificate again and repeat the steps above. Continue setting up your VPN as normal.
If you’d like to set up a WPA2 Enterprise or WPA3 Enterprise network connection on your iOS/iPadOS device, you may also do so with the use of an installed certificate, including those Inserted with Smart Card Utility.
On your iOS/iPadOS device, go to Settings → Wi-Fi → Other Networks → Other… to go to the “Other Network” screen in Settings. You may have to scroll down past your current connection, “MY NETWORKS” and “PUBLIC NETWORKS”, to reach this option, which is at the bottom of the “OTHER NETWORKS” section.
Then, select the desired encryption type in Security (WPA2 Enterprise or WPA3 Enterprise). Change the Mode at the bottom from “Automatic” to “EAP-TLS”. “Identity” should appear under the “Username” field; tap “Identity” and select your inserted identity for use. Below is an example:
Select the identity from the list that you’d like to use. All considerations from the Certificate list in VPN Setup apply here as well.
While using Smart Card Utility and other apps, you should see notifications appear at the top of the screen, such as this one:
While using other apps on your iOS or iPadOS device to authenticate with certificates, Smart Card Utility will send Notifications to keep you updated on Token Status. This may include whether the reader may have powered off, as shown above, or if Authentication was successful for a particular certificate.
As there is no unified interface that allows for Smart Card Utility to communicate Token Status while outside the app, save for Notifications, it’s important to make sure you turn Notifications on when setting up Smart Card Utility and leave them on throughout your use of Smart Card Utility. See the Notifications section of the Setup portion of this guide for more information.
For those who wish to see a Full Example Walkthrough, below is a demonstration video created on an earlier build of Smart Card Utility, though most instructions still apply to current builds:
For customers who would like to see an updated walkthrough of testing, you can do so by watching the Test portion of the Smart Card Utility Reader Setup video:
Appearance & OS
This guide uses screenshots of Smart Card Utility on iPadOS 14 and 15, with Landscape Orientation and Light Mode enabled. However, Smart Card Utility also allows for the flexibility of customizing your experience in the following ways:
iOS and iPadOS
While this guide uses iPadOS Screenshots, users are able to accomplish all functions shown just as well on iOS. Below are some examples of the more compact interface we’ve created for iOS:
As shown in the iOS screenshots, you are able to use Smart Card Utility in either Portrait or Landscape Mode. All functions are available in either orientation, and you’re able to use orientation lock as you normally would on your device. Visit Apple’s help pages on Rotation in iOS and iPadOS for more information on how to rotate on your device.
For use at all times of day and for all viewing experiences, we’ve also included support for Dark Mode in Smart Card Utility. Turn on Dark Mode as you normally would, either in Settings or Control Center (available by swiping down at the top-right of your iOS or iPadOS device’s screen); Smart Card Utility will automatically match your device’s Settings in-app, no setup required. Visit Apple’s support page to learn more about using Dark Mode.
We know that using smart cards can be tricky sometimes; that’s why we made Smart Card Utility to make use a bit easier. While we hope you don’t run into any problems with our software, we are here to help if you do!
Below you’ll find some resources that will be useful if you run into any issues when using Smart Card Utility:
To troubleshoot Twocanoes third-party smart card readers, including Bluetooth Issues, please see our article on using FEITIAN-based readers with Smart Card Utility.
For troubleshooting software, please see the issues below. This page will be updated with troubleshooting guidance upon new releases of Smart Card Utility if necessary.
If authentication with your certificate is unsuccessful, try the following steps:
- Verify you have the required certificates installed
  - For US Government/Department of Defense customers, install the root and intermediate certificates by following the instructions on the Installing Intermediate Certificates page
- Toggle Bluetooth on and off on the iOS device
- Verify the reader is on when the PIN prompt is showing
- Click on “Test” and verify that the inserted certificates are seen by iOS. To do so:
  - Navigate to Settings→General→VPN and Device Management→VPN→Add VPN Configuration
  - Change User Authentication to “Certificate” and verify your smart card certificate is shown
  - Note: you can verify that your certificate appears via the VPN menu, but a VPN does not need to be set up
- Try rebooting your device.
- If the certificates are not shown, enable logging in Smart Card Utility settings, then tap “Log” after use to identify the issue. To resolve the issue, you may either:
  - View the log on your own, or
  - Share this log with email@example.com
- Open Console on a Mac and click on the iOS device to show the logs.
  - Use “subsystem:com.twocanoes.logger” as a filter, shown in the screenshot below:
Identifying Certificates as Trusted or Untrusted
In certain cases, your certificate may need to be trusted for authentication.
If attempting to accurately view which certificates are trusted immediately after installing an intermediate and/or root certificate, it’s best to:
- Refresh the Main Interface by pulling down (if examining inserted certificates), or
- Re-Scan your smart card (to view which certificates are trusted if not yet inserted)
Free Trial Troubleshooting
If running into issues with your free trial length, make sure your time is set to “Automatic” in your Settings app.
While this User Guide is updated regularly, we frequently add articles about all our products to the Twocanoes Knowledge Base to guide users through specific concerns. Visit our Knowledge Base page or the Smart Card Utility Category for specific help.
All customers who purchase Smart Card Utility Bluetooth, Smart Card Utility USB-C, or Smart Card Utility Lightning receive a 90-Day Support Package; use the information in your purchase email to access both email and phone support. Additionally, customers can purchase additional Assessment Support to help assess the needs of their organization. If you’d like to inquire further about what Assessment Support includes, or would like to contact us for Support Inquiries as part of your Support Plan, please contact us. If you are interested in purchasing support for yourself or for your organization, you may also contact us for information on support plans. For information on quotes, please visit our quotes page.