Smart Card Utility for iOS & iPadOS User Guide
Note: If you received your Twocanoes Store purchase and are looking for the Quick Hardware Setup Guide, visit the Quick Start Guide.
Overview
Smart Card Utility is an application that allows you to use and manage smart cards on your iOS and iPadOS devices. The Smart Card Utility Wireless Mobile, Bluetooth, Lightning, and USB-C readers work by importing the certificates from an inserted smart card and making them available to any application that requests them. For 3rd party readers, the certificates are automatically inserted.
These inserted certificates can be used by built-in applications such as Safari and Mail, as well as your device’s VPN and wireless functions. If using tokens is enabled in a third-party app, certificates are also usable there. When an app selects a certificate for authentication, the extension talks to the smart card reader to perform the authentication; the app then authenticates transparently to the reader.
Why Smart Card Utility for iOS and iPadOS?
We believe a smart card’s security shouldn’t compromise convenience and functionality. For this reason, we created Smart Card Utility for macOS in 2018, augmenting the use of and providing easier access to smart cards within macOS.
Smart Card Utility for iOS and iPadOS not only adds smart card authentication support for Bluetooth and other readers but also brings over some functionality from our macOS utility alongside features specific to iOS and iPadOS. Along with the benefits of portability these mobile devices bring, Smart Card Utility allows iOS and iPadOS devices to support smart cards in an easy-to-use, intuitive way.
Requirements
iOS/iPadOS Device
To run the current version of Smart Card Utility for iOS, you’ll need:
- An iPhone or iPad that supports iOS 14 or later.
Smart Card Hardware
Smart Card Utility also requires compatible hardware for full functionality, namely, a smart card and a smart card reader. This includes:
- One of the following compatible smart cards:
  - Any PIV-compatible smart card
  - A PIV-Transitional (CAC) Card. Tested on:
    - Giesecke & Devrient Sm@rtCafe Expert v7.0 (G+D FIPS 201 SCE 7.0)
—and—
- One of the following compatible smart card readers:
  - A Smart Card Utility Wireless Mobile, Bluetooth, Lightning, or USB-C Reader from Twocanoes Software
  - Third-party reader that supports CCID
For more information, see Using Compatible Devices below.
Using Compatible Devices
Whether you purchase a smart card reader from Twocanoes or a third party, knowing how to use your compatible devices with Smart Card Utility is important. Below are some instructions on how to use all smart card readers compatible with our software.
Twocanoes Store Purchases
Twocanoes offers four readers: two Bluetooth readers and two readers that use a direct connection. All of them come with the Smart Card Utility app.
The Bluetooth readers are the Wireless Mobile Reader and the Bluetooth Smart Card Reader. The Wireless Mobile reader is TAA compliant and on the GSA price list. You can compare the readers here.
The Lightning Reader and USB-C Reader both use a direct connection for authentication.
Visit the Twocanoes Store to purchase a Smart Card Utility reader from us.
Smart Card Utility Wireless Mobile Reader:
Smart Card Utility Bluetooth Reader:
Smart Card Utility USB-C Reader:
Smart Card Utility Lightning Reader:
Setup for use with Smart Card Utility
Plug-in (Lightning or USB-C Devices)
Plug the smart card reader directly into your iOS or iPadOS device utilizing the port and verify that your smart card reader and your iOS/iPadOS are able to connect.
Bluetooth
Smart Card Utility Wireless Mobile and Smart Card Utility Bluetooth are wireless Bluetooth readers. To use a Bluetooth reader on your iOS or iPadOS device, enable Bluetooth on your iPhone or iPad before using Smart Card Utility.
To turn on the reader, simply press the button on the reader and wait for the indicator light. To turn off the reader, press and hold the same button. You may need to turn your reader on again throughout using Smart Card Utility, as the reader automatically turns off for security purposes and to save battery when not in use. Simply press the power button again, and your reader should connect to your device. If you have any trouble, see the Troubleshooting section.
Smart Card Utility Wireless Mobile: The blue light (first on the left with the power button on top) indicates power and the reader’s connection status. The green light (second from the left) indicates if the smart card is inserted. When the blue light is flashing, the Bluetooth reader is searching for action. When the reader connects and starts authentication, the yellow indicator light (second from the right) will start flashing, and the blue light will turn solid.
Smart Card Utility Bluetooth: The green indicator light (second from the left) indicates power, while the blue light (third from the left) indicates a Bluetooth connection. When the blue light flashes, the Bluetooth reader searches for action, and when the reader connects, the green indicator light flashes, and the contents of the inserted smart card are accessed.
App
Smart Card Utility is free to download from the Apple App Store, and no additional payment is required for any features if you purchase a Twocanoes Smart Card Reader. However, using a third-party CAC reader requires an in-app subscription purchase. Third-party readers can use all the features with the 14-day trial. After the trial ends, you’ll still be able to view the Main Interface, but you cannot read certificates from Smart Card Utility.
Initial Setup
Open Smart Card Utility and follow the onscreen prompts. Once complete, you can set up your reader.
Notifications
When first setting up Smart Card Utility, you may see a prompt like this:
In order to maintain communication about the status of your reader or certificate authorizations as you use other apps, Smart Card Utility utilizes Notifications to send important status updates about Token Status. So that Smart Card Utility can send these status updates, please turn on Notifications when first opening up the app; also, please keep them on throughout your use to ensure proper function.
If you select “Don’t Allow” by mistake, you can always go to Settings → Notifications → Smart Card Utility → Allow Notifications to turn them on:
Opening Prompts
When first opening Smart Card Utility, you’ll see the following opening prompts:
In addition to basic information about our application, you can access the Twocanoes Store to see purchasing options for Smart Card Utility hardware. Do so by tapping “Get Reader” in the top-right. Swipe through the first two pages and then select “Let’s Go!” at the bottom of the last prompt.
You can view these prompts again at any time: select “Reset All Settings” in Settings (gear in the lower right corner) and force quit the Smart Card Utility app. When you open the app again, the opening prompts will restart. See the Settings section for more information.
Main Interface
After reading the Opening Prompts, and allowing Notifications, you will see the Main Interface.
Each element of the interface above is listed below:
- (i) Button: This button opens the quick start guide and video to get started.
- Shopping Cart: The shopping cart icon in the lower left corner opens the Twocanoes Store to purchase our hardware readers.
- Gear: The gear in the lower right opens the Settings view of the app. Then tap “Show Log” to view the scan log for the app. In order to view and populate the log, you must first enable logging.
- Test: The Test button redirects to the Smart Card Utility Test Links website. This will take you to a page with a Twocanoes Test page as well as commonly used websites and the DoD profile link.
- Add Bluetooth or Other Readers: This section displays any connected readers and allows you to connect and insert certificates. Users can also verify or change PIN.
- Certificates Available to iOS: This section displays any certificates inserted into iOS. This can be from Smart Card Utility readers, third-party readers, or apps. Any inserted certificates can be deleted by swiping left. After the last certificate for a reader is removed, the reader is removed from the “Connected and Added Readers” section. You cannot remove certificates that have been automatically inserted by plugging in a wired reader, such as many third-party readers.
- Settings: Settings will take you to the Smart Card Utility settings menu. You can toggle options like logging, restoring purchases, and disabling push messages there.
Reading Certificates from the Smart Card Utility Wireless Mobile, Bluetooth, Lightning, or USB-C Reader from Twocanoes Software
To use the Wireless Mobile, Bluetooth, Lightning, or USB-C reader from Twocanoes, you read only the certificate you want to use. We recommend only inserting the 9A: PIV Authentication Certificate as this is the one used for web authentication.
Full instructions on scanning are available in the Scan section of the User Guide, but this Quick Setup guide will provide condensed instructions for scanning so you can start using Smart Card Utility right away:
1. Reader & Card
For Bluetooth readers, turn on your Wireless Mobile or Bluetooth reader, insert your smart card, and stay in the Smart Card Utility app. The Bluetooth connection is done in the Smart Card Utility App, not in Apple Settings.
Plug Lightning or USB-C readers into your device’s connector and insert your smart card.
2. Connect to Reader
After the reader is on and the smart card is inserted, select “Add Bluetooth or Other Reader…”. A sheet with a list of available readers for connection will appear. Then, select the type of reader from the list shown. If the reader does not appear, try pulling down on the Connect to Reader window to refresh.
The Wireless Mobile reader displays the serial number on the back, and the Bluetooth reader uses the Bluetooth ID starting with FT on the back. When connected, both the Lightning and USB-C readers appear as iR301.
3. Start your Scan & View Certificates
Once the reader is selected, reading and scanning the smart card certificates will begin.
If you have PIN pairing, you will be prompted for the PIN on the back of your reader before you can read the certificates.
After scanning and reading, a “Certificates” screen will display all of your available certificates. It is recommended that you only select the 9A: PIV Authentication certificate since this is the certificate that is used for authentication in Safari.
After you tap Insert, a success message should pop up.
Trusted Certificates
To access certain Department of Defense (DoD) websites, digital certificates must be installed on iOS. To make this process easier, we provide a configuration profile that contains common certificates required for accessing DoD websites. The profile must be updated periodically to have the most recent certificates available.
Once you’ve downloaded the intermediate and root certificates, go to Apple Settings and tap “Profile Downloaded” or go to Settings > General > VPN & Device Management.
Follow the instructions to install the profile and certificates. Tap “Install” in the top right corner:
Take note of warnings and contact your administrator to ensure that your intermediate and/or root certificates are not expired. Tap “Install” in the top right again, then tap the “Install” option in the Install Profile prompt:
Refer to Apple’s documentation if you need more support after receiving the intermediate and/or root certificates to install.
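Before installing a profile that adds trusted root and intermediate certificates, an administrator can check what it actually contains. The following is an added example, not Twocanoes or Apple code: it lists the certificate payloads in an unsigned configuration profile, fingerprints them, and flags any certificate that is not on a pinned list or any payload that is not a certificate. The pinned fingerprints are assumed to come from your administrator through a separate channel, and the sample profile and its certificate bytes are constructed placeholders.

```python
import hashlib
import plistlib
import ssl

# Apple configuration-profile payload types that carry certificates.
CERT_PAYLOAD_TYPES = {
    "com.apple.security.root",   # root CA certificate
    "com.apple.security.pkcs1",  # intermediate or other DER certificate
    "com.apple.security.pem",    # PEM-encoded certificate
}

# Constructed placeholder bytes standing in for real DER certificates.
SAMPLE_ROOT = b"constructed-root-ca-der"
SAMPLE_INTERMEDIATE = b"constructed-intermediate-ca-der"


def _to_der(content: bytes) -> bytes:
    """Normalise PEM payloads to DER so fingerprints are comparable."""
    text = content.strip()
    if text.startswith(b"-----BEGIN CERTIFICATE-----"):
        return ssl.PEM_cert_to_DER_cert(text.decode("ascii"))
    return content


def audit_profile(profile_bytes: bytes, pinned_sha256: set) -> dict:
    """List certificate fingerprints and flag anything that should block install."""
    try:
        profile = plistlib.loads(profile_bytes)
    except plistlib.InvalidFileException:
        # A CMS-signed profile is not a bare plist; unwrap it before auditing.
        raise ValueError("not a plain plist (signed profile?)") from None
    report = {"certs": [], "unpinned": [], "unexpected_payloads": []}
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType", "")
        name = payload.get("PayloadDisplayName", "?")
        if ptype not in CERT_PAYLOAD_TYPES:
            # A trust-anchor profile should not also configure VPN, MDM, etc.
            report["unexpected_payloads"].append((ptype, name))
            continue
        fp = hashlib.sha256(_to_der(payload["PayloadContent"])).hexdigest()
        report["certs"].append((name, ptype, fp))
        if fp not in pinned_sha256:
            report["unpinned"].append((name, fp))
    return report


def build_sample_profile() -> bytes:
    """Constructed sample: two certificate payloads plus one stray VPN payload."""
    pem = ssl.DER_cert_to_PEM_cert(SAMPLE_INTERMEDIATE).encode("ascii")
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadDisplayName": "Constructed trust profile",
        "PayloadContent": [
            {"PayloadType": "com.apple.security.root",
             "PayloadDisplayName": "Constructed Root", "PayloadContent": SAMPLE_ROOT},
            {"PayloadType": "com.apple.security.pem",
             "PayloadDisplayName": "Constructed Intermediate", "PayloadContent": pem},
            {"PayloadType": "com.apple.vpn.managed",
             "PayloadDisplayName": "Constructed VPN"},
        ],
    })


if __name__ == "__main__":
    pins = {hashlib.sha256(SAMPLE_ROOT).hexdigest()}  # pin only the root
    for key, value in audit_profile(build_sample_profile(), pins).items():
        print(key, value)
```

An empty "unpinned" list and an empty "unexpected_payloads" list are the result to look for before tapping “Install”.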
Emailing Certificates
If you’d like to share a certificate from a scanned smart card either from a scan (as above) or from viewing inserted certificates via the Main Interface, you may do so by tapping “Email Certificates” in the top-right of the “Certificates” screen. Tapping “Email Certificates” when viewing the “Certificates” screen after a scan will create a draft email containing all certificates stored on the card. Alternatively, tapping “Email Certificates” when viewing the “Certificates” screen from the Main Interface will create a draft email that includes only currently inserted certificates. Tap a reader on the Main Interface to view a list of certificates inserted with that reader.
Use the draft email as you would in the Mail app, using a secure email account to send when necessary. Take care to delete any certificates you do not wish to send by highlighting or moving your cursor in front of the file you want to remove, then pressing backspace to delete the file as you would text. If Mail is not set up, you will receive an error when tapping the “Email Certificates” button.
Certificate Details
If you select a certificate from the “Certificates” screen, you can also view its details. These details include:
- Certificate Information
- Subject
- Issuer
- Signature
- Public Key
- Extensions
Using Certificates
After inserting a certificate identity, you can use it in any capacity that requires PIV authentication. Below are some common examples:
Safari
These videos use earlier builds of Smart Card Utility, but still effectively demonstrate the process of using Safari with certificates inserted via Smart Card Utility.
After inserting a certificate, you can use it for PIV authentication on websites in Safari, similar to how you would on a desktop.
With your smart card/smart card reader inserted, the website you attempt to use PIV authentication with will prompt you for a PIN. Enter your PIN as you normally would and authentication should occur as normal. View the above video for an example of how to use a PIV smart card in Safari on iOS/iPadOS. Note: your Bluetooth reader may power off for security purposes, though it is easily turned on again. See Bluetooth Setup for details.
Settings
Viewing Inserted Root Certificates
Within the iOS Settings app, inserted certificates also provide additional functionality.
If you’ve inserted an intermediate and/or root certificate to trust certificates inserted via Smart Card Utility, you can easily view those installed certificates. To view, go to General → VPN & Device Management:
On iOS or iPadOS, go to General → Profile and Device Management:
On iOS or iPadOS, below “VPN,” you will see any certificates that are used for authentication, separated by category if applicable:
In iOS or iPadOS, you’ll see the certificates alone in Profile & Device Management, separated by category if applicable:
VPN Setup
VPN configurations can also be made with the help of stored certificates, including those inserted via Smart Card Utility.
To set up a VPN in Settings on iOS/iPadOS 15 or later, go to General → VPN & Device Management → VPN → Add VPN Configuration:
Tapping “Add VPN Configuration” will redirect you to the VPN Setup screen:
On iOS/iPadOS 14, VPN and Device Management Settings are in separate sections of General Settings. Go to General → VPN → Add VPN Configuration:
Set up your VPN as you would in any other instance on iOS/iPadOS (contact your administrator for more information on setting up a VPN). Within the “Add VPN Configuration” menu, change your “User Authentication” option to “Certificate”. Return to the “Add VPN Configuration” menu, select the new “Certificate” option below “User Authentication” in the AUTHENTICATION section, and choose your previously inserted certificate from the list shown. Below is an example:
Select the certificate from the list that you’d like to use. It may be that there’s only one certificate, your inserted certificate, on the list. In this case there are two: we’ll use “TCS PIV Auth” and not “Test Certificate”:
If you do not see your certificate in your list, it may be that the certificate was not inserted properly. Try insertion again by removing your identities, going through the scan process again, and inserting your desired certificate identities.
You may also have to browse through a list of available certificates to find the one you wish to use. To help distinguish between certificates during selection, Apple includes the “Issuer” and the “Expiration Date” of the certificate alongside the name. If your listed certificates use duplicate or similar names, view Certificate Details to match the “Issuer” and “Expiration Date” of the certificate you wish to use to your certificate on this list.
If you return to the “VPN Setup” screen by tapping “Back” in the top left of the Certificate selection, you should see your certificate selected under AUTHENTICATION:
To change your certificate during VPN Setup, click on “Certificate” again and repeat the steps above. Continue setting up your VPN as normal.
Wi-Fi
If you’d like to set up a WPA2 Enterprise or WPA3 Enterprise network connection on your iOS/iPadOS device, you may also do so with the use of an installed certificate, including those inserted with Smart Card Utility.
On your iOS/iPadOS device, go to Settings → Wi-Fi → Other Networks → Other… to go to the “Other Network” screen in Settings. You may have to scroll down past your current connection, “MY NETWORKS” and “PUBLIC NETWORKS”, to reach this option, which is at the bottom of the “OTHER NETWORKS” section.
Then, select the desired encryption type in Security (WPA2 Enterprise or WPA3 Enterprise). Change the Mode at the bottom from “Automatic” to “EAP-TLS”. “Identity” should appear under the “Username” field; tap “Identity” and select your inserted identity for use. Below is an example:
Select the identity from the list that you’d like to use. All considerations from the Certificate list in VPN Setup apply here as well.
Notifications
While using Smart Card Utility and other apps, you should see notifications appear at the top of the screen, such as this one:
While using other apps or websites, Smart Card Utility can send notifications on the reader’s status and authentication. This may include whether the reader has disconnected or powered off, battery life, or successful authentication.
As there is no unified interface that allows for Smart Card Utility to communicate Token Status while outside the app, save for Notifications, it’s important to make sure you turn Notifications on when setting up Smart Card Utility and leave this on when using the app. See the Notifications section of the Setup portion of this guide for more information.
Example Walkthrough
For those who wish to see a full example walkthrough, below is a demonstration video created on an earlier build of Smart Card Utility, though most instructions still apply to current builds:
For customers who would like to see an updated walkthrough of testing, you can do so by watching the Test portion of the Smart Card Utility Reader Setup video:
Support and Troubleshooting
We know that using smart cards can be tricky sometimes, so we made Smart Card Utility to make it a bit easier. While we hope you don’t run into any problems with our software, we are here to help if you do!
Feel free to email support@twocanoes.com with any questions or issues, or submit a ticket here. Below, you’ll find some resources that will be useful if you run into any problems when using Smart Card Utility.
Knowledge Bases
While this User Guide is updated regularly, we frequently add articles about all our products to the Twocanoes Knowledge Base to guide users through specific concerns. Visit our Knowledge Base page or the Smart Card Utility Category for specific help.
Authentication Issues
If authentication with your certificate is unsuccessful, try the following steps:
- Verify you have the required certificates installed
  - For US Government/Department of Defense customers, install the root and intermediate certificates by following the instructions on the Installing Intermediate Certificates page
- Toggle Bluetooth on and off on the iOS device
- Verify the reader is on when the PIN prompt is showing
- Click on “Test” and verify that the inserted certificates are seen by iOS. To do so:
  - Navigate to Settings → General → VPN and Device Management → VPN → Add VPN Configuration
  - Change User Authentication to “Certificate” and verify your smart card certificate is shown
  - Note: you can verify that your certificate appears via the VPN menu, but a VPN does not need to be set up
- Try resetting your device, software, and Bluetooth settings. You can find a video on Resetting your Smart Card here for Wireless Mobile
- If the certificates are not shown, enable logging in Smart Card Utility settings, then tap “Log” after use to identify the issue. To resolve the issue, you may either:
  - View the log on your own, or
  - Share this log with support@twocanoes.com
- Open Console on a Mac and click on the iOS device to show the logs.
- Use “subsystem:com.twocanoes.logger” as a filter, shown in the screenshot below:
Identifying Certificates as Trusted or Untrusted
In certain cases, your certificate may need to be trusted for authentication.
If attempting to accurately view which certificates are trusted immediately after installing an intermediate and/or root certificate, it’s best to:
- Refresh the Main Interface by pulling down (if examining inserted certificates), or
- Re-scan your smart card (to view which certificates are trusted if not yet inserted)
Free Trial Troubleshooting
If running into issues with your free trial length, make sure your time is set to “Automatic” in the iOS Settings app.
Keep In Touch
Sign up for Smart Card Utility security and product updates.