HID ActivClient CryptoTokenKit

HID ActivClient CryptoTokenKit (CTK) is a middleware solution providing access to the Public Key Infrastructure (PKI) functionalities of smart cards and security keys on macOS. PKI is a framework that enables secure, electronic identities through the use of public key cryptography, including the creation, distribution, and management of digital certificates.

ActivClient CTK extends the standard Apple CryptoTokenKit functionality by adding support for smart cards and keys supported by ActivClient, including support for non-PIV (General-Purpose) slots. Personal Identity Verification (PIV) is a United States federal standard for secure and reliable forms of identification issued by the government to federal employees and contractors. See https://csrc.nist.gov/projects/piv/piv-standards-and-supporting-documentation for more information.

ActivClient CTK is installed as part of the ActivClient setup.

How It Works

When you insert a supported smart card or key, ActivClient CTK exposes its cryptographic content, making it available for use alongside items stored in the Keychain. When a service (such as VPN, email signing, or Safari authentication) requests authentication, the system displays a list of available credentials, allowing you to select the certificate or key to use.

Advanced Smart Card Options

ActivClient CTK also enables you to interact with smart cards and keys via the command line. The following sections list the most commonly used commands for working with smart card capabilities:

Signing In Using a Token

For a more detailed description of the commands listed below, see Signing In Using a Token.

 

To manually pair a smart card with a macOS user account:

sudo sc_auth pair -h <HASH> -u <USER>

 

To retrieve the hash value of a certificate stored on a token:

sc_auth identities

 

To confirm that the token is paired with the user:

sc_auth list

 

To unpair a specific certificate from macOS login:

sudo sc_auth unpair -h <HASH>

 

To remove all pairing for a single user:

sudo sc_auth unpair -u <USER>

 

To disable the UI for token pairing:

sc_auth pairing_ui -s disable

 

To re-enable the UI for token pairing:

sc_auth pairing_ui -s enable
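
The pairing steps in this section (read the hash with sc_auth identities, pair it, then confirm with sc_auth list) combined into one guarded shell function, as an added example that is not HID's or Apple's code. It assumes that sc_auth identities prints an "Unpaired identities:" heading followed by lines that start with a 40-character hex hash, and that it is run as the user being paired so that sc_auth list reports that user's pairings; pair_token and unpaired_hashes are hypothetical names.

```shell
#!/bin/sh
# Added example. Assumed layout of `sc_auth identities` output:
#   Unpaired identities:
#   <40-hex-hash><whitespace><certificate name>

# Read `sc_auth identities` output on stdin and print only the hashes
# listed under "Unpaired identities:".
unpaired_hashes() {
    awk '
        /^Unpaired identities:/ { want = 1; next }
        /:$/ || /^SmartCard:/   { want = 0; next }
        want && length($1) == 40 && $1 !~ /[^0-9A-Fa-f]/ { print $1 }
    '
}

# Pair USER with the inserted token, but only when exactly one unpaired
# identity is present, so the wrong certificate is never bound to a login.
pair_token() {
    user=$1
    [ -n "$user" ] || { echo "usage: pair_token <USER>" >&2; return 2; }

    hashes=$(sc_auth identities | unpaired_hashes)
    count=$(printf '%s\n' "$hashes" | grep -c . || true)
    if [ "$count" -ne 1 ]; then
        echo "expected 1 unpaired identity, found $count; pair manually" >&2
        return 1
    fi

    sudo sc_auth pair -h "$hashes" -u "$user" || return 1

    # Confirm the pairing is recorded before reporting success.
    if sc_auth list | grep -qi "$hashes"; then
        echo "$hashes"
    else
        echo "pairing for $hashes is not listed" >&2
        return 1
    fi
}

# Usage on macOS, with the token inserted: pair_token <USER>
```

When more than one unpaired identity is present, the function stops without pairing; choose the hash by hand and use the sc_auth pair command shown above.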

 

Viewing Card and Certificate Information

For a more detailed description of the commands listed below, see Viewing Card and Certificate Information.

 

To view available tokens:

sudo security list-smartcards

 

To view available certificates:

system_profiler SPSmartCardsDataType

 

Managing Smart Card Token Modules

For a more detailed description of the commands listed below, see Managing Smart Card Token Modules.

 

To check which smart card token modules are installed:

pluginkit -m -p com.apple.ctk-tokens

 

To disable a specific smart card token module:

sudo security smartcards token -d <token>

 

To enable a specific smart card token module:

sudo security smartcards token -e <token>

 

To check which smart card token modules are disabled:

sudo security smartcards token -l

 

Tip! For a comprehensive list of available commands, refer to Apple's support page on advanced smart card options.