A Flutter plugin for Windows and macOS desktop applications that enables adding X.509 certificates to the local certificate store. This plugin provides a simple and efficient way to manage certificates in desktop environments.
- Add certificates to the Windows certificate store and macOS Keychain
- Support for multiple store locations (ROOT, MY) on Windows
- Various certificate addition types:
- Add new certificates only
- Add newer versions of certificates
- Replace existing certificates
- Comprehensive error handling with descriptive error codes
- Automatic PEM/DER format detection and conversion
| macOS | Windows | Linux |
|---|---|---|
| ✅ | ✅ | 🔜 |
Linux support coming soon!
dependencies:
x509_cert_store: ^1.1.1Or run:
flutter pub add x509_cert_store
To use this plugin on macOS, you need to add the Keychain access entitlement to your app:
- Add the following to your
macos/Runner/DebugProfile.entitlementsandmacos/Runner/Release.entitlementsfiles:
<key>com.apple.security.keychain</key>
<true/>- If you are creating a new macOS app, make sure to enable the App Sandbox as well:
<key>com.apple.security.app-sandbox</key>
<true/>No additional setup is required for Windows.
import 'package:x509_cert_store/x509_cert_store.dart';
// Create an instance of the plugin
final x509CertStore = X509CertStore();
// Sample certificate in base64 format
const String certificateBase64 = "MIIDKjCCAhKgAwIBAgIQFSHum2++9bhOXjAo4Z7...";
// Add a certificate to the ROOT store
try {
final result = await x509CertStore.addCertificate(
storeName: X509StoreName.root,
certificateBase64: certificateBase64,
addType: X509AddType.addNew,
);
if (result.isOk) {
print("Certificate added successfully");
} else {
print("Failed to add certificate: ${result.msg}");
// Check for specific error conditions
if (result.hasError(X509ErrorCode.alreadyExist)) {
print("Certificate already exists in the store");
} else if (result.hasError(X509ErrorCode.canceled)) {
print("User canceled the certificate installation");
}
}
} catch (e) {
print("An error occurred: $e");
}The main class for interacting with the certificate store.
Future<X509ResValue> addCertificate({required X509StoreName storeName, required String certificateBase64, required X509AddType addType})
Adds a certificate to the specified certificate store.
Specifies the certificate store location.
root- The trusted root certification authorities storemy- The personal certificate store
Specifies how to handle the certificate addition.
addNew- Add only if the certificate doesn't existaddNewer- Add only if the certificate is newer than an existing oneaddReplaceExisting- Replace any existing certificate
Common error codes that might be returned.
canceled- The user canceled the operationalreadyExist- The certificate already exists in the storeunknown- An unknown error occurred
On macOS, certificates are added to the user's login Keychain regardless of the X509StoreName value provided. The storeName parameter is effectively ignored on macOS since macOS uses a different certificate management system than Windows. Key points for macOS:
- All certificates are added to the login Keychain by default
- The user may be prompted to enter their password to allow the application to modify the Keychain
- Certificate storage location cannot be specified like in Windows (ROOT/MY distinction doesn't apply)
- Error codes may differ between platforms, but the plugin normalizes them for consistent error handling
On Windows, certificates are added to the Windows Certificate Store according to the X509StoreName value specified:
X509StoreName.rootadds to the Trusted Root Certification Authorities storeX509StoreName.myadds to the Personal Certificate store- Depending on the certificate and store location, users may see a security prompt asking for confirmation
- Administrator privileges may be required for adding certificates to certain stores
Check the /example folder for a complete implementation demonstrating:
- Adding certificates with different addition types
- Proper error handling
- Creating certificate files from base64 strings
- Platform-specific configurations
If you're contributing to this plugin or integrating it into your application, note that:
- For macOS, the plugin requires Keychain access, which is enabled through entitlements
- For Windows, the plugin uses the Windows CryptoAPI
MIT
Contributions are welcome! If you encounter any issues or have feature requests, please file them in the issue tracker.