Asymmetric keys in the YubiHSM can be attested by another Asymmetric key. The attestation process creates a new x509 certificate for the attested key.
The device comes pre-loaded with an attestation key and certificate referenced by ID 0. It is possible to use your own key and certificate for attestation, these then have to have the same ID and the key has to have the sign-attestation-certificate Capability set.
Public key will be copied from the attested key
Serial will be a random 16 byte integer
Issuer will be the subject of the attesting certificate
Dates will be copied from the attesting certificate
Subject will be the string "YubiHSM Attestation id 0x" with the attested ID appended
If the attesting key is RSA the signature will be SHA256-PKCS#1v1.5
If the attesting key is EC the signature will be ECDSA-SHA256
Some certificate extensions are added in the generated certificate and the pre-loaded certificate:
| OID | Description | Data type |
|---|---|---|
1.3.6.1.4.1.41482.4.1 |
Firmware version |
Octet String |
1.3.6.1.4.1.41482.4.2 |
Serial number |
Integer |
1.3.6.1.4.1.41482.4.3 |
Origin |
Bit String |
1.3.6.1.4.1.41482.4.4 |
Bit String |
|
1.3.6.1.4.1.41482.4.5 |
Bit String |
|
1.3.6.1.4.1.41482.4.6 |
Integer |
|
1.3.6.1.4.1.41482.4.9 |
Utf8String |
The pre-loaded certificate can be fetched as an opaque object with ID 0. This will in turn be signed by an intermediate CA which is signed by a Yubico root CA.