This document describes the attestation feature added to the PIV module in YubiKey 4.3. For actual commands to work with the attestation feature, please see the yubico-piv-tool documentation.
The concept of attestation is used to show that a certain asymmetric key has been generated on device and not imported. Typically this would be used before creating a certificate.
Attestation is implemented by creating a X.509 certificate for the key that is to be attested, this is only done if the key has been generated on device. This certificate should only be used for the purpose of verifying that the key was generated in device, not for any other purposes.
Some features of the generated certificate:
Serial will be a random 16 byte integer
Issuer will be the subject of the attesting certificate
Dates will be copied from the attesting certificate
Subject will be the string "YubiKey PIV Attestation " with the attested slot appended
If the attesting key is RSA the signature will be SHA256-PKCS#1v1.5
If the attesting key is EC the signature will be ECDSA-SHA256
Extensions in the generated certificate:
18.104.22.168.4.1.41482.3.3: Firmware version, encoded as 3 bytes, like: 040300 for 4.3.0
22.214.171.124.4.1.41482.3.7: Serial number of the YubiKey, encoded as an integer.
126.96.36.199.4.1.41482.3.8: Two bytes, the first encoding pin policy and the second touch policy
Pin policy: 01 - never, 02 - once per session, 03 - always
Touch policy: 01 - never, 02 - always, 03 - cached for 15s
188.8.131.52.4.1.41482.3.9: Formfactor, encoded as one byte
USB-A Keychain: 01
USB-A Nano: 02
USB-C Keychain: 03
USB-C Nano: 04
The YubiKey comes with a pre-loaded attestation certificate signed by a Yubico CA this can be overwritten by loading a new key and certificate to slot f9. After the Yubico key is overwritten it can not be brought back. The attestation key and certificate will not be cleared out by a reset of the device.
The root cert for the Yubico CA was updated on September 24, 2018. The prior PEM can be found here.
For more information on support added to the current root certificate, see PIV Attestation Verification Fails with OpenSSL 1.1.0.