Using Attestation

Introduction

This feature is only available in YubiKey 4.3 and newer.

A high level description of the thinking and how this can be used can be found at https://developers.yubico.com/PIV/Introduction/PIV_attestation.html

Usage

Attestation works through a special key slot called “F9” that comes pre-loaded from the factory with a key and certificate signed by Yubico’s root PIV CA.

After a key has been generated in another slot (for example, slot 9a), generate an attestation using the following commands:

yubico-piv-tool --action=generate --slot=9a
...
yubico-piv-tool --action=attest --slot=9a

The output of this command is a PEM encoded certificate, signed by the key in slot F9.

Verifying

To verify an attestation statement, step 1 is to build the certificate chain. An example verification using OpenSSL is shown below. Put the attestation root certificate in a file (TrustedCAcerts.pem in this example). The Yubico root PIV certificate can be found at https://developers.yubico.com/PIV/Introduction/piv-attestation-ca.pem

Then extract the intermediate signing certificate from slot F9 on the YubiKey:

yubico-piv-tool --action=read-certificate --slot=f9 > SlotF9Intermediate.pem

Now we’re ready to verify the attestation:

yubico-piv-tool --action=attest --slot=9a > Slot9Aattestation.pem
openssl verify -CAfile TrustedCAcerts.pem -untrusted SlotF9Intermediate.pem Slot9Aattestation.pem
attestation.pem: OK
Note

While OpenSSL, as demonstrated above, can be used as a method to test the concept of attestation verification, verification in production should be evaluated to ensure proper verifictaion.

Note

The above OpenSSL command doesn’t work with OpenSSL 1.1.0 and newer with YubiKey 4. To verify certificate chains for such devices, see PIV Attestation Verification Fails with OpenSSL 1.1.0.