Using Attestation


This feature is only available in YubiKey 4.3 and newer.

A high-level description of the thinking behind attestation and how it can be used can be found at


Attestation works through a special key slot called “f9”. This slot comes pre-loaded from the factory with a key and certificate signed by Yubico, but it can be overwritten. After a key has been generated in a normal slot, it can be attested by this special key using the yubico-piv-tool action attest:

yubico-piv-tool --action=generate --slot=9a
yubico-piv-tool --action=attest --slot=9a

The output is a PEM-encoded certificate (the attestation statement), signed by the key in slot f9.


To verify an attestation, the first step is to build the certificate chain. Put the attestation root certificate in a file (or, if you trust several roots, put all of them in that file). The Yubico root certificate can be found at

Then append the YubiKey’s attestation certificate (the certificate in slot f9) to that file:

yubico-piv-tool --action=read-certificate --slot=f9 >> certs.pem

Now we’re ready to verify the attestation:

yubico-piv-tool --action=attest --slot=9a > attestation.pem
openssl verify -CAfile certs.pem attestation.pem
attestation.pem: OK

The above OpenSSL command doesn’t work with OpenSSL 1.1.0 and newer when verifying a YubiKey 4. To verify certificate chains for such devices, see PIV Attestation Verification Fails with OpenSSL 1.1.0.
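The following script is an added example, not part of this page or of yubico-piv-tool. It rehearses the verification flow described above (trusted root, slot f9 certificate, `openssl verify` on the attestation statement) on a certificate chain that the script constructs with openssl, so it runs without a YubiKey. The file names root.pem, f9.pem and attest.pem are the script’s own placeholders; with a device present they would be the published Yubico root, the output of `yubico-piv-tool --action=read-certificate --slot=f9`, and the output of `yubico-piv-tool --action=attest --slot=9a`. It differs from the page in one respect: the f9 certificate is passed to `openssl verify` as `-untrusted` rather than appended to the CA file, because slot f9 can be overwritten and so should only be trusted if it chains to the root. A second, self-made chain shows how a statement from a replaced f9 key is rejected.

```shell
#!/bin/sh
# Added example (not from the Yubico page): verify a PIV attestation
# statement against a root, treating the slot f9 certificate as an
# untrusted intermediate. All certificates are constructed here with openssl.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Issue one certificate: $1 = output dir, $2 = name, $3 = issuer name
# ("self" for a self-signed root), $4 = extension file.
issue_cert() {
    dir=$1; name=$2; issuer=$3; ext=$4
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/$name.key" \
        -out "$dir/$name.csr" -subj "/CN=Constructed $name" >/dev/null 2>&1
    if [ "$issuer" = self ]; then
        openssl x509 -req -in "$dir/$name.csr" -signkey "$dir/$name.key" \
            -days 3650 -extfile "$ext" -out "$dir/$name.pem" >/dev/null 2>&1
    else
        openssl x509 -req -in "$dir/$name.csr" -CA "$dir/$issuer.pem" \
            -CAkey "$dir/$issuer.key" -CAcreateserial -days 3650 \
            -extfile "$ext" -out "$dir/$name.pem" >/dev/null 2>&1
    fi
}

# Build a constructed chain with the same shape as the real one:
#   root   -> stands in for Yubico's attestation root
#   f9     -> stands in for the certificate read from slot f9
#   attest -> stands in for the attestation statement for slot 9a
# plus rogue_root/rogue_f9/rogue_attest: a separate self-made chain, i.e.
# what an overwritten f9 slot produces.
build_chain() {
    dir=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$dir/ca.ext"
    printf 'basicConstraints=critical,CA:FALSE\n' > "$dir/leaf.ext"
    issue_cert "$dir" root self "$dir/ca.ext"
    issue_cert "$dir" f9 root "$dir/ca.ext"
    issue_cert "$dir" attest f9 "$dir/leaf.ext"
    issue_cert "$dir" rogue_root self "$dir/ca.ext"
    issue_cert "$dir" rogue_f9 rogue_root "$dir/ca.ext"
    issue_cert "$dir" rogue_attest rogue_f9 "$dir/leaf.ext"
}

# Verify an attestation statement.
#   $1 = file with the trusted root(s) only
#   $2 = slot f9 certificate, supplied as an untrusted intermediate
#   $3 = attestation statement (PEM) for the attested slot
# Returns 0 only if $3 is signed by $2 and $2 chains to a root in $1.
verify_attestation() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

build_chain "$WORK"
if verify_attestation "$WORK/root.pem" "$WORK/f9.pem" "$WORK/attest.pem"; then
    echo "attest.pem: OK (chains to the trusted root via the f9 certificate)"
fi
if ! verify_attestation "$WORK/root.pem" "$WORK/rogue_f9.pem" "$WORK/rogue_attest.pem"; then
    echo "rogue_attest.pem: rejected (its f9 certificate is not signed by the trusted root)"
fi
```

Keeping the root alone in the `-CAfile` and handing the f9 certificate over as `-untrusted` is the check that matters: a statement signed by a key someone loaded into slot f9 themselves verifies perfectly against that f9 certificate, and is only caught because the f9 certificate itself fails to chain to the Yubico root.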