When generating attestation certificates for keys, the YubiHSM will include OIDs listing specific information regarding the attested key.


Asymmetric keys in the YubiHSM can be attested by another Asymmetric key. The attestation process creates a new x509 certificate for the attested key.

The device comes pre-loaded with an attestation key and certificate referenced by ID 0. It is possible to use your own key and certificate for attestation, these then have to have the same ID and the key has to have the sign-attestation-certificate Capability set.


  • Public key is copied from the attested key
  • Serial is a random 16 byte integer
  • Issuer is the subject of the attesting certificate
  • Dates is copied from the attesting certificate
  • Subject is the string “YubiHSM Attestation id 0x” with the attested ID appended
  • If the attesting key is RSA the signature is SHA256-PKCS#1v1.5
  • If the attesting key is EC the signature is ECDSA-SHA256

Certificate Extensions

Some certificate extensions are added in the generated certificate and the pre-loaded certificate:

OID Description Data Type Firmware version Octet String Serial number Integer Origin Bit String Domains Bit String Capabilties Bit String Object ID Integer Label Utf8String


Pre-loaded certificates

The pre-loaded certificate can be fetched as an opaque object with ID 0. This will in turn be signed by an intermediate CA which is signed by a Yubico root CA.

Sample OID with Product Type