Asymmetric keys in the YubiHSM can be attested by another asymmetric key. The attestation process creates a new X.509 certificate for the attested key.
The device comes pre-loaded with an attestation key and certificate referenced by ID 0. It is possible to use your own key and certificate for attestation; these must then have the same ID, and the key must have the sign-attestation-certificate Capability set.
The generated certificate has the following properties:
- Serial will be a random 16 byte integer
- Issuer will be the subject of the attesting certificate
- Dates will be copied from the attesting certificate
- Subject will be the string "YubiHSM Attestation id 0x" with the attested ID appended
- If the attesting key is RSA the signature will be SHA256-PKCS#1v1.5
- If the attesting key is EC the signature will be ECDSA-SHA256
Some certificate extensions are added in the generated certificate and the pre-loaded certificate:
| OID | Description | Data type |
|---|---|---|
| 1.3.6.1.4.1.41482.4.1 | Firmware version | Octet String |
| 1.3.6.1.4.1.41482.4.4 | Concept: Domain | Bit String |
| 1.3.6.1.4.1.41482.4.5 | Concept: Capability | Bit String |
| 1.3.6.1.4.1.41482.4.6 | Concept: Object ID | Integer |
The pre-loaded certificate can be fetched as an opaque object with ID 0. This certificate is in turn signed by an intermediate CA, which is signed by a Yubico root CA.
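
Once the signature and chain of an attestation certificate have been validated, a relying party can decode the extensions listed above and cross-check the subject string against the Object ID extension. The following is an added example, not Yubico's code: it assumes the extension values have already been extracted as raw DER bytes keyed by OID and that the ID in the subject is written in hexadecimal; the names `decode_extension`, `check_attested_id` and `SAMPLE` are hypothetical.

```python
import re
ARC = "1.3.6.1.4.1.41482.4."
EXT_TYPES = {  # OID -> (field name, DER tag), per the extension table above
    ARC + "1": ("firmware_version", 0x04),  # OCTET STRING
    ARC + "4": ("domain", 0x03),            # BIT STRING
    ARC + "5": ("capability", 0x03),        # BIT STRING
    ARC + "6": ("object_id", 0x02),         # INTEGER
}
SUBJECT_RE = re.compile(r"YubiHSM Attestation id 0x([0-9a-fA-F]+)")
SAMPLE = {  # constructed values (not from a real device), object ID 0x0123
    ARC + "1": bytes.fromhex("0403" "020400"),
    ARC + "4": bytes.fromhex("0303" "00" "0001"),
    ARC + "5": bytes.fromhex("0309" "00" "0000000000000080"),
    ARC + "6": bytes.fromhex("0202" "0123"),
}

def read_tlv(der):
    """Parse exactly one DER element and return (tag, content bytes)."""
    if len(der) < 2:
        raise ValueError("truncated DER element")
    tag, length, offset = der[0], der[1], 2
    if length & 0x80:  # long form: low 7 bits count the length octets
        n = length & 0x7F
        if n == 0 or len(der) < 2 + n:
            raise ValueError("bad DER length")
        length, offset = int.from_bytes(der[2:2 + n], "big"), 2 + n
    if len(der) != offset + length:
        raise ValueError("DER length does not match data")
    return tag, der[offset:]

def decode_extension(oid, der):
    """Decode one extension value, enforcing the type listed for its OID."""
    name, expected_tag = EXT_TYPES[oid]
    tag, content = read_tlv(der)
    if tag != expected_tag:
        raise ValueError(f"{name}: unexpected DER tag 0x{tag:02x}")
    if tag == 0x02:
        return name, int.from_bytes(content, "big", signed=True)
    if tag == 0x03:
        if not content or content[0] > 7:
            raise ValueError(f"{name}: malformed BIT STRING")
        return name, content[1:]  # drop the unused-bits octet
    return name, content

def check_attested_id(subject, extensions, expected_id):
    """True only if the subject string and Object ID extension name expected_id."""
    fields = dict(decode_extension(o, d) for o, d in extensions.items() if o in EXT_TYPES)
    m = SUBJECT_RE.fullmatch(subject)
    return bool(m) and int(m.group(1), 16) == expected_id == fields.get("object_id")
```

A malformed or mistyped extension raises `ValueError` rather than being skipped, so a certificate whose extensions do not match the documented types is rejected outright.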