Create an attestation statement for the private key in the given slot.
public X509Certificate2 CreateAttestationStatement(byte slotNumber)
Parameter slotNumber: The slot containing the key to be attested.
Returns: The resulting attestation statement (a certificate).
Throws if: The slot specified is not valid for creating an attestation statement.
Throws if: The YubiKey is pre-4.3, or there is no YubiKey-generated key in the slot, or the attestation key and cert were replaced with invalid values, or the YubiKey could not complete the task for some reason such as an unreliable connection.
See the User's Manual entry on PIV attestation for more information on attestation statements.
Note that attestation is a feature available on YubiKeys version 4.3 and later.
An attestation statement is an X.509 certificate that certifies a private key was generated by a YubiKey.
It is possible to create attestation statements only for keys generated on a YubiKey, and only for keys in the following slots:
PivSlot.Authentication = 9A
PivSlot.Signing = 9C
PivSlot.KeyManagement = 9D
PivSlot.CardAuthentication = 9E
If the slotNumber argument is for any other slot, or if there is no key in the slot, or if the key in the slot was imported and not generated by the YubiKey, this method will throw an exception.
The key that will sign the attestation statement is the "attestation key" in slot F9. To verify the attestation statement, chain up to the attestation key's cert (see the method GetAttestationCertificate()), which will chain to a root. The YubiKey is manufactured with an attestation key and cert that chain to the Yubico root cert. The User's Manual entry on PIV attestation has more information on chaining attestation statements.
It is possible to replace the attestation key and cert. In that case, the attestation statement created by this method will chain up to a different root. See ReplaceAttestationKeyAndCertificate(PivPrivateKey, X509Certificate2). There are restrictions on the key and certificate; the documentation for the Replace method lists those restrictions.
It is not necessary to authenticate the management key or verify the PIN in order to create an attestation statement.
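The verification flow described above (create the statement, fetch the slot F9 attestation cert, chain both to a root), as an added example rather than code from the Yubico SDK documentation. It assumes a YubiKey 4.3 or later with a YubiKey-generated key in slot 9A, a hypothetical PEM file yubico-piv-root.pem holding the root cert you trust, and that the attestation chain publishes no revocation data (so revocation checking is disabled).

```csharp
using System;
using System.IO;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using Yubico.YubiKey;
using Yubico.YubiKey.Piv;

public static class AttestationCheck
{
    // Returns true only when the attestation statement for 'slot' chains through the
    // YubiKey's attestation cert (slot F9) to the root cert loaded from rootCaPemPath.
    // rootCaPemPath is a hypothetical location chosen for this example.
    public static bool VerifySlotAttestation(byte slot, string rootCaPemPath)
    {
        IYubiKeyDevice yubiKey = YubiKeyDevice.FindAll().FirstOrDefault()
            ?? throw new InvalidOperationException("No YubiKey found.");

        using var piv = new PivSession(yubiKey);
        // Neither call needs the management key or the PIN. CreateAttestationStatement
        // throws for slots other than 9A/9C/9D/9E, for empty slots and for imported keys.
        using X509Certificate2 statement = piv.CreateAttestationStatement(slot);
        using X509Certificate2 attestationCert = piv.GetAttestationCertificate();
        using X509Certificate2 root = X509Certificate2.CreateFromPem(File.ReadAllText(rootCaPemPath));

        using var chain = new X509Chain();
        // Trust only the root we supply, never the OS trust store: a statement that
        // chains to some other trusted root must not count as a Yubico attestation.
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        chain.ChainPolicy.CustomTrustStore.Add(root);
        chain.ChainPolicy.ExtraStore.Add(attestationCert);   // the intermediate from slot F9
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; // assumption: no CRL/OCSP in chain

        if (!chain.Build(statement))
        {
            foreach (X509ChainStatus status in chain.ChainStatus)
                Console.Error.WriteLine($"chain error: {status.Status} {status.StatusInformation}");
            return false;
        }

        // Belt and braces: the last element must be the root we loaded, not merely any root.
        X509Certificate2 top = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
        return top.Thumbprint == root.Thumbprint;
    }

    public static void Main()
    {
        bool ok = VerifySlotAttestation(PivSlot.Authentication, "yubico-piv-root.pem");
        Console.WriteLine(ok ? "slot 9A key is YubiKey-generated and attested" : "attestation NOT verified");
    }
}
```

If the attestation key and cert have been replaced with ReplaceAttestationKeyAndCertificate, point rootCaPemPath at the root of that replacement chain instead.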