
CreateAttestationStatement Method

CreateAttestationStatement(byte)

Create an attestation statement for the private key in the given slot.

Note

In version 1.0.0 of the SDK, it was not possible to get an attestation statement for keys in slots 82 - 95 (retired key slots). However, beginning with SDK 1.0.1, it is possible to get attestation statements for keys in those slots.

C#
public X509Certificate2 CreateAttestationStatement(byte slotNumber)

Parameters

Type: byte
Name: slotNumber
Description: The slot containing the key to be attested.

Returns

X509Certificate2

The resulting attestation statement (a certificate).

Exceptions

ArgumentException
  The slot specified is not valid for creating an attestation statement.

InvalidOperationException
  The YubiKey is pre-4.3, or there is no YubiKey-generated key in the slot, or the attestation key and cert were replaced with invalid values, or the YubiKey could not complete the task for some reason such as an unreliable connection.

Remarks

See the User's Manual entry on PIV attestation for more information on attestation statements.

Note that attestation is a feature available on YubiKeys version 4.3 and later.

An attestation statement is an X.509 certificate that certifies a private key was generated by a YubiKey.

It is possible to create attestation statements only for keys generated on a YubiKey, and only for keys in the following slots:

PivSlot.Authentication      = 9A
PivSlot.Signing             = 9C
PivSlot.KeyManagement       = 9D
PivSlot.CardAuthentication  = 9E
PivSlot.Retired1            = 82
  through
PivSlot.Retired20           = 95
If the slotNumber argument is for any other slot, or if there is no key in the slot, or if the key in the slot was imported and not generated by the YubiKey, this method will throw an exception.

Note that it is not possible to get an attestation statement for the key in slot F9. That is the attestation key itself.

The key that will sign the attestation statement is the "attestation key" in slot F9. To verify the attestation statement, chain up to the attestation key's cert (see the method GetAttestationCertificate()), which will chain to a root. The YubiKey is manufactured with an attestation key and cert that chain to the Yubico root cert. The User's Manual entry on PIV attestation has more information on chaining attestation statements.

It is possible to replace the attestation key and cert. In that case, the attestation statement created by this method will chain up to a different root. See ReplaceAttestationKeyAndCertificate(IPrivateKey, X509Certificate2). There are restrictions on the key and certificate. The documentation for the Replace method lists those restrictions.

It is not necessary to authenticate the management key or verify the PIN in order to create an attestation statement.
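The following is an added example (not part of the SDK documentation or the SDK's own code) showing how a relying party would use this method together with GetAttestationCertificate() to check that a slot's key was generated on a YubiKey: it rejects slots the page says cannot be attested, creates the statement, and builds an X.509 chain from the statement through the device's attestation cert to a pinned Yubico root. It assumes .NET 5 or later (for X509ChainTrustMode.CustomRootTrust), the Yubico.YubiKey NuGet package, a connected YubiKey, and a PEM file of the Yubico PIV attestation root at a placeholder path.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using Yubico.YubiKey;
using Yubico.YubiKey.Piv;

public static class AttestationCheck
{
    // Slots the documentation lists as attestable: 9A, 9C, 9D, 9E and retired slots 82 through 95.
    // F9 (the attestation key itself) is deliberately excluded.
    public static bool IsAttestableSlot(byte slot) =>
        slot == PivSlot.Authentication || slot == PivSlot.Signing ||
        slot == PivSlot.KeyManagement || slot == PivSlot.CardAuthentication ||
        (slot >= PivSlot.Retired1 && slot <= PivSlot.Retired20);

    // Returns true only if the statement chains through the device's F9 attestation cert
    // to the pinned root. No management key authentication or PIN verification is needed.
    public static bool VerifyAttestation(IYubiKeyDevice yubiKey, byte slot, X509Certificate2 pinnedRoot)
    {
        if (!IsAttestableSlot(slot))
            throw new ArgumentException($"Slot {slot:X2} cannot be attested.", nameof(slot));

        using var piv = new PivSession(yubiKey);
        X509Certificate2 statement = piv.CreateAttestationStatement(slot);   // throws if key was imported
        X509Certificate2 attestationCert = piv.GetAttestationCertificate();  // cert for the key in F9

        using var chain = new X509Chain();
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;    // trust only the pinned root
        chain.ChainPolicy.CustomTrustStore.Add(pinnedRoot);
        chain.ChainPolicy.ExtraStore.Add(attestationCert);                   // intermediate for path building
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck;       // attestation certs carry no CRL/OCSP
        if (!chain.Build(statement))
            return false;

        // Make sure the built path really passes through this device's attestation cert.
        return chain.ChainElements.Cast<X509ChainElement>()
            .Any(e => e.Certificate.Thumbprint == attestationCert.Thumbprint);
    }

    public static void Main()
    {
        // Placeholder path: obtain the Yubico PIV attestation root certificate from Yubico.
        var root = X509Certificate2.CreateFromPem(File.ReadAllText("yubico-piv-root-PLACEHOLDER.pem"));
        IYubiKeyDevice yubiKey = YubiKeyDevice.FindAll().First();            // first connected YubiKey
        bool ok = VerifyAttestation(yubiKey, PivSlot.Authentication, root);
        Console.WriteLine(ok ? "Key in 9A was generated on a YubiKey." : "Attestation chain did not verify.");
    }
}
```

If the attestation key and cert in F9 were replaced via ReplaceAttestationKeyAndCertificate, pin that replacement's root instead of the Yubico root.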
