GetAttestationCertificate Method
GetAttestationCertificate()
Get the attestation certificate.
public X509Certificate2 GetAttestationCertificate()
Returns
The attestation cert.
Exceptions
| Type | Condition |
|---|---|
| System.InvalidOperationException | The YubiKey is pre-4.3, or there is no attestation certificate, or the operation could not be completed for some reason such as an unreliable connection. |
| TlvException | The attestation certificate was replaced by data that is not a certificate. |
Remarks
Note that attestation is a feature available on YubiKeys version 4.3 and later.
The private key in slot F9 (PivSlot.Attestation) is the key used to sign the attestation statement (see CreateAttestationStatement(Byte)). To verify the attestation statement, one needs the certificate of the key that signed it. The certificate returned by this method is that certificate.
Root Cert
|
[CA Cert] (there may or may not be a CA cert between
| the root and Attestation Cert)
|
Attestation Cert (returned by this method)
|
Attestation Statement (returned by CreateAttestationStatement)
The YubiKey is manufactured with an attestation key and cert that chain to the Yubico root cert. The User's Manual entry on PIV attestation has more information on chaining attestation statements and certs.
It is possible to replace the attestation key and cert. In that case, the certificate returned by this method, and the attestation statements signed with the replaced key, will chain up to a different root. See ReplaceAttestationKeyAndCertificate(PivPrivateKey, X509Certificate2).
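The verification flow the remarks describe, as an added example that is not part of the SDK documentation: it fetches the attestation certificate from slot F9, creates an attestation statement for a slot, then builds the chain statement -> attestation cert -> (optional CA) -> root against a root the verifier already trusts, rather than the machine's system store. It assumes the Yubico.YubiKey package (`YubiKeyDevice.FindAll()`, the `PivSession(IYubiKeyDevice)` constructor, `CreateAttestationStatement(byte)`), that `TlvException` lives in `Yubico.Core.Tlv`, and .NET 5 or later for `X509ChainTrustMode.CustomRootTrust` and `X509Certificate2.CreateFromPemFile`. The root certificate path is a placeholder supplied on the command line.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using Yubico.Core.Tlv;          // assumed namespace of TlvException
using Yubico.YubiKey;
using Yubico.YubiKey.Piv;

// Added example, not SDK code. Verifies that a PIV attestation statement for
// `slot` chains to `trustedRoot` through the certificate returned by
// GetAttestationCertificate().
public static class AttestationCheck
{
    public static bool VerifyAttestation(IYubiKeyDevice yubiKey, byte slot, X509Certificate2 trustedRoot)
    {
        X509Certificate2 attestationCert;
        X509Certificate2 statement;
        try
        {
            using var piv = new PivSession(yubiKey);
            attestationCert = piv.GetAttestationCertificate();   // cert for the F9 key
            statement = piv.CreateAttestationStatement(slot);    // signed by the F9 key
        }
        catch (InvalidOperationException ex)
        {
            // Pre-4.3 key, no attestation cert, or transport problem: treat as unverified.
            Console.Error.WriteLine($"Attestation unavailable: {ex.Message}");
            return false;
        }
        catch (TlvException ex)
        {
            // Slot F9 holds something that is not a certificate (e.g. after a bad replacement).
            Console.Error.WriteLine($"Attestation slot does not hold a certificate: {ex.Message}");
            return false;
        }

        using var chain = new X509Chain();
        // Trust only the root we were given; do not fall back to the OS store.
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        chain.ChainPolicy.CustomTrustStore.Add(trustedRoot);
        // The attestation cert (and any intermediate CA cert the verifier holds)
        // goes in ExtraStore so the builder can find the path to the root.
        chain.ChainPolicy.ExtraStore.Add(attestationCert);
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; // offline device certs
        chain.ChainPolicy.VerificationFlags = X509VerificationFlags.NoFlag;

        if (!chain.Build(statement))
        {
            foreach (X509ChainStatus status in chain.ChainStatus)
            {
                Console.Error.WriteLine($"Chain error: {status.Status} {status.StatusInformation}");
            }
            return false;
        }

        // Build() succeeding is not enough: confirm the path ends at *our* root,
        // and that the F9 certificate actually appears in it.
        X509Certificate2 last = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
        bool endsAtTrustedRoot = last.Thumbprint == trustedRoot.Thumbprint;
        bool viaAttestationCert = chain.ChainElements
            .Cast<X509ChainElement>()
            .Any(e => e.Certificate.Thumbprint == attestationCert.Thumbprint);
        return endsAtTrustedRoot && viaAttestationCert;
    }

    public static int Main(string[] args)
    {
        if (args.Length != 1)
        {
            Console.Error.WriteLine("usage: AttestationCheck <trusted-root.pem>");
            return 2;
        }
        // Placeholder: the verifier obtains the attestation root out of band and pins it here.
        X509Certificate2 root = X509Certificate2.CreateFromPemFile(args[0]);

        IYubiKeyDevice? yubiKey = YubiKeyDevice.FindAll().FirstOrDefault();
        if (yubiKey is null)
        {
            Console.Error.WriteLine("No YubiKey found.");
            return 2;
        }

        bool ok = VerifyAttestation(yubiKey, PivSlot.Authentication, root);
        Console.WriteLine(ok ? "attestation verified" : "attestation NOT verified");
        return ok ? 0 : 1;
    }
}
```

If the attestation key and certificate have been replaced with ReplaceAttestationKeyAndCertificate, `trustedRoot` must be the root of that replacement chain; a statement from such a key will correctly fail against the Yubico root. A complete check also compares the public key inside the statement with the public key the verifier expects for the slot, so that a valid statement for one key cannot be presented for another.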