The YubiHSM2 comes equipped with a built-in attestation key and certificate embedded in its firmware, allowing users to verify the authenticity of the device. This security feature ensures that the hardware is a genuine YubiHSM2 manufactured by Yubico, preventing the use of counterfeit or tampered devices.
To perform this verification, users can export the built-in attestation certificate located in slot 0. This certificate, pre-installed by Yubico, serves as cryptographic proof that the device is legitimate. By validating the attestation signature against Yubico’s root certificate, organizations can establish trust in their security infrastructure and mitigate risks associated with unauthorized hardware.
To export the built-in attestation certificate use the command get opaque
yubihsm>set outformat PEM
yubihsm>get opaque 0 0 YubiHSM_attestation_certificate.pem
Yubico’s root certificate and intermediate CA certificate can be download from our site using the links in the section pre-loaded certificates in YubiHSM documentation
You can then validate the attestation certificate from the YubiHSM against Yubico’s root and intermediate certificate. using for example openssl.
To verify the attestation certificate using openssl first create a ca certificate chain using the root and the intermediate certificate.
This can be don by concatenate the root and intermediate certifications into a single PEM file.
$ cat yubihsm2-attest-ca-crt.pem E45DA5F361B091B30D8F2C6FA040DB6FEF57918E.pem > YubiHSM_attestation_certificate_chain.pem
With the certificate chain it's possible to verify the exported attestation certificate using the openssl command openssl verify
$ openssl verify -verbose -CAfile YubiHSM_attestation_certificate_chain.pem YubiHSM_attestation_certificate.pem