PIV Attestation Verification Fails with OpenSSL 1.1.0


If you are attempting to verify a PIV attestation using the default attestation certificate loaded in the YubiKey 4 and OpenSSL 1.1.0, the verification will fail. This is caused by an issue with the PIV Attestation Root Certificate. Starting with the YubiKey 5 series, an updated PIV Attestation Root Certificate is available which works with OpenSSL 1.1.0. To work around this issue with the YubiKey 4 series devices, you can use the attached Python script and the steps below to verify the attestation certificate chain.

  1. Install Python 3.
  2. To install the required Python dependencies, run: pip3 install cryptography
  3. Save the attached script to your computer.
  4. Open Terminal.
  5. Use cd to navigate to your downloads folder, e.g.: cd ~/Downloads
  6. Run the script: python3 piv-attest.py
  7. When prompted, enter the path to the PIV attestation certificate.
  8. When prompted, enter the path to the PIV intermediate certificate.
  9. When prompted, enter the path to the PIV CA root certificate.
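The attached script is not reproduced on this page. The following is an added example (not Yubico's script) that does the same job: it checks the issuer names and signatures of the three certificates directly with the cryptography library, and builds a constructed sample chain so it runs without a YubiKey.

```python
# Added example (not Yubico's attached script): verify a PIV attestation chain signature by signature.
from datetime import datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec, padding, rsa

def check_signed_by(cert, issuer):
    """Raise InvalidSignature unless cert names issuer and carries issuer's signature."""
    if cert.issuer != issuer.subject:
        raise InvalidSignature("issuer name does not match")
    key = issuer.public_key()
    if isinstance(key, rsa.RSAPublicKey):
        key.verify(cert.signature, cert.tbs_certificate_bytes,
                   padding.PKCS1v15(), cert.signature_hash_algorithm)
    elif isinstance(key, ec.EllipticCurvePublicKey):
        key.verify(cert.signature, cert.tbs_certificate_bytes,
                   ec.ECDSA(cert.signature_hash_algorithm))
    else:
        raise TypeError("unsupported issuer key type")

def verify_chain(attest_pem, intermediate_pem, root_pem):
    """True if attestation <- intermediate <- root verify and the root is self-signed."""
    attest, inter, root = (x509.load_pem_x509_certificate(p)
                           for p in (attest_pem, intermediate_pem, root_pem))
    try:
        check_signed_by(attest, inter)
        check_signed_by(inter, root)
        check_signed_by(root, root)
    except InvalidSignature:
        return False
    return True

def make_cert(cn, key, issuer=None, issuer_key=None):
    """Constructed test helper: self-signed if no issuer, otherwise signed by issuer_key."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    builder = (x509.CertificateBuilder().subject_name(name)
               .issuer_name(issuer.subject if issuer else name)
               .public_key(key.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(datetime(2020, 1, 1)).not_valid_after(datetime(2030, 1, 1)))
    return builder.sign(issuer_key or key, hashes.SHA256())

def constructed_chain():
    """Constructed sample chain (attestation, intermediate, root) as PEM bytes."""
    root_key, inter_key, leaf_key = (rsa.generate_private_key(65537, 2048) for _ in range(3))
    root = make_cert("Constructed PIV Root", root_key)
    inter = make_cert("Constructed PIV Intermediate", inter_key, root, root_key)
    leaf = make_cert("Constructed PIV Attestation", leaf_key, inter, inter_key)
    return tuple(c.public_bytes(serialization.Encoding.PEM) for c in (leaf, inter, root))
```

To check a real YubiKey 4 chain, read the three PEM files from steps 7 to 9 and pass their bytes to verify_chain; note that it checks names and signatures only, not validity periods, extensions or revocation.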