PIV Attestation Verification Fails with OpenSSL 1.1.0

A PIV attestation chain has three links: the attestation certificate generated for the attested slot, the device's own attestation certificate from slot F9 (the intermediate), and the Yubico PIV Attestation Root Certificate. If you verify such a chain with OpenSSL 1.1.0 and the chain ends in the default PIV Attestation Root Certificate used by the YubiKey 4 or YubiKey NEO, the verification fails. The cause is an issue with that PIV Attestation Root Certificate, which OpenSSL 1.1.0 rejects; the attestation certificate produced by the device is not the problem. Starting with the YubiKey 5 series, an updated PIV Attestation Root Certificate is available that verifies correctly with OpenSSL 1.1.0. For YubiKey NEO and YubiKey 4 series devices, work around the issue by verifying the certificate chain with the attached Python script, which checks the chain using the Python cryptography library instead of OpenSSL's verifier, following the steps below.

  1. Install Python 3.
  2. To install the required Python dependencies, run: pip3 install cryptography
  3. Save the attached script to your computer.
  4. Open Terminal.
  5. Use cd to navigate to your downloads folder, e.g. cd ~/Downloads
  6. Run the script: python3 piv-attest.py
  7. When prompted, enter the path to the PIV attestation certificate (the certificate produced by attesting a slot, for example with yubico-piv-tool -a attest -s 9a).
  8. When prompted, enter the path to the PIV intermediate certificate (the attestation certificate stored in slot F9, for example exported with yubico-piv-tool -a read-certificate -s f9).
  9. When prompted, enter the path to the PIV CA root certificate (the Yubico PIV Attestation Root Certificate, obtained from Yubico rather than from the device).
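The following is an added example of the kind of check the attached script performs; it is not Yubico's piv-attest.py. It verifies the three-link chain (attestation certificate, F9 intermediate, root) with the cryptography library by checking each signature, each issuer/subject pairing and the validity period directly, so OpenSSL's X.509 path validation, which rejects the old root, is never involved. It also extracts the attestation details Yubico places in the leaf certificate (firmware version, serial number, PIN and touch policy) using the extension OIDs documented by Yubico. The certificates produced by build_sample_chain() are constructed locally for offline use; they are not Yubico's real certificates or keys, and the names, serial and firmware values in them are invented. The optional expected_root_sha256 parameter is an assumption of this example: pinning the root's SHA-256 fingerprint guards against being handed a substitute root along with the chain.

```python
"""Verify a YubiKey PIV attestation chain with `cryptography` (added example;
not Yubico's attached piv-attest.py)."""
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec, padding, rsa
from cryptography.x509.oid import NameOID

# Extension OIDs Yubico places in the attestation (leaf) certificate.
OID_FIRMWARE = x509.ObjectIdentifier("1.3.6.1.4.1.41482.3.3")  # 3 raw bytes, e.g. 04 03 00 = 4.3.0
OID_SERIAL = x509.ObjectIdentifier("1.3.6.1.4.1.41482.3.7")    # DER INTEGER
OID_POLICY = x509.ObjectIdentifier("1.3.6.1.4.1.41482.3.8")    # 2 bytes: PIN policy, touch policy


def _signed_by(cert, issuer_pub):
    """True if cert's signature verifies under issuer_pub (RSA PKCS#1 v1.5 or ECDSA)."""
    try:
        if isinstance(issuer_pub, rsa.RSAPublicKey):
            issuer_pub.verify(cert.signature, cert.tbs_certificate_bytes,
                              padding.PKCS1v15(), cert.signature_hash_algorithm)
        elif isinstance(issuer_pub, ec.EllipticCurvePublicKey):
            issuer_pub.verify(cert.signature, cert.tbs_certificate_bytes,
                              ec.ECDSA(cert.signature_hash_algorithm))
        else:
            return False
        return True
    except Exception:  # InvalidSignature or an unsupported algorithm
        return False


def _valid_at(cert, now):
    """Validity check that works on both old (naive) and new (_utc) cryptography APIs."""
    nb = getattr(cert, "not_valid_before_utc", None) or cert.not_valid_before.replace(tzinfo=dt.timezone.utc)
    na = getattr(cert, "not_valid_after_utc", None) or cert.not_valid_after.replace(tzinfo=dt.timezone.utc)
    return nb <= now <= na


def attestation_details(leaf):
    """Pull firmware, serial and policy bytes out of the leaf's Yubico extensions."""
    out = {"subject": leaf.subject.rfc4514_string()}
    for ext in leaf.extensions:
        if not isinstance(ext.value, x509.UnrecognizedExtension):
            continue
        v = ext.value.value
        if ext.oid == OID_FIRMWARE and len(v) == 3:
            out["firmware"] = f"{v[0]}.{v[1]}.{v[2]}"
        elif ext.oid == OID_SERIAL:
            body = v[2:] if len(v) >= 2 and v[0] == 0x02 and v[1] == len(v) - 2 else v
            out["serial"] = int.from_bytes(body, "big")
        elif ext.oid == OID_POLICY and len(v) == 2:
            out["pin_policy"], out["touch_policy"] = v[0], v[1]
    return out


def verify_attestation_chain(leaf_pem, intermediate_pem, root_pem, expected_root_sha256=None, now=None):
    """Verify leaf <- intermediate <- root and return the leaf's attestation details.

    Raises ValueError naming the first failed check. Only signatures, issuer/subject
    links and validity periods are checked; there is no revocation or policy processing.
    """
    leaf = x509.load_pem_x509_certificate(leaf_pem)
    inter = x509.load_pem_x509_certificate(intermediate_pem)
    root = x509.load_pem_x509_certificate(root_pem)
    now = now or dt.datetime.now(dt.timezone.utc)
    if expected_root_sha256 is not None:  # pin the root you trust, not whatever was supplied
        fp = root.fingerprint(hashes.SHA256()).hex()
        if fp != expected_root_sha256.replace(":", "").lower():
            raise ValueError("root fingerprint mismatch: " + fp)
    if root.issuer != root.subject or not _signed_by(root, root.public_key()):
        raise ValueError("root certificate is not self-signed")
    for label, cert, issuer in (("intermediate", inter, root), ("attestation", leaf, inter)):
        if cert.issuer != issuer.subject:
            raise ValueError(f"{label} certificate issuer does not match its signer's subject")
        if not _signed_by(cert, issuer.public_key()):
            raise ValueError(f"{label} certificate signature does not verify")
        if not _valid_at(cert, now):
            raise ValueError(f"{label} certificate is outside its validity period")
    return attestation_details(leaf)


def build_sample_chain(serial=0x8C2B1D, firmware=(4, 3, 0)):
    """Constructed sample chain for offline runs: NOT Yubico's real certificates or keys."""
    def name(cn):
        return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

    start, end = dt.datetime(2020, 1, 1, tzinfo=dt.timezone.utc), dt.datetime(2050, 1, 1, tzinfo=dt.timezone.utc)

    def make(subject, issuer, pub, signer, exts=()):
        b = (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer).public_key(pub)
             .serial_number(x509.random_serial_number()).not_valid_before(start).not_valid_after(end))
        for oid, value in exts:
            b = b.add_extension(x509.UnrecognizedExtension(oid, value), critical=False)
        return b.sign(signer, hashes.SHA256())

    root_key, inter_key = rsa.generate_private_key(65537, 2048), rsa.generate_private_key(65537, 2048)
    leaf_key = ec.generate_private_key(ec.SECP256R1())  # the attested slot key
    root = make(name("Sample PIV Root"), name("Sample PIV Root"), root_key.public_key(), root_key)
    inter = make(name("Sample PIV Attestation"), root.subject, inter_key.public_key(), root_key)
    ser = serial.to_bytes((serial.bit_length() + 8) // 8, "big")  # minimal DER INTEGER content
    leaf = make(name("Sample PIV Attestation 9a"), inter.subject, leaf_key.public_key(), inter_key,
                exts=[(OID_FIRMWARE, bytes(firmware)), (OID_SERIAL, b"\x02" + bytes([len(ser)]) + ser),
                      (OID_POLICY, b"\x02\x01")])
    pem = lambda c: c.public_bytes(serialization.Encoding.PEM)
    return pem(leaf), pem(inter), pem(root)


if __name__ == "__main__":
    print(verify_attestation_chain(*build_sample_chain()))
```

With real files, read the three PEMs from the paths the steps above ask for and pass them to verify_attestation_chain, pinning the SHA-256 fingerprint of the Yubico root you obtained out of band. The RSA branch assumes PKCS#1 v1.5 signatures, which is what these certificates use; RSA-PSS signed certificates would need a different padding object.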
