If you are attempting to verify a PIV attestation using the default attestation certificate loaded in the YubiKey 4 or YubiKey NEO and OpenSSL 1.1.0, the verification will fail. This is caused by an issue with the PIV Attestation Root Certificate. Starting with the YubiKey 5 series, an updated PIV Attestation Root Certificate is available which works with OpenSSL 1.1.0. To work around this issue with the YubiKey NEO or YubiKey 4 series devices, you can use the attached Python script and the steps below to verify the attestation certificate chain.
- Install Python 3.
- To install the required Python dependencies, run: pip3 install cryptography
- Save the attached script to your computer.
- Open Terminal.
- Use cd to navigate to your downloads folder, e.g.: cd ~/Downloads
- Run the script: python3 piv-attest.py
- When prompted, enter the path to the PIV attestation certificate.
- When prompted, enter the path to the PIV intermediate certificate.
- When prompted, enter the path to the PIV CA root certificate.
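The following is an added illustration of what such a chain check looks like with the cryptography library; it is not the attached piv-attest.py. It verifies each certificate's signature with its issuer's public key and checks issuer/subject name chaining only, without the path-validation policy checks OpenSSL applies; the demo chain it builds is constructed so the code runs stand-alone, and load_pem() would read the three files entered at the prompts instead.

```python
# Added example, not Yubico's attached script. Checks an attestation chain
# by verifying signatures with the issuer's key; no extension/policy checks.
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec, rsa, padding

def load_pem(path):
    """Read one PEM certificate, e.g. the file path entered at each prompt."""
    with open(path, "rb") as f:
        return x509.load_pem_x509_certificate(f.read())

def signed_by(cert, issuer):
    """True if cert's issuer name equals issuer's subject and the signature
    over cert's TBS bytes verifies with issuer's public key."""
    if cert.issuer != issuer.subject:
        return False
    pub, h = issuer.public_key(), cert.signature_hash_algorithm
    try:
        if isinstance(pub, ec.EllipticCurvePublicKey):
            pub.verify(cert.signature, cert.tbs_certificate_bytes, ec.ECDSA(h))
        elif isinstance(pub, rsa.RSAPublicKey):
            pub.verify(cert.signature, cert.tbs_certificate_bytes, padding.PKCS1v15(), h)
        else:
            return False  # other key types are not handled here
    except InvalidSignature:
        return False
    return True

def verify_chain(attestation, intermediate, root):
    """attestation -> intermediate -> root, and the root must be self-signed."""
    return (signed_by(attestation, intermediate) and signed_by(intermediate, root)
            and signed_by(root, root))

def _issue(subject, issuer, pub, signer):
    # Minimal certificate builder used only for the constructed demo chain.
    now = datetime.datetime.now(datetime.timezone.utc)
    name = lambda cn: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    return (x509.CertificateBuilder().subject_name(name(subject)).issuer_name(name(issuer))
            .public_key(pub).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
            .sign(signer, hashes.SHA256()))

def build_demo_chain():
    """Constructed root/intermediate/attestation chain; NOT a real YubiKey chain."""
    keys = [ec.generate_private_key(ec.SECP256R1()) for _ in range(3)]
    root = _issue("Demo Root", "Demo Root", keys[0].public_key(), keys[0])
    inter = _issue("Demo Intermediate", "Demo Root", keys[1].public_key(), keys[0])
    leaf = _issue("Demo Attestation", "Demo Intermediate", keys[2].public_key(), keys[1])
    return leaf, inter, root
```

A root from a different chain fails the signature step even when its subject name matches, which is the case this check is meant to catch.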