Update Yubico attestation CA #2355

@hslatman

Description

Hello!

  • Vote on this issue by adding a 👍 reaction
  • If you want to implement this feature, comment to let us know (we'll work with you on design, scheduling, etc.)

Issue details

Yubico is updating its root CA: https://developers.yubico.com/PIV/Introduction/PIV_attestation.html#_yubico_root_ca_update. It looks like there's a new attestation CA root certificate, and multiple intermediate CAs chained off of that, including (at least) one that's meant for PIV attestation.

We currently rely on a single attestation root as our default when verifying the step attestation format. We should include at least the new attestation root in our verification logic. We may also need to include the PIV attestation intermediate(s) in the server-side validation, or we should ensure that the CLI includes the right intermediates.

In go-piv, the new root and intermediates are already included: go-piv/piv-go#176.

Why is this needed?

Support step attestation format with YubiKeys with firmware 5.7.4+.

Metadata

Labels: enhancement, needs triage (Waiting for discussion / prioritization by team)