move extensions used to other attestation doc
This commit is contained in:
@@ -1,6 +1,8 @@
|
|||||||
Using Attestation
|
Using Attestation
|
||||||
-----------------
|
-----------------
|
||||||
|
|
||||||
|
This feature is only available in YubiKey 4.3 and newer.
|
||||||
|
|
||||||
Attestation works through a special key slot called “f9” this comes
|
Attestation works through a special key slot called “f9” this comes
|
||||||
pre-loaded from factory with a key and cert signed by Yubico, but can be
|
pre-loaded from factory with a key and cert signed by Yubico, but can be
|
||||||
overwritten.
|
overwritten.
|
||||||
@@ -11,10 +13,4 @@ special key, this can be realised by using the yubico-piv-tool action attest:
|
|||||||
...
|
...
|
||||||
$ yubico-piv-tool --action=attest --slot=9a
|
$ yubico-piv-tool --action=attest --slot=9a
|
||||||
|
|
||||||
The output of this is a PEM encoded certificate, signed by the key in slot f9. There are a couple of special extensions on this certificate:
|
The output of this is a PEM encoded certificate, signed by the key in slot f9.
|
||||||
|
|
||||||
* +1.3.6.1.4.1.41482.3.3+: Firmware version, encoded as 3 bytes, like: 040300 for 4.3.0
|
|
||||||
* +1.3.6.1.4.1.41482.3.7+: Serial number, encoded as an integer.
|
|
||||||
* +1.3.6.1.4.1.41482.3.8+: Two bytes, the first encoding pin policy and the second touch policy
|
|
||||||
** Pin policy: 01 - never, 02 - once per session, 03 - always
|
|
||||||
** Touch policy: 01 - never, 02 - always, 03 - cached for 15s
|
|
||||||
|
|||||||
Reference in New Issue
Block a user