Overview of the YubiKey attestation policies
The following table lists every YubiKey attestation policy directive and the values each one accepts. Each directive is checked against the attestation the YubiKey produces for the key in a certificate request; use this overview as a reference when configuring attestation policies for certificate issuance with YubiKeys.
You can find step-by-step setup instructions at Certificate issuance with YubiKey attestation policies.
| Directive | Available values |
|---|---|
| PIN policy: Determines how often the user must enter a PIN (or, on biometric keys, verify a fingerprint) before the private key can be used. | - Once: A PIN is required once per session to use the private key for signing, decrypting, or performing a key exchange. - Always: A PIN is required before every private key operation. - Never: A PIN is never required. - Match once (YubiKey 5.7+ only): Biometric or PIN verification is required once per session. - Match always (YubiKey 5.7+ only): Biometric or PIN verification is required for every use of the key. |
| Touch policy: Determines when a physical touch of the YubiKey is required for key operations. | - Never: No touch is required. - Always: A touch is required for every use of the key. - Cached (YubiKey 4.3+ only): No touch is required if the YubiKey was already touched within the last 15 seconds. |
| Minimum firmware version: Sets the lowest permissible firmware version for the YubiKey; keys attesting an older firmware are rejected. | Enter a supported firmware version. |
| Maximum firmware version: Sets the highest permissible firmware version for the YubiKey; keys attesting a newer firmware are rejected. | Enter a supported firmware version. |
| Edition: Limits issuance to a specific YubiKey edition. | - Standard - FIPS - CSPN |
| Form factor: Limits the allowed YubiKey model types. | - USB-A Keychain - USB-A Nano - USB-C Nano - USB-C Keychain - USB-C Lightning - USB-A Biometric Keychain - USB-C Biometric Keychain |
| Key algorithm: Specifies which key algorithms are permitted for certificate requests. | - RSA - ECC |
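As an added example (not code from this page or from the product it documents), the following Python shows how the directives above map onto what a YubiKey actually attests. It decodes the raw values of the Yubico PIV attestation certificate extensions for firmware version, PIN/touch policy and form factor/edition, then evaluates the result against a policy built from the table. The extension OIDs and byte encodings are taken from Yubico's published PIV attestation format as understood by the author and should be treated as assumptions to verify against Yubico's documentation; the `Policy`, `Attestation` and `evaluate` names are the example's own, and all sample bytes are constructed rather than read from a real key.

```python
# Decode YubiKey PIV attestation extensions and evaluate an attestation policy.
# Added example, not from the original page. OIDs and byte layouts are ASSUMED
# from Yubico's published PIV attestation format; verify against Yubico's docs.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Yubico PIV attestation extension OIDs (assumed, see note above).
OID_FIRMWARE = "1.3.6.1.4.1.41482.3.3"     # 3 bytes: major, minor, patch
OID_PIN_TOUCH = "1.3.6.1.4.1.41482.3.8"    # 2 bytes: PIN policy, touch policy
OID_FORM_FACTOR = "1.3.6.1.4.1.41482.3.9"  # 1 byte: form factor; 0x80 = FIPS, 0x40 = CSPN

PIN_POLICY = {1: "Never", 2: "Once", 3: "Always", 4: "Match once", 5: "Match always"}
TOUCH_POLICY = {1: "Never", 2: "Always", 3: "Cached"}
FORM_FACTOR = {
    1: "USB-A Keychain", 2: "USB-A Nano", 3: "USB-C Keychain", 4: "USB-C Nano",
    5: "USB-C Lightning", 6: "USB-A Biometric Keychain", 7: "USB-C Biometric Keychain",
}
FIPS_BIT, CSPN_BIT, FORM_FACTOR_MASK = 0x80, 0x40, 0x3F

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """Parse '5.7' or '5.4.3' into a comparable tuple. Comparing version strings
    lexically is a classic bug ('5.10.0' < '5.7.1' as strings); tuples avoid it."""
    parts = [int(p) for p in text.split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"bad firmware version: {text!r}")
    parts += [0] * (3 - len(parts))
    return parts[0], parts[1], parts[2]


@dataclass(frozen=True)
class Attestation:
    firmware: Version
    pin_policy: str
    touch_policy: str
    form_factor: str
    edition: str


def decode_attestation(extensions: Dict[str, bytes]) -> Attestation:
    """Map raw extension values from the slot attestation certificate to the
    names used in the policy table. Unknown codes raise instead of passing."""
    fw, pt, ff = extensions[OID_FIRMWARE], extensions[OID_PIN_TOUCH], extensions[OID_FORM_FACTOR]
    if len(fw) != 3 or len(pt) != 2 or len(ff) != 1:
        raise ValueError("unexpected attestation extension length")
    edition = "FIPS" if ff[0] & FIPS_BIT else "CSPN" if ff[0] & CSPN_BIT else "Standard"
    return Attestation(
        firmware=(fw[0], fw[1], fw[2]),
        pin_policy=PIN_POLICY[pt[0]],
        touch_policy=TOUCH_POLICY[pt[1]],
        form_factor=FORM_FACTOR[ff[0] & FORM_FACTOR_MASK],
        edition=edition,
    )


@dataclass
class Policy:
    """One attestation policy; None means the directive is not configured."""
    pin_policies: Optional[Set[str]] = None
    touch_policies: Optional[Set[str]] = None
    min_firmware: Optional[str] = None
    max_firmware: Optional[str] = None
    editions: Optional[Set[str]] = None
    form_factors: Optional[Set[str]] = None
    key_algorithms: Optional[Set[str]] = None


def evaluate(att: Attestation, key_algorithm: str, policy: Policy) -> List[str]:
    """Return the violated directives; an empty list means the request may be
    issued. key_algorithm ('RSA' or 'ECC') comes from the attested public key,
    not from an extension, so it is passed in separately."""
    v: List[str] = []
    if policy.pin_policies is not None and att.pin_policy not in policy.pin_policies:
        v.append(f"PIN policy {att.pin_policy!r} not allowed")
    if policy.touch_policies is not None and att.touch_policy not in policy.touch_policies:
        v.append(f"touch policy {att.touch_policy!r} not allowed")
    if policy.min_firmware is not None and att.firmware < parse_version(policy.min_firmware):
        v.append(f"firmware {att.firmware} below minimum {policy.min_firmware}")
    if policy.max_firmware is not None and att.firmware > parse_version(policy.max_firmware):
        v.append(f"firmware {att.firmware} above maximum {policy.max_firmware}")
    if policy.editions is not None and att.edition not in policy.editions:
        v.append(f"edition {att.edition!r} not allowed")
    if policy.form_factors is not None and att.form_factor not in policy.form_factors:
        v.append(f"form factor {att.form_factor!r} not allowed")
    if policy.key_algorithms is not None and key_algorithm not in policy.key_algorithms:
        v.append(f"key algorithm {key_algorithm!r} not allowed")
    return v


# Constructed sample (not real YubiKey data): FIPS USB-C Keychain, firmware 5.7.1,
# PIN policy Once, touch policy Cached.
SAMPLE_EXTENSIONS = {
    OID_FIRMWARE: bytes([5, 7, 1]),
    OID_PIN_TOUCH: bytes([2, 3]),
    OID_FORM_FACTOR: bytes([FIPS_BIT | 3]),
}

# A strict policy: PIN and touch required, firmware 5.4 or newer, FIPS edition, ECC only.
STRICT_POLICY = Policy(
    pin_policies={"Once", "Always", "Match once", "Match always"},
    touch_policies={"Always", "Cached"},
    min_firmware="5.4",
    editions={"FIPS"},
    key_algorithms={"ECC"},
)

if __name__ == "__main__":
    att = decode_attestation(SAMPLE_EXTENSIONS)
    print(att)
    print("violations:", evaluate(att, "ECC", STRICT_POLICY))
```

The decoder refuses unknown policy or form factor codes rather than defaulting to a permissive value, and firmware bounds are compared as integer tuples so a policy with a minimum of 5.7 correctly accepts a key on 5.10. In a real deployment the extension bytes come from the slot's attestation certificate, whose chain must first be verified up to Yubico's PIV attestation root before any of these values are trusted.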