Certificate issuance with YubiKey attestation policies
Attestation policies define security requirements that a YubiKey must meet before a certificate is issued. This ensures that only trusted and compliant YubiKeys are used for certificate-based authentication.
These policies are based on YubiKey attestation, which verifies that the key was generated directly on the YubiKey (not imported) and that the device meets the configured requirements.
Once you have added the enrollment step Certificate-based authentication to the YubiKey configuration, you can enforce attestation policies. This enrollment step allows users to request a PKI certificate from Active Directory Certificate Services (AD CS) and store it on the YubiKey. The certificate is then used for secure authentication. For more information, see [link to relevant documentation]: Connecting YubiKey Card Authentication (CCID) to MS AD Certificate Services (AD CS).

How to enforce attestation policies
– In the Appterix Management UI, navigate to Settings > YubiKey Management.
– Scroll down to the Attestation policies.
– Click Add new policy to add the necessary policies for issuing certificates.
– Select the required policy from the list. You can add one or more key attestation policies:
  PIN policy
  Touch policy
  Minimum firmware version
  Maximum firmware version
  Edition
  Form factor
  Key algorithm
– Configure the values based on the selected policy.
– Click Save.
When a user initiates certificate-based authentication enrollment on their YubiKey, the system automatically checks every configured attestation policy against the key's attestation. If the YubiKey fails any one of the defined policies, certificate issuance is rejected and enrollment fails.
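The check described above, as an added example that is not Appterix or Yubico code: it decodes the Yubico PIV attestation extensions (the public OIDs under 1.3.6.1.4.1.41482.3) into device properties and evaluates a policy of the kinds listed above. It assumes the attestation certificate's signature chain to the Yubico PIV root CA has already been verified, that the caller supplies the extension values as raw bytes, and that the key algorithm label (e.g. "ECCP256") comes from the attested key's SubjectPublicKeyInfo; the sample values are constructed.

```python
from dataclasses import dataclass

# Yubico PIV attestation extension OIDs and the encoding of each value
OID_FIRMWARE = "1.3.6.1.4.1.41482.3.3"    # 3 bytes: major, minor, patch
OID_SERIAL = "1.3.6.1.4.1.41482.3.7"      # DER INTEGER
OID_POLICY = "1.3.6.1.4.1.41482.3.8"      # 2 bytes: PIN policy, touch policy
OID_FORMFACTOR = "1.3.6.1.4.1.41482.3.9"  # 1 byte; bit 0x80 = FIPS, 0x40 = CSPN
PIN_POLICY = {1: "never", 2: "once", 3: "always"}
TOUCH_POLICY = {1: "never", 2: "always", 3: "cached"}
FORM_FACTOR = {1: "usb-a-keychain", 2: "usb-a-nano", 3: "usb-c-keychain",
               4: "usb-c-nano", 5: "usb-c-lightning", 6: "usb-a-bio", 7: "usb-c-bio"}

@dataclass
class Attestation:
    firmware: tuple
    serial: int
    pin_policy: str
    touch_policy: str
    form_factor: str
    edition: str
    key_algorithm: str  # label taken by the caller from the attested key's SubjectPublicKeyInfo

def parse_attestation(exts, key_algorithm):
    """exts: OID -> raw extension value bytes, read from the attestation certificate
    only AFTER its chain (attestation cert -> device cert -> Yubico PIV Root CA) verified."""
    fw, ser, pol, ff = (exts[o] for o in (OID_FIRMWARE, OID_SERIAL, OID_POLICY, OID_FORMFACTOR))
    if len(fw) != 3 or len(pol) != 2 or len(ff) != 1:
        raise ValueError("malformed attestation extension")
    if len(ser) < 3 or ser[0] != 0x02 or ser[1] != len(ser) - 2:
        raise ValueError("serial is not a DER INTEGER")
    edition = "fips" if ff[0] & 0x80 else "cspn" if ff[0] & 0x40 else "standard"
    return Attestation(tuple(fw), int.from_bytes(ser[2:], "big", signed=True),
                       PIN_POLICY.get(pol[0], "unknown"), TOUCH_POLICY.get(pol[1], "unknown"),
                       FORM_FACTOR.get(ff[0] & 0x3F, "unknown"), edition, key_algorithm)

def check_policies(att, policy):
    """Return the names of violated policies; an empty list means the certificate may be issued."""
    failed = []
    for name, field in (("PIN policy", "pin_policy"), ("Touch policy", "touch_policy"),
                        ("Edition", "edition"), ("Form factor", "form_factor"),
                        ("Key algorithm", "key_algorithm")):
        if field in policy and getattr(att, field) not in policy[field]:  # allow-list check
            failed.append(name)
    if "min_firmware" in policy and att.firmware < policy["min_firmware"]:
        failed.append("Minimum firmware version")
    if "max_firmware" in policy and att.firmware > policy["max_firmware"]:
        failed.append("Maximum firmware version")
    return failed

# Constructed sample: firmware 5.4.3, serial 12345678, PIN once, touch cached, USB-C keychain, FIPS
SAMPLE_EXTS = {OID_FIRMWARE: b"\x05\x04\x03", OID_SERIAL: b"\x02\x04\x00\xbc\x61\x4e",
               OID_POLICY: b"\x02\x03", OID_FORMFACTOR: b"\x83"}
POLICY = {"pin_policy": {"once", "always"}, "touch_policy": {"always"},
          "min_firmware": (5, 4, 0), "edition": {"fips"}, "key_algorithm": {"ECCP256", "ECCP384"}}
```

With the sample above, `check_policies(parse_attestation(SAMPLE_EXTS, "ECCP256"), POLICY)` returns `["Touch policy"]`, so issuance would be rejected because the key's touch policy is "cached" rather than the required "always".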