HSM Attestation Checker
Verify that a key was generated inside a YubiKey or YubiHSM 2 by validating its attestation chain against Yubico's root CAs
Verify a Hardware Key Attestation
Paste the attestation certificate produced for your key. We validate the full chain up to the Yubico root CA and extract the device and key details embedded in the attestation.
About Key Attestation
Key attestation is a cryptographic proof of provenance: the hardware device itself signs a statement certifying that a specific key pair was generated inside its secure element and that the private key has never existed outside the device. Anyone can verify that statement offline — no trust in the key's owner is required, only in the device vendor's root CA.
How the Chain Works
Per-Key Attestation Certificate
When a key is generated on-device, the hardware issues a certificate for that key's public half. Vendor-specific extensions embed details such as serial number, firmware, and key policies.
Device Attestation Certificate
The per-key certificate is signed by an attestation certificate unique to the physical device, which was itself provisioned at the factory. On YubiKeys it lives in PIV slot f9.
Vendor Root CA
The device certificate chains to a published vendor root (Yubico's PIV or YubiHSM 2 attestation root). If the full chain verifies, the key is provably hardware-backed.
Why It Matters
Code Signing Requirements
Since June 2023 the CA/Browser Forum requires that private keys for publicly trusted code signing certificates be generated and stored in certified hardware. Attestation is how a CA confirms this before issuing.
Enterprise Key Governance
Internal CAs and PKI teams verify attestations before issuing certificates to employees or services, guaranteeing that credentials cannot be copied off the token they were issued to.
Non-Exportability
A valid attestation proves the private key was generated on-device — not imported — so it can never be extracted, backed up, or silently duplicated.