CSRInspector is a Windows GUI application designed to validate YubiKey PIV attestation. It allows PKI administrators to verify (attest) the authenticity of a YubiKey by checking its certificate chain and public key associations. The application requires three input files:
- A Certificate Signing Request (CSR)
- An Attestation Certificate (from the YubiKey)
- The Yubico Intermediate CA Certificate (from the YubiKey F9 slot).
Based on these inputs, CSRInspector performs certificate chain validation to ensure the attestation certificate is correctly issued and trusted. It also verifies that the public key in the attestation certificate matches the one in the CSR. If all checks pass, the app confirms successful attestation and displays detailed metadata about the YubiKey, including its firmware version, form factor, and security policies.
🙇🏻♂️ A big 'thank you' to Oscar Virot (@virot) for showing what's possible!
This application is made available on an "as-is" basis, without any warranties or representations, whether express, implied, or statutory, including but not limited to implied warranties of merchantability, fitness for a particular purpose, or non-infringement.
To install CSRInspector:
- Download the MSI here
- Double-click the MSI package to begin installation
- Follow on-screen instructions to complete installation.
To use CSRInspector:
- Double-click the
CSRInspectordesktop shortcut to run the app - Select the requisite input files (CSR, attestation certificate and intermediate certificate)1
- Click the Perform attestation checks button
- If attestation is successful, click Details to review attested YubiKey details
- Issue or reject the CSR (out of scope).
1 Yubico CA certficate is embedded within the application and is not a required input.