Making my own certification for FIDO2

Wassup folks!

I have implanted my FlexSecure and I am waiting to implant my Apex Flex in the future (but do have both in my possession at the moment).

FIDO2 works perfectly on the Apex Flex, due to the secure nature of Fidesmo and FIDO2 being configured by VivoKey. I would like, as close as possible, to make my own certification for FIDO2 and try to make it as official as I can, for a single entity.

I’ve started by taking a look at the fantastic GitHub page by DangerousThings called the Fido-attestation-loader:

https://github.com/DangerousThings/fido-attestation-loader/tree/master

And here is where I started having loads of questions. I can see that there is a settings file to configure, and this contains details like:

    [metadata]
    description=WebbedAuth
    iconfile=icon.png

    [ca]
    C=GB
    O=name
    CN=name Attestation Root CA

    [cert]
    C=GB
    O=name
    CN=name Token Attestation

    [fido2]
    aaguid=insert-guid-here
    devns=1.3.6.1.4.1.0.2
    devid=1.3.6.1.4.1.0.1.1

    [fidesmo]
    title=Generic FIDO
    description=Generic FIDO description.
    issuerAccountId=0
    executableLoadFile=A0000006472F00
    searchBy=aid
    executableModule=A0000006472F0001
    application=A0000006472F0001
    waitingMessage=Please wait while the attestation certificate is loaded.
    successMessage=Installation successful.
    failureMessage=Installation failure.

I stopped at this point because I was very curious about the devns and devid section. This led me to sign up for a Private Enterprise Number under my org, webbedjoes. This has now been approved and I have my own number.

I would like to know how to approach this moving forward - and if there are any steps at this point that I should be considerate about before generating the private and public certificates required for FIDO2 to work.

Essentially, at the end of it I would love to have my own FIDO2 certification approved by the FIDO Alliance so that it’s recognised as a legit authenticator; however, I do understand that this is a HUGE task and is probably impossible/not viable for a single person to do.

I’ve been trying to collect this info together myself but this is a whole can of worms that I’ve opened and now can’t stop!

My questions are:

  1. Is what I’m doing even realistically possible? Have I understood the process correctly? Should I just stop? (never!!!)
  2. If it isn’t possible, is there a FIDO2 applet with certification that I can use that’s trusted? (Doubt it as that wouldn’t be secure)
  3. Am I overthinking the entire thing? Should I just make the certificate with whatever details and hope for the best?

P.S. I am trying hard to ensure I document my whole process, so when/if I can do this the information can be shared :slight_smile:

1 Like

Isn’t there a four or five figure fee associated with this?

2 Likes

Yep. Scrapping that idea anyways (maybe it’ll be easier in the future lol), but at this point I just want to get it as “certified” and “legit” as I reasonably can as an individual, but I’m not sure if I’m missing anything at present.

Ah, ok. Are you aware that we configure and load an attestation cert that is that already? :thinking:

2 Likes

When I scanned my FlexSecure there was no FIDO2 installed on it :confused:

Is it a generic attestation certificate?

Weird. Maybe yours got missed? Were there any apps installed?

2 Likes

Yes, off the top of my head I know the OTP app was preinstalled, as it worked right away with the Yubico Authenticator app, but no FIDO. I can scan it in GlobalPlatformPro shortly to confirm what else is on there, but there is no FIDO2 unfortunately.

It should be:

Free Memory: helps determine the amount of free space on your device using Apex Manager
    AID: A0000008466D656D6F7279
FIDO2: Act as a Passkey with U2F fallback
    AID: A0000006472F0001
OTP Authenticator: Generate codes in vivo
    AID: A00000052721010141504558
NFC Sharing: Massive, 32kb NDEF container
    AID: D276000085

3 Likes

Here’s what I see using GPP GUI:


I must add also that the FIDO2 applet isn’t in the list of available apps either. Could it be installed but not fully or something?

Appreciate the help so far, thank you :slight_smile:

1 Like

Can you scan your FlexSecure with Apex Manager?

TL;DR, in the GUI app, I filter out some things. FIDO2 is one of them, IIRC, because if you remove it, I don’t have an easy mechanism in place to replace it.

2 Likes

Makes sense, looking at the attestation script it looks complicated!

Here is what I see when scanning with Apex Manager:

Hrm… That doesn’t look promising. I guess last resort is trying the command line tool. Do you have it downloaded?

    gp.exe -l

Assuming Windows.

I’ve got the command line tool :slight_smile: Here are the results:

    APP: A0000008466D656D6F727901 (SELECTABLE)
         Parent:   A000000151000000
         From:     A0000008466D656D6F7279
    APP: A0000005272101014150455801 (SELECTABLE)
         Parent:   A000000151000000
         From:     A00000052721010141504558
    APP: D2760000850101 (SELECTABLE)
         Parent:   A000000151000000
         From:     D276000085
    APP: A000000527200101 (SELECTABLE)
         Parent:   A000000151000000
         From:     A00000052720
    PKG: A0000001515350 (LOADED)
         Parent:   A000000151000000
         Version:  255.255
         Applet:   A000000151535041
    PKG: A0000008466D656D6F7279 (LOADED)
         Parent:   A000000151000000
         Version:  1.0
         Applet:   A0000008466D656D6F727901
    PKG: A00000052721010141504558 (LOADED)
         Parent:   A000000151000000
         Version:  1.2
         Applet:   A0000005272101014150455801
    PKG: A0000006472F00 (LOADED)
         Parent:   A000000151000000
         Version:  0.4
         Applet:   A0000006472F0001
    PKG: D276000085 (LOADED)
         Parent:   A000000151000000
         Version:  1.0
         Applet:   D2760000850101
    PKG: A00000052720 (LOADED)
         Parent:   A000000151000000
         Version:  1.0
         Applet:   A000000527200101
    PKG: A0000006472F0001 (LOADED)
         Parent:   A000000151000000
         Version:  1.1
         Applet:   A0000006472F000101

1 Like

Looks like FIDO. I think the suffix might be throwing Apex Manager. Maybe try this? https://webauthn.io/

2 Likes

No luck! :frowning: Like it doesn’t exist at all. Works with my J3R180, so I know the webpage is working.

1 Like

Grr. Hrm.

Was there a U2F app listed as installable in the GUI/did you try and install it?

I’m just curious what happened. Set up the cards and implants the same way.

I’ll dig through my attestation notes in a bit.

2 Likes

I don’t believe I have tried to install it before. It is listed as available though via the GPP GUI tool :smiley:

1 Like

TL;DR, they have the same AID, so that could have nuked the app. I thought I had put a band-aid on that.

3 Likes
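A check for the AID clash diagnosed above, as an added example (not code from the thread, from Dangerous Things or from GlobalPlatformPro): it parses `gp -l` output and reports whether the FIDO2 applet instance exists and whether any loaded package's AID equals another package's applet AID. The sample listing is constructed from the FIDO2-related entries posted above.

```python
"""Check a GlobalPlatformPro `gp -l` listing for a FIDO2 applet instance and
for package/applet AID collisions. Added example, not the thread's own code."""
import re

# AIDs quoted in the thread: the FIDO2 package and its applet instance.
FIDO2_PKG_AID = "A0000006472F00"
FIDO2_APP_AID = "A0000006472F0001"

def parse_gp_listing(text):
    """apps: instance AID -> package AID ('From'); pkgs: package AID ->
    list of applet module AIDs ('Applet') declared by that package."""
    apps, pkgs, kind, aid = {}, {}, None, None
    for line in text.splitlines():
        m = re.match(r"\s*(APP|PKG):\s+([0-9A-Fa-f]+)", line)
        if m:
            kind, aid = m.group(1), m.group(2).upper()
            if kind == "APP":
                apps[aid] = None
            else:
                pkgs[aid] = []
            continue
        m = re.match(r"\s*(From|Applet):\s+([0-9A-Fa-f]+)", line)
        if m and aid is not None:
            if kind == "APP" and m.group(1) == "From":
                apps[aid] = m.group(2).upper()
            elif kind == "PKG" and m.group(1) == "Applet":
                pkgs[aid].append(m.group(2).upper())
    return apps, pkgs

def find_aid_collisions(pkgs):
    """(package AID, other package AID) pairs where a loaded package's AID
    equals an applet AID of a different package; card AIDs must be unique."""
    return sorted((p, q) for p in pkgs for q, mods in pkgs.items()
                  if p != q and p in mods)

def fido2_status(text):
    apps, pkgs = parse_gp_listing(text)
    return {"package_loaded": FIDO2_PKG_AID in pkgs,
            "instance_present": FIDO2_APP_AID in apps,
            "collisions": find_aid_collisions(pkgs)}

# Constructed sample: the FIDO2-related entries from the listing posted above
# (no APP entry for A0000006472F0001, i.e. the applet is not instantiated).
SAMPLE = """\
PKG: A0000006472F00 (LOADED)
     Version:  0.4
     Applet:   A0000006472F0001
PKG: A0000006472F0001 (LOADED)
     Version:  1.1
     Applet:   A0000006472F000101
"""
```

Running `fido2_status(SAMPLE)` on the real listing shows the package loaded, no instance, and the U2F package AID colliding with the FIDO2 applet AID, which matches the diagnosis in the thread.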

Ouch!

I appreciate it! Hopefully not too hard to fix (fingers crossed)

1 Like

Oh, we’ll just get you through installing the app properly and the attestation generation and loading. Nothing to recover.

2 Likes