diff --git a/fido2/ctap.c b/fido2/ctap.c
index 497dbb8..8923736 100644
--- a/fido2/ctap.c
+++ b/fido2/ctap.c
@@ -630,11 +630,17 @@ int ctap_calculate_signature(uint8_t * data, int datalen, uint8_t * clientDataHa
 uint8_t ctap_add_attest_statement(CborEncoder * map, uint8_t * sigder, int len)
 {
 int ret;
-
+ uint8_t cert[1024];
+ uint16_t cert_size = device_attestation_cert_der_get_size();
+ if (cert_size > sizeof(cert)){
+ printf2(TAG_ERR,"Certificate is too large for CTAP2 buffer\r\n");
+ return CTAP2_ERR_PROCESSING;
+ }
+ device_attestation_read_cert_der(cert);
+
 CborEncoder stmtmap;
 CborEncoder x5carr;
-
 ret = cbor_encode_int(map,RESP_attStmt);
 check_ret(ret);
 ret = cbor_encoder_create_map(map, &stmtmap, 3);
@@ -657,7 +663,7 @@ uint8_t ctap_add_attest_statement(CborEncoder * map, uint8_t * sigder, int len)
 ret = cbor_encoder_create_array(&stmtmap, &x5carr, 1);
 check_ret(ret);
 {
- ret = cbor_encode_byte_string(&x5carr, attestation_cert_der, device_attestation_cert_der_get_size());
+ ret = cbor_encode_byte_string(&x5carr, cert, device_attestation_cert_der_get_size());
 check_ret(ret);
 ret = cbor_encoder_close_container(&stmtmap, &x5carr);
 check_ret(ret);
diff --git a/fido2/device.h b/fido2/device.h
index e0919ea..ae9ac6a 100644
--- a/fido2/device.h
+++ b/fido2/device.h
@@ -199,9 +199,12 @@ int device_is_nfc();
 */
 uint8_t * device_get_attestation_key();
-/** Pointer to a ASN.1/DER encoded byte array of the attestation certificate.
+/** Read the device's attestation certificate into buffer @dst.
+ * @param dst the destination to write the certificate.
+ *
+ * The size of the certificate can be retrieved using `device_attestation_cert_der_get_size()`.
 */
-extern const uint8_t * attestation_cert_der;
+void device_attestation_read_cert_der(uint8_t * dst);
 /** Returns the size in bytes of attestation_cert_der.
 * @return number of bytes in attestation_cert_der, not including any C string null byte.
diff --git a/fido2/u2f.c b/fido2/u2f.c
index 4a3b1d1..367602b 100644
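Review bot: In fido2/ctap.c, `uint8_t cert[1024]` in ctap_add_attest_statement repeats a size literal that also appears in u2f_register (fido2/u2f.c), and nothing ties either array to what device_attestation_read_cert_der actually writes. A shared constant in device.h, for example `#define ATTESTATION_CERT_MAX_SIZE 1024` (suggested name), used for both arrays and both size checks would keep the callers and the callee in agreement. The buffer also adds 1 KB of stack to each call path; whether the target's stack budget allows that is not visible here and is worth confirming. The function body continues beyond this hunk.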
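Review bot: In the second fido2/ctap.c hunk, the encode call queries `device_attestation_cert_der_get_size()` again instead of using the `cert_size` that was bounds-checked against `sizeof(cert)` at the top of the function, so the validated length and the encoded length come from two separate reads. Passing the checked value keeps them identical by construction: `ret = cbor_encode_byte_string(&x5carr, cert, cert_size);`. The enclosing function starts and ends outside this hunk.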
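Review bot: In fido2/device.h, the new doc comment for device_attestation_read_cert_der does not say how large `dst` must be, and the declaration takes no length, so the bound is left entirely to each caller. I would add a line such as `* @param dst buffer of at least device_attestation_cert_der_get_size() bytes; the caller must check that size against its buffer first.` The comment on the following declaration still reads "size in bytes of attestation_cert_der", which names the symbol this hunk removes, and should refer to the attestation certificate instead.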
--- a/fido2/u2f.c
+++ b/fido2/u2f.c
@@ -299,7 +299,7 @@ static int16_t u2f_authenticate(struct u2f_authenticate_request * req, uint8_t c
 static int16_t u2f_register(struct u2f_register_request * req)
 {
 uint8_t i[] = {0x0,U2F_EC_FMT_UNCOMPRESSED};
-
+ uint8_t cert[1024];
 struct u2f_key_handle key_handle;
 uint8_t pubkey[64];
 uint8_t hash[32];
@@ -308,6 +308,11 @@ static int16_t u2f_register(struct u2f_register_request * req)
 const uint16_t attest_size = device_attestation_cert_der_get_size();
+ if (attest_size > sizeof(cert)){
+ printf2(TAG_ERR,"Certificate is too large for buffer\r\n");
+ return U2F_SW_INSUFFICIENT_MEMORY;
+ }
+
 if ( ! ctap_user_presence_test(750)) {
 return U2F_SW_CONDITIONS_NOT_SATISFIED;
@@ -341,7 +346,8 @@ static int16_t u2f_register(struct u2f_register_request * req)
 u2f_response_writeback(i,1);
 u2f_response_writeback((uint8_t*)&key_handle,U2F_KEY_HANDLE_SIZE);
- u2f_response_writeback(attestation_cert_der,attest_size);
+ device_attestation_read_cert_der(cert);
+ u2f_response_writeback(cert,attest_size);
 dump_signature_der(sig);
diff --git a/targets/stm32l432/src/attestation.c b/targets/stm32l432/src/attestation.c
index 90de4d0..0e5ab53 100644
--- a/targets/stm32l432/src/attestation.c
+++ b/targets/stm32l432/src/attestation.c
@@ -5,8 +5,11 @@
 // http://opensource.org/licenses/MIT>, at your option. This file may not be
 // copied, modified, or distributed except according to those terms.
 #include
+#include
 #include "crypto.h"
 #include "memory_layout.h"
+#include "device.h"
+#include "sense.h"
 const uint8_t attestation_solo_cert_der[] =
@@ -96,7 +99,6 @@ const uint8_t attestation_hacker_cert_der[] =
 const uint16_t attestation_solo_cert_der_size = sizeof(attestation_solo_cert_der)-1;
 const uint16_t attestation_hacker_cert_der_size = sizeof(attestation_hacker_cert_der)-1;
-const uint8_t * attestation_cert_der = ((flash_attestation_page *)ATTESTATION_PAGE_ADDR)->attestation_cert;
 uint8_t * device_get_attestation_key(){
 flash_attestation_page * page =(flash_attestation_page *)ATTESTATION_PAGE_ADDR;
@@ -107,3 +109,22 @@ uint16_t device_attestation_cert_der_get_size(){
 uint16_t sz = (uint16_t)((flash_attestation_page *)ATTESTATION_PAGE_ADDR)->attestation_cert_size;
 return sz;
 }
+
+void device_attestation_read_cert_der(uint8_t * dst){
+ const uint8_t * der = ((flash_attestation_page *)ATTESTATION_PAGE_ADDR)->attestation_cert;
+ uint16_t sz = device_attestation_cert_der_get_size();
+ memmove(dst, der, sz);
+
+ // Overwrite respective x509 fields if Tap or Somu.
+ if (memcmp(dst + 0x2c6, "\xea\x09\x15\x6c\x86\x48\x57\x2a\xa8\x8d", 10) == 0){
+ if (device_is_nfc()){
+ dst[0x2a3] = 0x89;//tap aaguid byte
+ memmove(dst + 0xac, "\x34\x33\x38\x5a\x18\x0f\x32\x30\x36\x39\x31\x31\x31\x38\x31\x39\x32\x34\x33\x38", 20);//tap-id
+ memmove(dst + 0x2c5, "\x6d\x7b\x41\x2b\xff\x57\xf0\x03\xbd\x5b\x39\x4a\xf7\xa9\x2d\x6d\xcb\x9e\x2d\x88\xbf\xb3\x93\xc5\x66\x3b\xd1\xbc\x34\xfa\x5c\x4c\x02\x20\x59\x01\x49\x39\x1b\xb7\xa9\x1c\xed\x49\x78\x4f\x92\xa9\x61\x14\xa5\x6e\x96\x3f\x29\x02\x93\xe0\x5d\xe2\x75\xd0\x60\xd9\x74\xc2", 66);//tap-sig
+ } else if (tsc_sensor_exists()) {
+ dst[0x2a3] = 0x98;//somu aaguid byte
+ memmove(dst + 0xac, "\x35\x30\x32\x5a\x18\x0f\x32\x30\x36\x39\x31\x31\x31\x38\x31\x39\x32\x35\x30\x32", 20);//somu-id
+ memmove(dst + 0x2c5, "\x4d\x08\xc8\x9d\xc4\x50\x49\x70\x48\x4d\xd0\x12\xd9\x7c\x62\x5e\x6b\xd3\x84\xd5\x36\x42\xfe\x86\x8e\x7a\x23\x59\xa0\x20\xf0\xc5\x02\x20\x5f\x70\x93\x61\x5a\xe4\x20\xcf\xb9\x8a\xf5\xdd\x87\xd0\x48\x6d\x7d\x59\xef\x9e\x0e\x11\xa3\x8e\xf7\xe3\xe2\xf5\x35\x37\x99\x1a", 66);//somu-sig
+ }
+ }
+}
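Review bot: device_attestation_read_cert_der compares and patches at fixed offsets without checking that the certificate is long enough: `memcmp(dst + 0x2c6, …, 10)` runs for any `sz`, and the writes reach `dst + 0x2c5 + 66` (0x307 bytes). For a certificate shorter than that, the compare reads bytes of the caller's buffer that were never copied, and a match would write past the certificate's end; the function cannot bound this itself because it is given no capacity for `dst`. A guard right after the first `memmove`, `if (sz < 0x2c5 + 66) return;`, keeps the patching to certificates that contain those fields. Named constants for 0xac, 0x2a3 and 0x2c5, with a comment saying which certificate field each addresses and why the signature bytes are replaced together with the id, would make the patch auditable.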