
Certify using Yubikey

Çağlar Arlı - 18 Views


I just started using a Yubikey 5. I've set up GPG according to this excellent guide, and now I have 3 working ECC key pairs on my Yubikey: Sign/S :: ed25519, Encrypt/E :: cv25519, Authentication/A :: ed25519.

Now I want to use my Yubikey to certify other keys. The private GPG primary key, the only one with Certify/C, is not available on the Yubikey. The other choice is the PIV (smartcard) module; this has 4 keypair slots but no Certify key either (or are C keys only a designation in GPG?). So:

  • Should I use a signing key (from either GPG or PIV) for certification?
  • Or, is certification through a hardware key not advised at all (for some practical security reasons)?

Background: I had the idea of using the PIV module for SSH (which has to be slot 9a: PIV Authentication). Each of the 4 slots needs an X.509 certificate (i.e. a certified keypair). Therefore I need to certify each of the four X.509 certificates, and I wanted Yubikey to do that certification (signing). By using certified SSH keys, I could configure my server to do certificate authentication. It turns out that Yubico's FIDO2 is an easier way to use Yubico for SSH.

Edit: Turns out that Yubico suggests using self signed X.509 certificates for PIV: https://developers.yubico.com/PIV/Guides/SSH_user_certificates.html, that is, they use their generated certificates as the certifier for itself. Does this mean that I could also certify the PIV's 4 certificates (or SSH keys in general) using the Sign/S keypair of my Yubico's GPG module? Which signer would you suggest then?
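The question hinges on which key carries the Certify (C) usage flag and where that key lives: GnuPG will only certify other keys with a key whose own flags include C, and in `gpg -K --with-colons` output field 12 holds the usage flags (lowercase for the key's own, uppercase for the whole key's aggregate) while field 15 shows `#` for an offline stub or the token serial for a card-resident key. The following checker is an added example, not code from the question or from Yubico's guides; the colon-format sample, key IDs and serial number are constructed to mirror the asker's setup.

```python
"""Find which OpenPGP secret key holds the Certify flag and where it is stored."""
from dataclasses import dataclass

# Constructed sample of `gpg -K --with-colons` output (key IDs, serial and
# timestamps are made up): an offline primary that alone carries C, plus
# S/E/A subkeys that live on a token.
SAMPLE_COLON_OUTPUT = """\
sec:u:256:22:0123456789ABCDEF:1700000000:::u:::cESCA:::#::ed25519::
fpr:::::::::00000000000000000000000123456789ABCDEF:
ssb:u:256:22:1111111111111111:1700000000::::::s:::D2760001240100000006000000000000::ed25519::
ssb:u:256:18:2222222222222222:1700000000::::::e:::D2760001240100000006000000000000::cv25519::
ssb:u:256:22:3333333333333333:1700000000::::::a:::D2760001240100000006000000000000::ed25519::
"""

@dataclass
class KeyRecord:
    kind: str       # "sec" (primary) or "ssb" (subkey)
    keyid: str
    caps: str       # this key's own usage flags, lowercase: c, s, e, a
    curve: str
    location: str   # "offline", "card:<serial>" or "local"

def parse_secret_keys(text):
    """Parse sec/ssb records; fpr/grp/uid records are skipped."""
    keys = []
    for line in text.splitlines():
        f = line.split(":")
        if f[0] not in ("sec", "ssb"):
            continue
        # Field 12 mixes the key's own flags (lowercase) with the aggregate
        # flags usable via the whole key (uppercase); keep only its own.
        own = "".join(ch for ch in f[11] if ch.islower())
        serial = f[14]  # field 15: "#" = offline stub, serial = on token
        location = "offline" if serial == "#" else ("card:" + serial if serial else "local")
        keys.append(KeyRecord(f[0], f[4], own, f[16], location))
    return keys

def certify_keys(keys):
    """Keys GnuPG can certify with: those whose own flags include C."""
    return [k for k in keys if "c" in k.caps]

def card_capabilities(keys):
    """Sorted set of usage flags present on token-resident keys, e.g. 'aes'."""
    flags = {ch for k in keys if k.location.startswith("card:") for ch in k.caps}
    return "".join(sorted(flags))

if __name__ == "__main__":
    parsed = parse_secret_keys(SAMPLE_COLON_OUTPUT)
    for k in certify_keys(parsed):
        print(f"certify-capable key {k.keyid} ({k.curve}) is {k.location}")
    print("flags on card:", card_capabilities(parsed))
```

Run against real output with `gpg -K --with-colons | python3 checker.py` after replacing the sample with `sys.stdin.read()`; a result of no certify-capable key on the card means certification must still happen with the offline primary.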