Instead of using a CA, why not set the key's PIN policy to "once" and use an agent (e.g. https://github.com/FiloSottile/yubikey-agent/) that holds an active session to the YubiKey? You start the agent at the beginning of the day, enter the PIN once, and then stop the agent at the end of the day.
Wanted to avoid having the key in the USB slot all the time. I have the version that sticks out and I carry it on my key chain. So it's easy to break in a laptop.