Set up a fresh machine so that a key and certificate stored on a YubiKey can be used to sign X.509 certificate signing requests (CSRs). This is not intended to be used as a CA per se, but rather to achieve something like an offline root CA (the YubiKey) that signs a sub-CA, which can live e.g. in an EJBCA instance or similar.
- https://docs.digicert.com/en/software-trust-manager/client-tools/signing-tools/third-party-signing-tool-integrations/configure-openssl-for-signing-with-pkcs11.html
- https://developers.yubico.com/yubico-piv-tool/
sudo apt install -y openssl libengine-pkcs11-openssl gnutls-bin xxd cmake libtool libssl-dev pkg-config check libpcsclite-dev gengetopt help2man zlib1g-dev build-essential pcscd