Write the object that tells OpenSC that we have 20 retired key slots to the YubiKey. Apparently this makes the OSX Keychain utility crap itself when it sees this, so watch out!
echo -n C10114C20100FE00 | yubico-piv-tool -a write-object --id 0x5FC10C -i -
Generate a new private key, and require a touch on the device to use it.
yubico-piv-tool -a generate -s 8e --touch-policy=always -o public.pem
OpenSC needs there to be a certificate in the slot to go with the private key, even though nobody is ever going to use it...