
Add support for YubiKey PIV to step for offline signing (i.e. SSH certs)

Open • mshamash opened this issue 5 years ago • 1 comment

What would you like to be added

As per the title, I think it'd be nice to have YubiKey support in step like there is in step-ca, so that keys can be loaded from PIV slots for signing requests. I've been following the DIY SSO for SSH guide smallstep posted on their blog, and I would like to have my secondary/offline "backup" CA (in case my main SSH cert CA is offline/unreachable) use some keys I store on my YubiKey's PIV slots for signing.

I realize this feature in step-ca is in beta, but I'm hoping that it could be added to step for use cases such as these.

After initializing my offline CA on my local machine with step init --ssh --no-db, and after editing the ca.json file to include my YubiKey's PIV slots for the corresponding SSH keys, I'd ideally be able to run step ssh certificate --offline --principal=michael [email protected] my_key to generate an SSH key offline and add it to my SSH agent.

Why this is needed

It is useful to store the CA's private keys for signing on the YubiKey's PIV slots for extra security.

mshamash, Jan 09 '21 22:01
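For reference, this is roughly what the ca.json edit described in the post above looks like when step-ca's YubiKey KMS is configured. It is an added illustration, not part of the original issue and not a file shipped by smallstep: the file paths, the choice of PIV slots (9c for the X.509 intermediate key, the retired slots 82 and 83 for the SSH host and user CA keys) and the placeholder PIN are assumptions chosen for the example, and the key-URI form "yubikey:slot-id=NN" together with the "kms" block is what step-ca's documented YubiKey support reads. As the maintainer reply below notes, the step CLI's --offline mode did not at the time go through this KMS interface, so step-ca would load these keys but step ssh certificate --offline would not.

```json
{
  "root": "/home/michael/.step/certs/root_ca.crt",
  "crt": "/home/michael/.step/certs/intermediate_ca.crt",
  "key": "yubikey:slot-id=9c",
  "kms": {
    "type": "yubikey",
    "pin": "123456"
  },
  "ssh": {
    "hostKey": "yubikey:slot-id=82",
    "userKey": "yubikey:slot-id=83"
  }
}
```

JSON has no comment syntax, so the assumptions are stated in the paragraph above rather than inline: replace the paths with the ones step init wrote, and do not leave a real PIN in a world-readable ca.json. With --no-db, as in the post, there is no "db" section, which is why none appears here. The point of the fragment is that every private key is referenced by a slot URI rather than a file path; the private material never leaves the YubiKey, which is the "extra security" the issue asks for.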

Hi @mshamash. This is currently on our roadmap; we need to replace all or most of the sign methods that the CLI does with the KMS interface implemented in step-ca. We want to start with step ca init, step certificate create and step certificate sign. I cannot promise anything, but I think this is going to be a priority soon.

maraino, Jan 26 '21 18:01