Up until I wrote this blog post, the tutorials and documentation I have come across regarding the use of Yubikey PIV certificates with Windows all involved having a complete set of private and public keys (generated outside of Yubikey) to be installed on Windows and imported into Yubikey for use. However, Yubikey also provides a more secure option: generating the private key on the Yubikey itself. The advantage of this method is that the private key never leaves the Yubikey, making it impossible for it to be leaked. But in such a case, we don't have a private key to import into Windows, and Windows is unaware of our corresponding digital certificate, so it won't consider our certificate as an available one for signing.
This article will explain how to generate a private key on the Yubikey and associate it with the certificate on Windows, to enable code signing on Windows. Although the purpose of this article is code signing, the association method described in the article also applies to other scenarios that require the use of private keys generated on the Yubikey.