lokar a day ago

You can probably combine the YubiKey with a TPM:

Keep a CA (constrained to your one identity) with a longish (90 day?) TTL on the TPM. Use it to sign short-lived (16h?) keys from your TPM, and use those as your working key.

palata 16 hours ago | parent [-]

But then why not use the Yubikey directly?

lokar 15 hours ago | parent [-]

If you just need to authenticate a couple of times, you would. For example, if you are just using the cert to get a couple of OAuth tokens.

But if you are making a lot of X.509-authenticated calls directly, then the speed and not needing to touch the key are important. Or if you need to ssh to 10,000 hosts quickly, things like that.
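The layout lokar describes, as an added example that is not part of the thread: a root on the YubiKey signs a 90-day CA held on the TPM, that CA is pinned by an X.509 name constraint to one identity (modelled here as an email SAN, an assumption) and can only issue 16h working certs, and the relying party's check enforces both the short expiry and the constraint. Software Ed25519 keys stand in for the hardware-held keys (a real TPM would hold P-256 or RSA); the names and serials are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue makes a fresh key plus a cert for it signed by signer (self-signed when signer is nil). Software keys stand in for the YubiKey and TPM; in the real setup the private keys never leave them.
func issue(tmpl, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	if signer == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced just above, so it parses
	return cert, key
}

// NewChain builds the YubiKey root and the 90-day TPM CA; a name constraint pins the CA to one identity (an email SAN, assumed here) and pathlen 0 stops it minting further CAs.
func NewChain(now time.Time, identity string) (*x509.Certificate, *x509.Certificate, ed25519.PrivateKey) {
	root, rootKey := issue(&x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "yubikey root"},
		NotBefore: now, NotAfter: now.AddDate(10, 0, 0), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, nil, nil)
	ca, caKey := issue(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "tpm ca"},
		NotBefore: now, NotAfter: now.Add(90 * 24 * time.Hour), IsCA: true, BasicConstraintsValid: true, MaxPathLenZero: true,
		KeyUsage: x509.KeyUsageCertSign, PermittedEmailAddresses: []string{identity}, PermittedDNSDomainsCritical: true}, root, rootKey)
	return root, ca, caKey
}

// WorkingCert has the TPM CA sign a 16h client-auth cert for email (the leaf key is discarded here).
func WorkingCert(ca *x509.Certificate, caKey ed25519.PrivateKey, now time.Time, email string) *x509.Certificate {
	cert, _ := issue(&x509.Certificate{SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "working key"}, EmailAddresses: []string{email},
		NotBefore: now, NotAfter: now.Add(16 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}, ca, caKey)
	return cert
}

// Verify is the relying party's check at time t; the 16h expiry and the CA's name constraint are both enforced.
func Verify(root, ca, leaf *x509.Certificate, t time.Time) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, CurrentTime: t, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}
```

A working cert issued for any other identity, or presented more than 16 hours after issue, fails the same Verify call, which is what makes the TPM CA safe to leave online.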