Question regarding digital certificates and keeping the private key safe


Sorry if this question is stupid, just started reading up on PKI and Digital Certificates, also if this post would be better suited somewhere else then please move it. Under the “Digital Certificates” subforum I could not find anything about the “Personal Certificate” that Comodo offers so I’ll just ask here and hope for the best (or that it gets moved).

I am using a Yubikey Neo and the program for configuring it, the Yubikey PIV Management Tool (see links below), and have successfully imported Comodo’s Free Email Cert and deleted the local copy of it (which I downloaded to my computer in order to get it onto my Yubikey), so it now solely exists on my Yubikey (and could, I’m guessing, be reconstructed with forensic programs). The reason being that if someone were to attack my local machine they couldn’t get to my cert and private key.

Now the email cert is “only” good for signing and encrypting emails. Let’s say I want to have a digital certificate that could for instance be used by a local CA for login and also for signing/encrypting email AND have it verified by a trusted root CA, so the trust does not only reside in my organisation or where I have my CA, but create the certificate locally on the Yubikey. Would that be possible?
This way the private key is generated on and never leaves the Yubikey, while I’m guessing the certificate I upload is the public key only?

Another way I guess would be to purchase and download (i.e. create) a personal certificate from Comodo on a LiveCD that, after being powered off for a while, loses the cache of the certificate download (since the Live-CD is cached to the computer’s RAM and the certificate / private key is generated locally)?

Both options raise the question of how the organisation’s CA (local CA) will trust the certificates, since they need to be sent to the local CA and signed by it as well so it works within the organisation.

Sorry if I missed something completely obvious here, feel free to try and point me in the right direction.

For all you guys who are worrying, no, I’m not the head of IT-Security or even employed by a company; I’m trying to figure out good practices and safe management with regards to PKI.
I am a student of IT-Security though, but we haven’t touched upon PKI more than briefly yet.

Thanks in advance for the help!
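The on-token key generation and "two CAs, one key" enrolment the post asks about, as an added example that is not part of the original post or of Yubico's or Comodo's tooling. It uses the `cryptography` library; the `HardwareToken` class is an assumed stand-in for a PIV slot (no real YubiKey is touched), and both CAs are throwaway self-signed CAs constructed inside the script.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

class HardwareToken:
    # Stand-in for a PIV slot (assumption): key generated inside, only public key + signing exposed.
    def __init__(self):
        self._priv = ec.generate_private_key(ec.SECP256R1())  # P-256, as a PIV slot would hold
    def public_key(self):
        return self._priv.public_key()
    def make_csr(self, common_name, email):
        # The CSR carries the public key plus a proof-of-possession signature made on-device.
        subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name),
                             x509.NameAttribute(NameOID.EMAIL_ADDRESS, email)])
        return x509.CertificateSigningRequestBuilder().subject_name(subject).sign(self._priv, hashes.SHA256())
def _builder(subject, issuer, pub):
    now = datetime.now(timezone.utc)
    return (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer).public_key(pub)
            .serial_number(x509.random_serial_number()).not_valid_before(now)
            .not_valid_after(now + timedelta(days=365)))
def make_ca(name):
    # Throwaway self-signed CA, standing in for the public CA or the organisation's local CA.
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)])
    return key, _builder(subject, subject, key.public_key()).sign(key, hashes.SHA256())
def issue(ca_key, ca_cert, csr):
    # CA side: reject a CSR whose proof-of-possession fails, otherwise certify its public key.
    if not csr.is_signature_valid:
        raise ValueError("CSR signature invalid: requester does not hold the private key")
    return _builder(csr.subject, ca_cert.subject, csr.public_key()).sign(ca_key, hashes.SHA256())
def issued_by(cert, ca_cert):
    # Relying-party check: the CA's public key must verify the certificate's signature.
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes, ec.ECDSA(hashes.SHA256()))
        return True
    except InvalidSignature:
        return False
def demo():
    # One key on the token, one CSR, two certificates: each CA certifies the same public key.
    token, checks = HardwareToken(), {}
    csr = token.make_csr("Alice Example", "alice@example.org")  # constructed subject
    for label, ca_name in (("public", "Example Public CA"), ("local", "Example Org Local CA")):
        ca_key, ca_cert = make_ca(ca_name)
        cert = issue(ca_key, ca_cert, csr)
        checks[label] = (cert.issuer.rfc4514_string(), issued_by(cert, ca_cert),
                         cert.public_key().public_numbers() == token.public_key().public_numbers())
    return checks
```

The same CSR is submitted to both CAs, so the private key is generated once and stays on the token while each CA independently certifies the public key it contains; with a real YubiKey the CSR would be produced by the PIV tooling and the returned certificate written back into the slot.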

