Signing/certifying keys as a YubiKey user

Question

After using a yubikey on a day-to-day basis for almost a year, I decided that it was about time to learn how to certify my friends' keys.

I was surprised to learn that one can only sign keys using their master key since it would mean that I would have to import said private key onto my computer every time I want to sign a key, which seems to be a large security risk in comparison to using a yubikey's subkey smartcard features.

What is the best way to securely sign keys when your master key is typically in (air-gapped) cold storage?

Is it possible to certify keys with a subkey?
I don't know how, but I believe I did this last month (I have the signed key on my desktop, generated last month but I haven't touched my master key in over a year), although the SE question linked above is making me question myself.

Just to review, here's an overview of my setup, which I assume is pretty standard:

• master (private) key in cold storage (encrypted)
• yubikey allows for easy gpg operations while not permitting direct access to the private (sub)keys

I plan to signs on a roughly monthly basis and while I prefer convenience, for me security is more important.

Here are some ideas I have:

• dedicate a raspberry pi (or something similar) to key signing
• tinker with low-level PGP settings to try to get a subkey with the certify ability
• generate another pgp keyset specifically for certifying keys and sign that key with my existing master keys. I already have two master keys (each for a different yubikey) so a third might be a bit of a hassle
• use the weaker (2048 bit) of my two master keys for certifying keys, keeping it encrypted but on my computer

Answer 1

I think it's first of all important to understand that in GnuPG "subkeys" are just sets of fully independent keys that have capabilities assigned to them: a signing key is artificially limited to be only be able to do signing operations. The certification key is just as much of a subkey as the signing key -- there's really nothing that makes it extra special. We only call it the "master" key by convention, and it is often confusing to people (e.g. in the physical world a "master" key is able to unlock all locks, so many users expect their GnuPG "master" key to be able to decrypt messages encrypted to the "E" subkey). The certification (C) key is just another key that can indicate relationship between your identities and other keys belonging to you. Understanding that lets you better understand why the answer to the following question is "you do it already, with your 'C' subkey":

Is it possible to certify keys with a subkey?

So, can you put your "C" subkey onto the smartcard? Yes, I believe 2.1+ versions of GnuPG make it fairly easy to put your C key into the "S" slot of the smartcard. With some extra tweaking, you can even have your keys on multiple smartcards, though you may run into corner cases with weird behaviour.

Having a dedicated off-the-network system for certifying keys is common practice, though few people go through the trouble of setting it up. All the mechanisms you mention are fine for that purpose, and I'll let you pick the one that suits you best.