encryption – Can I generate and store keys on my Yubico?

The keys used in U2F are generated by the device itself; you can't do it yourself. Yubico's Developer webpage explains it very clearly. In short, take a look at the graph below.

[Image: U2F Private Key Generation Description]

The Device Secret is generated in the manufacturing phase. As far as I know, this secret can't be changed by a software tweak. The AppID is equal to the web service URL. At the time of generation, an integrated RNG generates a Nonce, which is fed into an HMAC-SHA256 together with the AppID, keyed with the device secret; the output is the private key. Then the private key and the AppID are fed into the HMAC function again, and the output concatenated with the nonce becomes the key handle. The public key is generated from the private key and is sent together with the key handle to the web service.

This is the part about code signing and the key to do it. Yes, you can generate a private key on your own machine and upload it to the YubiKey. Take a look at Yubico's PIV explanation, especially the articles under Introduction/Certificate slots, Tools/YubiKey PIV Manager (if you use Windows) and Guides.

Yubico is a bit lacking in explaining this part, so I found a great GitHub repo by drduh which contains a full explanation of how to use OpenPGP with a YubiKey.
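The U2F derivation described in the answer above (device secret, AppID, nonce, HMAC-SHA256, key handle, public key), worked through as an added example; this is not code from the answer, from Yubico, or from the drduh guide. It assumes the nonce and private key are appended to the AppID inside the HMAC, that the HMAC output is reduced modulo the P-256 group order to get a valid scalar, and that the key handle is laid out as MAC tag followed by nonce; Yubico's real firmware may order these fields differently. The curve arithmetic is a plain affine P-256 implementation included so the public key can be computed with the standard library only. The security point it makes visible is on the authentication side: a key handle is only accepted when it re-derives and re-authenticates under the same device secret and the same AppID, so a handle registered for one origin, or on another device, is rejected.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# NIST P-256 domain parameters (the curve U2F key pairs live on).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

Point = Optional[Tuple[int, int]]  # None stands for the point at infinity


def ec_add(p1: Point, p2: Point) -> Point:
    """Affine point addition/doubling on P-256 (textbook formulas)."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None  # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def ec_mul(k: int, pt: Point) -> Point:
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    result: Point = None
    addend = pt
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def _u2f_mac(device_secret: bytes, app_id: bytes, data: bytes) -> bytes:
    # Assumption: HMAC-SHA256 keyed with the device secret over AppID || data.
    return hmac.new(device_secret, app_id + data, hashlib.sha256).digest()


def derive_private_key(device_secret: bytes, app_id: bytes, nonce: bytes) -> int:
    """Private key = HMAC(device_secret, AppID || nonce), reduced into [1, N)."""
    d = int.from_bytes(_u2f_mac(device_secret, app_id, nonce), "big") % N
    if d == 0:
        raise ValueError("derived scalar is zero; retry with a fresh nonce")
    return d


def make_key_handle(device_secret: bytes, app_id: bytes, d: int, nonce: bytes) -> bytes:
    """Key handle = HMAC(device_secret, AppID || private_key) || nonce (assumed layout)."""
    tag = _u2f_mac(device_secret, app_id, d.to_bytes(32, "big"))
    return tag + nonce


def public_key_bytes(d: int) -> bytes:
    """Uncompressed SEC1 encoding (0x04 || X || Y) of d*G, as U2F sends it."""
    x, y = ec_mul(d, G)
    return b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big")


def register(device_secret: bytes, app_id: bytes, nonce: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Registration: the device returns (key_handle, public_key) and stores nothing."""
    nonce = os.urandom(32) if nonce is None else nonce
    d = derive_private_key(device_secret, app_id, nonce)
    return make_key_handle(device_secret, app_id, d, nonce), public_key_bytes(d)


def recover_private_key(device_secret: bytes, app_id: bytes, key_handle: bytes) -> Optional[int]:
    """Authentication: re-derive the key from the handle; None if the handle is not
    ours or was registered for a different AppID (the anti-phishing check)."""
    if len(key_handle) != 64:
        return None
    tag, nonce = key_handle[:32], key_handle[32:]
    d = derive_private_key(device_secret, app_id, nonce)
    expected = _u2f_mac(device_secret, app_id, d.to_bytes(32, "big"))
    if not hmac.compare_digest(tag, expected):
        return None
    return d


def on_curve(pub: bytes) -> bool:
    """Sanity check a relying party can run on a received public key."""
    if len(pub) != 65 or pub[0] != 4:
        return False
    x = int.from_bytes(pub[1:33], "big")
    y = int.from_bytes(pub[33:], "big")
    return (y * y - (x ** 3 + A * x + B)) % P == 0


if __name__ == "__main__":
    secret = b"\x11" * 32            # constructed stand-in for the factory device secret
    app = b"https://example.com"     # constructed AppID
    handle, pub = register(secret, app)
    print("key handle:", handle.hex())
    print("public key on curve:", on_curve(pub))
    print("same AppID accepted:", recover_private_key(secret, app, handle) is not None)
    print("other AppID rejected:", recover_private_key(secret, b"https://other.example", handle) is None)
```

Because the device keeps no per-site state, it can serve an unlimited number of registrations; everything it needs is recomputed from the handle, the AppID and the factory secret, which is also why that secret cannot be exported or replaced by software.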