We also correctly ask for a PIN touch after the key is generated (which
does not need it) but before certificate generation (which does if the
touch policy is not "none").
Closesstr4d/age-plugin-yubikey#101.
Includes logic to help users manage their keys:
- If the key is using a default PIN, we require the user to change it.
- We set the PUK equal to the PIN so the user doesn't need to remember
them separately.
- We migrate the default management key to a new PIN-protected key.