YubiHSM2 support requires step-kms-plugin, a plugin for the step CLI. Add it to your $PATH or to $(step path --base)/plugins. See the step-kms-plugin documentation for details.

Once the plugin is installed, step can interface directly with the YubiHSM2.

Here, I generate an extractable key on the HSM:

# I have the Mac library path set.
# For Linux, it would be:
# /usr/lib/x86_64-linux-gnu/pkcs11/yubihsm_pkcs11.so

$ step kms create --extractable \
    --kms "$PKCS_URI" \

The step CLI can also reference this key to generate a CSR:

$ step certificate create "Leaf Certificate" leaf.internal leaf.csr \
    --csr \
    --kms "$PKCS_URI" \
    --key pkcs11:id=7331

And from there, you can sign the CSR with your Certificate Manager authority:

$ step ca sign leaf.csr leaf.crt
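
A pre-flight check for the `$PKCS_URI` value passed to `--kms` in the commands above, as an added example that is not part of the original page or the step project. It assumes the URI carries `module-path` and a PIN attribute (`pin-value` or `pin-source`) as RFC 7512 defines them; the function names and the sample URI are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the step project): lint a PKCS#11 URI (RFC 7512)
# before passing it to `step ... --kms`. Values are used as written, without
# percent-decoding.

# get_attr LIST SEP NAME: print the value of NAME from a SEP-separated list.
get_attr() {
    _old=$IFS; IFS=$2; set -f
    for _kv in $1; do
        case $_kv in
            "$3="*) IFS=$_old; set +f; printf '%s\n' "${_kv#*=}"; return 0 ;;
        esac
    done
    IFS=$_old; set +f
    return 1
}

# lint_pkcs11_uri URI: print one finding per line; status 1 if any finding.
lint_pkcs11_uri() {
    case $1 in
        pkcs11:*) ;;
        *) echo "not-pkcs11-scheme"; return 1 ;;
    esac
    _rest=${1#pkcs11:}
    _path=${_rest%%\?*}                                 # ';'-separated path attributes
    _query=""
    case $_rest in *\?*) _query=${_rest#*\?} ;; esac    # '&'-separated query attributes
    _rc=0
    # An inline PIN is exposed through argv and shell history.
    if get_attr "$_query" '&' pin-value >/dev/null; then
        echo "inline-pin"; _rc=1
    fi
    # The module is the library that receives the PIN; check the file is there.
    if _mod=$(get_attr "$_query" '&' module-path); then
        [ -r "$_mod" ] || { echo "module-not-readable"; _rc=1; }
    fi
    # RFC 7512 defines pin-* and module-* as query attributes, not path ones.
    if get_attr "$_path" ';' pin-value >/dev/null ||
       get_attr "$_path" ';' module-path >/dev/null; then
        echo "query-attr-in-path"; _rc=1
    fi
    return $_rc
}

# Constructed sample: the module path and the PIN are placeholders.
lint_pkcs11_uri 'pkcs11:token=YubiHSM?module-path=/nonexistent/yubihsm_pkcs11.so&pin-value=PLACEHOLDER' || true
```

RFC 7512's `pin-source` query attribute names a location (such as a file) from which the PIN is read, which keeps the PIN itself out of the URI.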