Once the YubiHSM Key Storage Provider has been installed and configured, the AD CS Certification Authority can be installed.
When the cryptographic provider is configured to "RSA#YubiHSM Key Storage Provider", the private key for the CA will be generated and stored on the connected YubiHSM2 device.
Install the CA with the desired options, either using Server Manager, or PowerShell.
Include the "-CryptoProviderName" parameter and supply "RSA#YubiHSM Key Storage Provider" as the parameter value.
For example:
Install-AdcsCertificationAuthority -CAType EnterpriseRootCa -CryptoProviderName "RSA#YubiHSM Key Storage Provider" -KeyLength 2048 -HashAlgorithmName SHA256 -ValidityPeriod Years -ValidityPeriodUnits 5
On the Cryptography for CA page, under select a cryptographic provider, select "RSA#YubiHSM Key Storage Provider" from the drop down list: