For in-the-field deployments of proxies for our sites, we're using servers with TPM2 modules which contain a signed certificate used for our IKEv2 VPNs and other services.

Currently we have a separate certificate just for the Zabbix proxy/agent on these units as they do not support using the TPM for certificates. It would be useful if we could use the same certificate from the TPM as we do with other services, which allows us to reduce the credential theft vector of having a plaintext certificate on disk.