HSM/secure element use cases

Hi,

I’m trying to understand the use cases for using a secure element and how that maps to the Certificates and Keys section of the docs.

In the Security section the docs state:

Currently, Mender supports hardware security engines for SSL handshake, mTLS, and authentication request signing

Under Certificates and Keys docs, if I’m understand it correctly there are three components that reside on the server, one on the client, and a separate artifact signing key if used for verification of updates.

The server side:
API Gateway - server.crt/private.key pair self signed or provided by a CA
User Admin - private.key which contains a public key component; used by the server to sign and verify JWTs
Device Auth - private.key which contains a public key component; used by the server to sign and verify JTWs

The client side:
Mender Client - ECC or RSA keypair (default) used to authenticate client with with server during the initial authorization handshake; good use case for HSM storage of private.key

Unless a user is on an enterprise plan and wants mTLS, then there is only that ONE private key that would be stored in the HSM - the Mender Client authentication key (mender-agent.pem)?

SSL Handshake and mTLS are really one in the same, correct?

Or, is there some other private key on the client side that gets automatically generated by Linux/openSSL for the SSL Handshake, even if mTLS is not used?

Thanks, Matt.