Hello @mattwood2000
I have personally used a secure element (ATECC608) to perform authentication of the device. Basically private key from the SE is used to sign payloads of the mender client. Public key is provided as well and will be displayed on the UI. Context was different (MCU) but use case is the same.
I should also point an interesting tutorial: Securing IoT software deployments with Mender and NXP EdgeLock™ SE050 I have not tried this but looks closed to your topics/questions and may help you particularly if you look at openssl integration.
Joel
EDIT: I see this post is quite old, but at least there is an answer/pointer for other people looking the topic.