Instead of loading the certificate into the browser store and all the incompatibilities and annoyances that come with it, I think mtls-cli could be implemented as a PKCS#11 library:
Browsers support using PKCS#11 to load certificates and handle their private key operations.
Last time I looked into this the easiest way to create virtual/custom PKCS#11 devices was libtpm2 (https://github.com/tpm2-software). By using e.g. libtpm2-pkcs11 you could even bind the key to a specific machine, accomplishing a major goal in the zero-trust networking paper.