I plan to use the TPM to generate CSRs backed by a private key stored on the TPM. The CSRs will then be signed by an external HSM.
Since a certificate is tied to a particular private key, how do you support multiple users on the same laptop on the assumption that each user has a different certificate?
For example, can you have multiple private keys stored on the TPM? Each for a different user?