Wednesday, October 27, 2021

Cloud Security: Certificate Management Using vTPMs

Virtual TPMs (vTPMs) are generally available for virtual machines running under, e.g., OpenStack/KVM and VMware/ESXi. The vTPM files are stored on the hypervisor's filesystem, which represents an invitation for a better solution, but the security of these files is a whole separate topic that we won't discuss in this post.

Certificate management for virtual machines can be an arduous process that, in the worst case, results in the credentials needed for certificate renewals being hard-coded into images. We therefore propose that the hypervisor instead be used to inject an AK (Attestation Key) and a signed CA certificate into the vTPM. The private key and client certificate, once extracted, can then be used with OpenSSL v3.0's support for CMPv2 to automate certificate renewals.
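A sketch of what the automated renewal step could look like inside the VM, as an added example that is not taken from the proof of concept. It assumes the key and certificate have already been extracted to files; the paths, the CMP server address, the 30-day window and the P-256 key type are all placeholders.

```shell
#!/bin/sh
# Added example: renew the VM's client certificate over CMPv2 (OpenSSL >= 3.0)
# when it nears expiry. All paths and the server address are assumptions.
CERT="${CERT:-/etc/pki/vm/client.crt}"      # client certificate (already extracted)
KEY="${KEY:-/etc/pki/vm/client.key}"        # matching private key
CA_CERT="${CA_CERT:-/etc/pki/vm/ca.crt}"    # trust anchor for the CMP server's reply
CMP_SERVER="${CMP_SERVER:-cmp.example.internal:8080/pkix/}"   # placeholder
RENEW_DAYS="${RENEW_DAYS:-30}"

# Returns 0 if the certificate expires within RENEW_DAYS days, 1 if it does
# not, and 2 if the file is unreadable or not a certificate. A broken file is
# an error to alert on, not a silent trigger for renewal.
renewal_due() {
    openssl x509 -in "$1" -noout >/dev/null 2>&1 || return 2
    if openssl x509 -in "$1" -noout -checkend "$((RENEW_DAYS * 86400))" >/dev/null; then
        return 1
    fi
    return 0
}

# CMP key update request (kur): the current certificate and key authenticate
# the request, so no enrollment secret has to be baked into the image.
renew() {
    umask 077
    new_key="$KEY.new"; new_cert="$CERT.new"
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
        -out "$new_key" || return 1
    if ! openssl cmp -cmd kur -server "$CMP_SERVER" -trusted "$CA_CERT" \
            -cert "$CERT" -key "$KEY" -oldcert "$CERT" \
            -newkey "$new_key" -certout "$new_cert"; then
        rm -f "$new_key" "$new_cert"    # keep the working credential on failure
        return 1
    fi
    # Swap in the new pair only after the server returned a certificate.
    mv "$new_key" "$KEY" && mv "$new_cert" "$CERT"
}

main() {
    renewal_due "$CERT"
    case $? in
        0) renew ;;
        1) echo "certificate still valid for more than $RENEW_DAYS days" ;;
        *) echo "cannot read $CERT" >&2; return 2 ;;
    esac
}

# Runs only when invoked as: sh renew.sh --run (e.g. from a timer or cron job).
if [ "${1:-}" = "--run" ]; then main; fi
```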

The vTPM is a convenient bridge between the hypervisor and the virtual machine, especially in an evolving environment in which confidential computing will make the virtual machine inaccessible to the host. The host attaches the vTPM to the virtual machine separately, so it sits within a separate security perimeter that will remain accessible to both the hypervisor and the virtual machine, though not simultaneously.

Check out our proof of concept on GitHub, with step-by-step instructions for DevStack, the dev version of OpenStack.