
You probably don't want a certificate. I mean, first of all the thing you're protecting in an HSM is a private key, not a certificate, but beyond that...

A certificate means now Youporn, your employer, and your bank all share the same way to identify you. As does Facebook, and five thousand shady advertising companies.

Something like WebAuthn / U2F is better here. With this technology sites don't get any meaningful identity, just confirmation that you still have the same token as before. This also means that if you find somebody's token you learn nothing from it: you'll have no idea where to return it and may as well just start using it yourself.
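To make that property concrete, here is an added toy model of a WebAuthn/U2F-style authenticator (example code written for this page, not from the commenter or from any real token): the device holds one seed, derives a separate key pair per relying-party id, and answers a site's challenge with a signature, so two sites' stored public keys never match and the token itself carries no list of sites. The group parameters, site names and challenges are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Toy group for illustration only (constructed here, not from the comment):
# arithmetic mod the Mersenne prime 2^127 - 1 with generator 3.  A real
# authenticator uses an elliptic curve such as P-256 or Ed25519.
P = (1 << 127) - 1
N = P - 1                      # exponents live mod the group order
G = 3

def _h(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big") % N

class Authenticator:
    """Models a roaming token: one device seed, one key pair per relying party."""

    def __init__(self, seed: bytes = b""):
        # The seed is the only persistent state.  It never leaves the device
        # and records nothing about which sites the token was registered with.
        self.seed = seed or secrets.token_bytes(32)

    def _private_scalar(self, rp_id: str) -> int:
        # Derive the per-site key from (seed, rp_id).  One simplified design;
        # the spec only requires that keys are per-RP, not how they are made.
        return _h(hmac.new(self.seed, rp_id.encode(), "sha256").digest()) % (N - 1) + 1

    def register(self, rp_id: str) -> int:
        # The site stores only this public key: its "same token as before" check.
        return pow(G, self._private_scalar(rp_id), P)

    def sign(self, rp_id: str, challenge: bytes) -> tuple:
        # Schnorr signature over the site's challenge, bound to the rp_id.
        x = self._private_scalar(rp_id)
        k = secrets.randbelow(N - 1) + 1
        r = pow(G, k, P)
        e = _h(r.to_bytes(16, "big"), rp_id.encode(), challenge)
        return r, (k + e * x) % N

def verify(rp_id: str, pub: int, challenge: bytes, sig: tuple) -> bool:
    r, s = sig
    e = _h(r.to_bytes(16, "big"), rp_id.encode(), challenge)
    return pow(G, s, P) == (r * pow(pub, e, P)) % P

def linkable(pub_a: int, pub_b: int) -> bool:
    """The correlation a shared client certificate allows: one identifier in two databases."""
    return pub_a == pub_b

if __name__ == "__main__":
    token = Authenticator()
    bank, employer = token.register("bank.example"), token.register("employer.example")
    challenge = secrets.token_bytes(32)
    print("bank accepts:", verify("bank.example", bank, challenge, token.sign("bank.example", challenge)))
    print("bank and employer can correlate:", linkable(bank, employer))
```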
