Link HttpService to a SslManagerService instead of a KeystoreService #5875

@pintify


Is your feature request related to a problem? Please describe.
The HttpService uses a KeystoreService both to create the HTTPS endpoint and accept and authenticate when a certificate is forced for the user. However, the default format (PKCS12) can hardly differentiate a trusted certificate or a private key if both of them are signed by the same CA (which is my only alternative since I only have access to one CA), so the removal or update of one of them may affect the other.

Describe the solution you'd like
The common solution to manage this is to separate the truststore and the keystore. Such a feature is already implemented through the SslManagerService. That service also includes advanced features regarding SSL connections, such as revocation mode, which can be useful to configure the HttpService or even reduce the configuration in the service itself by keeping them in the SslManagerService. I think it would be better to link the HttpService to a SslManagerService instead of a KeystoreService to allow this.

Describe alternatives you've considered
For the issue described in this request, the best solution is to migrate to a JKS keystore, which depends on a licensed format but manages such collisions more clearly. However, the solution described would have some additional advantages over this workaround.

Additional context
This was initially discussed here
