the certificate management functions need to be changed before the release.
It is not possible to configure certificate/privatekey for a specific endpoint.

I know that you have proposed a workaround for creating subtypes for the certificate types like RSA2048extern, RSA2048intern, but this is really a bad hack. Endpoint selection is no type information.

Assuming you have 5 endpoints and 3 certificate types this would require 15 new subtypes. This just makes no sense and we should avoid such hacks already in the 1st version of the spec. It's not too late.

My recommendation:

• Allow to configure n certificate stores. A store consists of
  • own certificate
  • own private key
  • trust list
  • issuer list
• Allow to configure n endpoints
• Each endpoint can get assigned a specific store

this way (if certificate types allow it) you can create multiple endpoints which use the same store OR you can create a different stores for each endpoint (let the reason be a different identity or a different trustlist configuration)