Hi,
We do have a limitation/requirement on one Keyring per RP service. If you want to have set a different keyring for a specific site, we will have to split it at the listener level.i.e. adding a new listener IP:Port At present SNI based certificate delivery is not an option so we will have to deal this by having different listeners.
Note: If using a different Keyring is not a must and you want all in same listener, we can think of below options too
1) If all RP services belong to same domain, we can have a wildcard cert keyring
or
2) If domains are different, DNS alt-name based certificate will helpful