Custom SSL - how to define per domain?

I'm trying to work out how to add a custom SSL for each router, but I can't work out how traefik can determine what cert if for what router?

An example of one of the routes is;

http:
  routers:
    DOMAIN01:
      rule: "(Host(`domain-01.com`) || Host(`www.domain-01.com`))"
      service: ROUTE1
      tls:
        certResolver: http
        passthrough: true
        domains:
          - main: "domain-01.com"
            sans:
              - "*.domain-01.com"

and the certs.yml is

tls:
  certificates:
    - certFile: "/traefik/data/certs/domain-01.com.cert"
      keyfile: "/traefik/data/certs/domain-01.com.key"
      stores:
        - default
  stores:
    default:
      defaultCertificate:
        certFile: "/traefik/data/certs/default.cert"
        keyFile: "/traefik/data/certs/default.key"

from what I can tell, traefik is ignoring the domain-01.com cert and just adding the default one ( maybe )

am I missing something?

http:
  routers:
    DOMAIN01:
      rule: "(Host(`domain-01.com`) || Host(`www.domain-01.com`))"
      service: ROUTE1
      tls: {}

This would be enough. If the the domain matches a certificate that is loaded and valid it will be used, or it will use the defaultCertificate.