SSL configuration without Let's Encrypt

Bear with me as I am trying to configure a slightly unusual setup. I am not routing to Docker containers or a k8s cluster. This configuration is defined 'statically' via files and load balancers to instances.

I have a wildcard self-signed certificate (e.g. * that I make use of via the file provider sitting within the default TLS store. I can reference this certificate implicitly from my configuration and it is correctly applied to all my router/Host definitions.

      certFile = "./example.crt"
      certKey = "./example.key"

With this in place, I have no other TLS configuration around my routers/middleware/services.

Now I have a requirement that one of my routers (i.e. with a rule specific to one host, e.g. needs to use a wildcard certificate for the same domain, but signed by an external CA, so a different cert/key pair but issued to * and signed externally and paid for.

I've gone through the TLS documentation and I can't figure out if it is possible to configure for this situation or, if so, how to do it. I had thought that setting up two TLS stores and making the specific router reference the TLS cert from that store would work, but it seems that actually there is only a single global store? From the docs:

"Any store definition other than the default one (named default) will be ignored, and there is therefore only one globally available TLS store."

Can anyone suggest an approach that might work to cover this situation?