Use separate certificates for signing and decryption.

After creating your certificates, if they remain as self-signed certificates, you can enable automatic certificate rotation. See Certificate rotation.