
Split mTLS client and CA certificates #54

@3nprob

Description


Currently, the mTLS configuration reads private key + cert + CAs from a single file.

This conflates the client and server CA(s).

  • The local newt cert may be from a different CA than the CAs that should be trusted for remote certs
    • We don't necessarily want to trust our own CA for remote certs
    • We may want to trust remote CAs that have no part in issuing the newt cert

A single-file bundle also very commonly results in misconfiguration: users will believe they need to include the CA for their own cert, as opposed to remote ones.

I suggest breaking up the configuration:

  • Make CA certificate optional in --tls-client-cert file
  • Add new configuration --tls-client-ca (can ideally be configured multiple times / a list to facilitate rotation without downtime)

Alternatively, deprecate tls-client-cert and add separate arguments for cert/key/cas.
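The following is an added example, not code from newt or from this issue's author, showing what the proposed split looks like in Go's standard TLS stack and why it matters: the client identity (`--tls-client-cert`) and the remote trust anchors (`--tls-client-ca`, possibly several) are loaded from separate inputs, the trust pool starts empty rather than inheriting the issuer of the local cert, and two remote CAs can be trusted at once so a rotation has no downtime. `BuildMTLSConfig`, `VerifyServer`, `mint`, `RunScenario`, the CA names and the host `gateway.example` are all hypothetical names constructed for this example; the certificates are minted in memory so it runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// BuildMTLSConfig is a hypothetical helper (not newt's code) for the split the issue
// proposes. Identity = cert PEM + key PEM (pass the same bytes twice for today's single
// file; any CA blocks after the leaf are sent as chain but never trusted). The trust
// store is built ONLY from remoteCAPEMs; several blobs are accepted so the old and the
// new remote CA can overlap during a rotation.
func BuildMTLSConfig(clientCertPEM, clientKeyPEM []byte, remoteCAPEMs [][]byte) (*tls.Config, error) {
	id, err := tls.X509KeyPair(clientCertPEM, clientKeyPEM)
	if err != nil {
		return nil, fmt.Errorf("client identity: %w", err)
	}
	if len(remoteCAPEMs) == 0 {
		return nil, errors.New("at least one remote CA must be configured")
	}
	roots := x509.NewCertPool() // empty pool: the issuer of our own cert is never implied
	for i, p := range remoteCAPEMs {
		if !roots.AppendCertsFromPEM(p) {
			return nil, fmt.Errorf("remote CA #%d: no parseable certificate", i)
		}
	}
	return &tls.Config{Certificates: []tls.Certificate{id}, RootCAs: roots, MinVersion: tls.VersionTLS12}, nil
}

// VerifyServer checks a server cert against cfg.RootCAs the way the handshake would;
// nil means one of the configured remote CAs issued it.
func VerifyServer(cfg *tls.Config, serverCertPEM []byte, host string) error {
	block, _ := pem.Decode(serverCertPEM)
	if block == nil {
		return errors.New("no PEM block in server certificate")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	_, err = cert.Verify(x509.VerifyOptions{Roots: cfg.RootCAs, DNSName: host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}

// entity is a constructed in-memory CA or leaf, so the scenario runs offline.
type entity struct {
	cert            *x509.Certificate
	key             *ecdsa.PrivateKey
	certPEM, keyPEM []byte
}

// mint issues a self-signed CA when parent is nil, otherwise a leaf signed by parent.
func mint(name string, parent *entity, usage x509.ExtKeyUsage) (*entity, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		DNSNames:  []string{name}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{usage},
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		signer, signerKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, err
	}
	cert, _ := x509.ParseCertificate(der)
	keyDER, _ := x509.MarshalECPrivateKey(key)
	return &entity{cert, key,
		pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})}, nil
}

// RunScenario plays out the issue's point: newt's cert is issued by a local CA, two
// remote CAs (old + new, mid-rotation) are the configured trust anchors, and a server
// cert from each of the three issuers is checked. Expected: own=false, old=true, new=true.
func RunScenario() (ownCA, remoteOld, remoteNew bool, err error) {
	mk := func(name string, parent *entity, u x509.ExtKeyUsage) *entity {
		e, mintErr := mint(name, parent, u)
		if mintErr != nil && err == nil {
			err = mintErr
		}
		return e
	}
	local := mk("newt-local-ca", nil, x509.ExtKeyUsageAny)
	old := mk("remote-ca-old", nil, x509.ExtKeyUsageAny)
	nu := mk("remote-ca-new", nil, x509.ExtKeyUsageAny)
	if err != nil {
		return
	}
	client := mk("newt-client", local, x509.ExtKeyUsageClientAuth)
	if err != nil {
		return
	}
	var cfg *tls.Config
	cfg, err = BuildMTLSConfig(client.certPEM, client.keyPEM, [][]byte{old.certPEM, nu.certPEM})
	if err != nil {
		return
	}
	trusted := func(ca *entity) bool {
		srv := mk("gateway.example", ca, x509.ExtKeyUsageServerAuth)
		return err == nil && VerifyServer(cfg, srv.certPEM, "gateway.example") == nil
	}
	a, b, c := trusted(local), trusted(old), trusted(nu)
	return a, b, c, err
}
```

The point the scenario makes visible is that nothing in `BuildMTLSConfig` ever looks at the issuer of the local cert when building `RootCAs`; with today's single-file bundle the same bytes would have to be split by convention, which is exactly the misconfiguration the issue describes.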
