I believe you cannot. You should rather use a different keystore + truststore pair per deployment environment.
The way you should set up a secure environment is as follows:
On the server
- The Keystore contains the server's identities, which means the server's private key together with all required signing CAs (unless these are part of the global JDK CA Roots)
- The Truststore contains all of the public keys of the certificates of the clients that will be connecting
On the client
- The KeyStore contains the client's identity key. This is different for each client.
- The TrustStore contains the necessary CAs (intermediate and root) needed to validate the server's certificate. This is common to all clients.
With a large number of clients, managing all the certificates and files is going to be quite tricky, so you should probably opt for storing the certificates inside an LDAP directory and automate the generation of the stores.
I'll ask the WildFly team if the security realm authentication can be configured to check certs against an LDAP server directly.
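To make the keystore/truststore split described above concrete, here is an added Java example (not code from the answer above or from WildFly) that loads one keystore + truststore pair per environment, checks that the truststore really holds only trusted certificates and no private keys, and builds an SSLContext from the pair. The directory layout (`conf/<env>/server.p12`, `conf/<env>/truststore.p12`) and the `KEYSTORE_PASS` / `TRUSTSTORE_PASS` environment variables are assumptions for the example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.file.Path;
import java.security.KeyStore;
import java.util.Collections;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/** Builds a TLS context from a keystore/truststore pair selected per deployment environment. */
public final class EnvSslContext {

    private EnvSslContext() {}

    /** Loads a PKCS12 (or JKS) store from disk. */
    static KeyStore load(Path file, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType()); // "pkcs12" on current JDKs
        try (InputStream in = new FileInputStream(file.toFile())) {
            ks.load(in, password);
        }
        return ks;
    }

    /**
     * A truststore should contain only trusted certificate entries. A private key that ends up
     * in it (for instance because someone copied the keystore over it) is a deployment error,
     * so refuse to start rather than silently use it.
     */
    static void requireNoPrivateKeys(KeyStore trust) throws Exception {
        for (String alias : Collections.list(trust.aliases())) {
            if (trust.isKeyEntry(alias)) {
                throw new IllegalStateException("truststore contains a private key under alias '" + alias + "'");
            }
        }
    }

    /**
     * Identity comes from the keystore (private key + signing chain), trust from the truststore
     * (CA or peer certificates only). Keeping them in separate files means rotating an identity
     * never changes what the peer is allowed to trust, and vice versa.
     */
    static SSLContext build(Path keystore, char[] keyPass, Path truststore, char[] trustPass) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(load(keystore, keyPass), keyPass);

        KeyStore trust = load(truststore, trustPass);
        requireNoPrivateKeys(trust);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);

        SSLContext ctx = SSLContext.getInstance("TLSv1.3");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumed layout: one directory per environment (conf/dev, conf/staging, conf/prod),
        // each holding its own server.p12 and truststore.p12. Passwords are read from the
        // environment rather than the command line so they do not appear in process listings.
        String env = args.length > 0 ? args[0] : "dev";
        Path dir = Path.of("conf", env);
        String keyPass = System.getenv("KEYSTORE_PASS");
        String trustPass = System.getenv("TRUSTSTORE_PASS");
        if (keyPass == null || trustPass == null) {
            throw new IllegalStateException("KEYSTORE_PASS and TRUSTSTORE_PASS must be set");
        }

        SSLContext ctx = build(dir.resolve("server.p12"), keyPass.toCharArray(),
                               dir.resolve("truststore.p12"), trustPass.toCharArray());
        System.out.println("Loaded TLS context for environment '" + env + "': " + ctx.getProtocol());
    }
}
```

The stores themselves can be produced with the JDK's `keytool`: `keytool -genkeypair -storetype PKCS12` creates a keystore holding the identity (private key plus certificate), and `keytool -importcert -trustcacerts -storetype PKCS12` adds a CA or peer certificate to a truststore. Running the same two steps once per environment, with a different CA and different identities each time, gives the separate pairs the answer recommends.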