Systemd-journal-upload service cant read ssl key file

I am trying to get one of my VM servers (server1) to connect the systemd-journal-upload service to connect to the systemd-journal-remote service on another VM (server2). I already have multiple other VMs connecting with ssl without issue.

When I start the service on server1 i get the error:

Upload to https://server2:19532/upload failed: error reading X.509 key or certificate file

I checked the working servers and noticed that the systemd-journal-upload user has been added to the ssl-cert group. I added the systemd-journal-upload user on server1 to the ssl-cert group and restarted the service. It then started working.

To me this doesn’t seem to be the best way to handle the keyfile. Shouldn’t the service load the file as root before switching to the systemd-journal-upload user? Is there a better way to set up the service without jeopardizing the private key?