There are cases where the existing CryptoService is used only for signing data, i.e. there is no use case for calling generateKeyPair(). One example is Bridge/Float during normal operation after initial registration: it signs plenty of data but never generates any new key pairs.
It is therefore proposed to create a parent interface SignOnlyCryptoService, which will have all the methods except generateKeyPair(), and to use SignOnlyCryptoService whenever possible instead of the more powerful CryptoService, which will also have the option to generate key pairs. CryptoService will therefore extend SignOnlyCryptoService.
Going forward, it would even be possible to create implementations of SignOnlyCryptoService that are simpler than a full CryptoService. E.g. SignOnlyCryptoService will not require x500PrincipalForCerts, as it will never self-sign anything.
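
A sketch of the proposed split, added here as an illustration and not taken from the project's code. The method signatures, the `InMemoryCryptoService` and `MessageSigner` classes, the `identity` alias and the choice of ECDSA are all assumptions; only the two interface names and `generateKeyPair()` come from the proposal.

```kotlin
import java.security.KeyPair
import java.security.KeyPairGenerator
import java.security.PublicKey
import java.security.Signature

// Parent interface: everything except key generation (method set is assumed).
interface SignOnlyCryptoService {
    fun containsKey(alias: String): Boolean
    fun sign(alias: String, data: ByteArray): ByteArray
}

// The full interface adds the single extra capability.
interface CryptoService : SignOnlyCryptoService {
    fun generateKeyPair(alias: String): PublicKey
}

// Hypothetical in-memory implementation, for illustration only.
class InMemoryCryptoService : CryptoService {
    private val keys = mutableMapOf<String, KeyPair>()

    override fun generateKeyPair(alias: String): PublicKey {
        val keyPair = KeyPairGenerator.getInstance("EC").apply { initialize(256) }.generateKeyPair()
        keys[alias] = keyPair
        return keyPair.public
    }

    override fun containsKey(alias: String): Boolean = alias in keys

    override fun sign(alias: String, data: ByteArray): ByteArray {
        val keyPair = keys[alias] ?: throw IllegalArgumentException("No key for alias $alias")
        val signer = Signature.getInstance("SHA256withECDSA")
        signer.initSign(keyPair.private)
        signer.update(data)
        return signer.sign()
    }
}

// A signing-only component depends on the narrow type, so a call to
// crypto.generateKeyPair(...) inside this class does not compile.
class MessageSigner(private val crypto: SignOnlyCryptoService, private val alias: String) {
    fun signMessage(payload: ByteArray): ByteArray = crypto.sign(alias, payload)
}

fun main() {
    val full = InMemoryCryptoService()
    val publicKey = full.generateKeyPair("identity") // one-off registration step
    val payload = "constructed sample payload".toByteArray()
    val signature = MessageSigner(full, "identity").signMessage(payload)
    val verifier = Signature.getInstance("SHA256withECDSA")
    verifier.initVerify(publicKey)
    verifier.update(payload)
    println("signature valid: ${verifier.verify(signature)}")
}
```

The narrowing is enforced by the compiler only: code handed the same object can still downcast it to `CryptoService`. A dedicated sign-only implementation, as the last paragraph suggests, removes the capability at runtime as well.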