How to limit `set-key-partition-list` to one certificate

TLDR: How can I find make security set-key-partition-list run against a single entry, rather than everything in the keystore? --- I was facing issues with a cipher mismatch with an dotnet/aspnet app and a self signed cert: Eventually I found [this github issue](https://github.com/dotnet/runtime/issues/27132#issuecomment-553048843) , which led me to

log stream --process

Giving:

securityd: [com.apple.securityd:integrity] failure extending partition
 securityd: [com.apple.securityd:security_exception] MacOS error: 32
 securityd: [com.apple.securityd:clientid] code requirement check failed (-67050), client is not Apple-signed
 securityd: [com.apple.securityd:integrity] ACL partition mismatch: client teamid:UBF8T346G9 ACL ("cdhash:71c6a2e36e9b3aa01232049c467ebbad51311b9")

Searching from there gave me [this SO question(!)](https://stackoverflow.com/q/64017267/16505654) , which suggested

sudo security set-key-partition-list -D localhost -S unsigned:,teamid:UBF8T346G9 $(security login-keychain)

And voila, this worked - I can now use this certificate to run the app locally. But, that command ran against ~2489 entries, rather than the 1 that I expected. **So**, how can I find make security set-key-partition-list run against a single entry, rather than everything in the keystore? It seems that security find-key has completely different args that don't seem to match - I either get no results, or ~2489 results. I've even got to the point of spelunking through [the source code](https://opensource.apple.com/source/Security/Security-59306.61.1/SecurityTool/macOS/keychain_find.c.auto.html) to try and figure this out, but I didn't get very far.