The RBAC system can help protect your certificates by making them non-readable to anything but the processes which need to access them. PaX provides an additional layer of security which meshes well with the RBAC system. The situation can be described as:
You have a system where only apache can access your certificate files. Not only can these certificates be opened by apache, but the contents of the certificates may exist in the memory context of the apache process. A sophisticated attacker who compromises the apache process under a straight MAC/RBAC security system would still be able to exfiltrate those certificates with some amount of shellcode (either by copying the certificates from memory or opening the certificate files and reading them in). PaX removes the attacker's ability to execute arbitrary code, making attacks of this kind of sophistication much more difficult.