0 Replies. Latest reply on Aug 20, 2008 3:23 PM by kosulin

    BaseCertLoginModule (and CertRolesLoginModule) implementatio

    kosulin

      The problem is in how it looks for certificates (the alias must match the subject). In production we can have 2 valid client certificates with an identical "CU...C" sequence just because the first one is going to expire soon (but is still valid), and the client has sent us a new one which is supposed to replace the old one gracefully. The only way to do this with the current JBoss implementation is to delete the old certificate and import the new one, but this requires synchronization with the client side, which is impossible in real life (not to mention that we use a load-balanced cluster which we usually restart sequentially, not concurrently, to achieve 100% availability). Therefore we need a grace period when the server should accept and authenticate both certificates. The easy way would be to rewrite the implementation to search for the proper certificate in all aliases, which might be a bit slower, but much easier to handle.
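The two lookup strategies the post contrasts, as an added illustration that is not JBoss code and not part of the original post: `matchByAliasEqualsSubject` mirrors the alias-must-match-subject behaviour described above, while `matchAcrossAllAliases` walks every alias and matches the presented certificate by its encoded form, so an expiring certificate and its replacement (same subject, different aliases) can both be accepted during a grace period. Class and method names are hypothetical; the trust store path is a placeholder.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

/** Hypothetical helper (not JBoss code) showing the two lookup strategies. */
public final class ClientCertTrustLookup {

    /**
     * Alias-must-match-subject lookup: the single entry stored under an alias
     * derived from the subject DN is the only candidate, so a second certificate
     * with the same subject cannot be trusted at the same time.
     */
    public static boolean matchByAliasEqualsSubject(KeyStore trustStore, X509Certificate presented)
            throws KeyStoreException {
        String alias = presented.getSubjectX500Principal().getName();
        Certificate stored = trustStore.getCertificate(alias);
        return stored != null && stored.equals(presented);
    }

    /**
     * Search every alias; a hit requires byte-for-byte equality of the encoded
     * certificate (X509Certificate.equals), so old and replacement certificates
     * with identical subjects can coexist under different aliases.
     * Returns the matching alias, or null if the certificate is not trusted.
     */
    public static String matchAcrossAllAliases(KeyStore trustStore, X509Certificate presented)
            throws KeyStoreException, CertificateException {
        presented.checkValidity(); // expired / not-yet-valid certificates never match
        Enumeration<String> aliases = trustStore.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            Certificate stored = trustStore.getCertificate(alias);
            if (stored instanceof X509Certificate && stored.equals(presented)) {
                return alias;
            }
        }
        return null;
    }

    /** Loads a JKS trust store; path and password are placeholders. */
    public static KeyStore loadTrustStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) { // e.g. "/path/to/truststore.jks"
            ks.load(in, password);
        }
        return ks;
    }
}
```

The loop in `matchAcrossAllAliases` is what the standard `KeyStore.getCertificateAlias(Certificate)` already does internally, so a login module can delegate to it; the explicit loop is shown here only to make the matching rule visible.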