That is a good question, I believe it takes the very first certificate in the keystore chain. Could you log JIRA? If you got insights into how accomplish this, I would like to know, otherwise I would need to do some investigation on this.
A jira issue (https://issues.jboss.org/browse/TEIID-2294) has been opened. I think when looking for the certificate from keystore, we should allow to pass the alias name to lookup the correct certificate.
Looking the jboss AS 7 web https setup, is this key-alias used for looking up the certificate?
<connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
<ssl name="test" key-alias="mycert" password="changeme" certificate-key-file="/opt/test.keystore" protocol="TLSv1" verify-client="false"/>
The fix will be Teiid 8.2 CR2 for this.