Ultimately, the certificate will be sent using the mechanism in the X509KeyManager used in the SSLContext used by the SSLSocket/SSLEngine used by the client.

The default SSLContext initialises its key manager using the javax.net.ssl.keyStore* system properties. (See this SO answer for the difference between "key store" and "trust store": both use the "keystore" API/storage format.)

The simplest is to configure the JVM running Tomcat, within which your client/webapp is running, with these javax.net.ssl.keyStore* properties. The default SSLContext will pick it up, and it's used by default for HTTPS connections (even 3rd-party HTTPS libraries would tend to use it).

If you need something more specific for particular requests, you may need to alter the webapp code, so as to use a specific keystore (or at least choose a specific certificate) within a given SSLContext for that request.

How you configure the JVM running Tomcat will depend on the launching script. If under Windows, this question should help; otherwise, I suspect there's a line somewhere in catalina.sh where you could set system properties.

If you do configure the global javax.net.ssl.keyStore* for this, this will affect the entire VM, including the connectors. To prevent your Tomcat connectors using that keystore, make sure that the <Connector /> configuration does specify its own keyStore* attributes (so as not to use the values from the system properties).

If there are multiple certificates (with private key) in your keystore, the choice should be made automatically according to the CA list sent by the server within its CertificateRequest message. By default, the key manager will pick up the first certificate it finds in the configured keystore that is issued by a CA in that list (or an intermediate CA). If you need something more specific (in particular if there are multiple valid candidates in your keystore), you'll need to implement your own X509KeyManager, put the logic in chooseClientAlias, initialise an SSLContext with it, and make whatever API making those requests use it.