
We had a working setup using multiple domains sharing a certificate. But now the setup is changed to use different certificates for the different domains.

<Server>

<!-- other non-changed stuff -->

<Service name="Catalina">

<Connector port="80" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="443" />

<Connector
    port="443" 
    clientAuth="false"
    protocol="org.apache.coyote.http11.Http11NioProtocol"
    maxThreads="200"
    enableLookups="false"
    SSLEnabled="true" 
    scheme="https" 
    secure="true" 
    defaultSSLHostConfigName="stuff.company.com">

    <SSLHostConfig hostName="stuff.company.com">
        <Certificate 
            certificateKeyAlias="stuff"
            certificateKeystoreType="JKS"
            certificateKeystoreFile="/conf/certs/stuff.company.com.jks" 
            certificateKeystorePassword="[redacted]" 
            certificateKeyPassword="[redacted]"
            type="RSA"
        />
    </SSLHostConfig>
    <SSLHostConfig hostName="things.company2.com">
        <Certificate 
            certificateKeystoreFile="conf/certs/things.company2.com.jks" 
            certificateKeystorePassword="[redacted]" 
            certificateKeyPassword="[redacted]"
            type="RSA"
        />
    </SSLHostConfig>
</Connector>

<Engine>

<Host name="stuff.company.com" appBase="webapps/stuff-company-com">
    <Context path="" cookies="false" docBase=""/>
    <Alias>stuff.company.com</Alias>

    <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
       prefix="stuff.company.com_access_log." suffix=".txt"
       pattern="%h %l %u %t &quot;%r&quot; %s %b" />
  </Host>

  <Host name="things.company2.com" appBase="webapps/things-company2-com">
    <Context path="" cookies="false" docBase=""/>
    <Alias>things.company2.com</Alias>
    <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
       prefix="things.company2.com_access_log." suffix=".txt"
       pattern="%h %l %u %t &quot;%r&quot; %s %b" />
  </Host>


</Engine>
</Service>
</Server>

Notes:

  1. It does not seem to matter whether there is a / before conf in certificateKeystoreFile or not.
  2. Between the config of the Connector with the certificate information and the Host parts there are things like Realm and Engine. These are not changed since the previous working setup.
  3. No changes were made in the section between now and the previously working setup.
  4. If we relax the rules, the hosts are reachable over HTTP, but not reachable at all over HTTPS.
  5. Version of Tomcat is 8.5.53 (latest available at the time of writing).
  6. Windows Server 2012 is the OS.
Ghwomb

1 Answer


We changed clientAuth (deprecated) to certificateVerification (the current way of doing things), which prevents all the problems that can emerge from "If this SSLHostConfig element is not explicitly defined, it will be created", as has been discussed elsewhere on Stack Overflow.

The lesson learned is probably to first make sure everything is ported to the new way of doing things, in this case the new way of setting up a Connector, and only after that proceed with whatever feature should be implemented.

Ghwomb
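As an added example (not part of the original question or answer), here is the port 443 Connector from the question rewritten the way the answer describes. The deprecated clientAuth attribute is removed from the Connector and its current equivalent, certificateVerification="none" (clientAuth="false" maps to none, "want" to optional and "true" to required), is set on each SSLHostConfig. With no legacy SSL attribute left on the Connector, Tomcat no longer has to build the default SSLHostConfig implicitly, so there is nothing for the explicit <SSLHostConfig hostName="stuff.company.com"> to collide with. The keystore paths are the ones from the question; the passwords and the key alias for the second keystore are placeholders, not values from the post.

```xml
<!-- Tomcat 8.5 server.xml fragment: one TLS Connector serving two SNI host names
     with separate keystores. Added example, not the poster's final configuration. -->
<Connector
    port="443"
    protocol="org.apache.coyote.http11.Http11NioProtocol"
    maxThreads="200"
    enableLookups="false"
    SSLEnabled="true"
    scheme="https"
    secure="true"
    defaultSSLHostConfigName="stuff.company.com">
    <!-- No clientAuth, keystoreFile, sslProtocol or other pre-8.5 SSL attributes
         on the Connector itself: any of them makes Tomcat create the default
         SSLHostConfig implicitly, which then clashes with the explicit element
         of the same hostName below. -->

    <!-- Used when the client's SNI is stuff.company.com, and also as the fallback
         for clients that send no SNI at all (defaultSSLHostConfigName). -->
    <SSLHostConfig hostName="stuff.company.com"
                   certificateVerification="none"
                   protocols="TLSv1.2">
        <Certificate
            certificateKeystoreFile="conf/certs/stuff.company.com.jks"
            certificateKeystoreType="JKS"
            certificateKeyAlias="stuff"
            certificateKeystorePassword="CHANGE-ME-keystore-password"
            certificateKeyPassword="CHANGE-ME-key-password"
            type="RSA" />
    </SSLHostConfig>

    <!-- Used when the client's SNI is things.company2.com. -->
    <SSLHostConfig hostName="things.company2.com"
                   certificateVerification="none"
                   protocols="TLSv1.2">
        <Certificate
            certificateKeystoreFile="conf/certs/things.company2.com.jks"
            certificateKeystoreType="JKS"
            certificateKeyAlias="things"
            certificateKeystorePassword="CHANGE-ME-keystore-password"
            certificateKeyPassword="CHANGE-ME-key-password"
            type="RSA" />
    </SSLHostConfig>
</Connector>
```

To confirm that SNI selection actually works after the change, connect once per host name with openssl s_client -connect stuff.company.com:443 -servername things.company2.com and once with -servername stuff.company.com, and compare the subject of the certificate each handshake returns; a client that sends no SNI should get the stuff.company.com certificate because of defaultSSLHostConfigName. If the Connector still carries a legacy attribute, Tomcat refuses to start the Connector and logs an error about more than one SSLHostConfig for the same host name, which is the symptom behind "not reachable at all over https" while port 80 keeps working. The protocols="TLSv1.2" setting is an addition of this example, not something the question asked for; drop it if older clients must be supported.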