As per org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystorePassword(), "keypass" and "keystorePass" are the same. If, e.g. when using http://sf.net/projects/portecle, some people are tempted to set a different password on the private key, they get:

  Error initializing endpoint
  java.io.IOException: Cannot recover key
      at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.init(JSSE14SocketFactory.java:125)
      at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:88)
      at org.apache.tomcat.util.net.PoolTcpEndpoint.initEndpoint(PoolTcpEndpoint.java:292)
      at org.apache.coyote.http11.Http11BaseProtocol.init(Http11BaseProtocol.java:137)
      at org.apache.catalina.connector.Connector.initialize(Connector.java:1016)
      ...

It would be great if there were a cautionary note in ssl-howto.html; see also http://www.ponton-consulting.de/en/faq/faq_advanced.html. I guess the test at the bottom of http://marc.theaimsgroup.com/?l=tomcat-user&m=109363993616257&w=2 would succeed despite what is claimed...
Good point, added cautionary note and reference to your comment above to the SSL HowTo. Thanks.
see also Bug 38774
Note that adding one key with a different passphrase will break the whole keystore for TC.
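The check below is an added example, not code from this bug or from Tomcat. It does what the comments above say the connector does at start-up: it opens every key entry with the keystore password alone, so any entry whose key password differs is reported before Tomcat fails with "Cannot recover key". The class name, the alias "tomcat", the passwords, and the constructed in-memory PKCS12 keystore are assumptions made for the demo; the demo stores an AES secret key instead of a private key with a certificate chain so that it needs no certificate, and the password check is the same for both entry types.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

/**
 * Pre-deployment check for the failure described in this bug: the connector
 * opens every key entry with keystorePass, so an entry protected by a different
 * key password makes initialisation fail with "Cannot recover key".
 */
public class KeystorePasswordCheck {

    /**
     * Aliases of key entries that do NOT open with the keystore password.
     * An empty list means the keystore is usable with keystorePass alone.
     */
    public static List<String> entriesNotOpenedBy(KeyStore ks, char[] storePass)
            throws GeneralSecurityException {
        List<String> bad = new ArrayList<>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!ks.isKeyEntry(alias)) {
                continue; // trusted-certificate entries carry no password
            }
            try {
                ks.getKey(alias, storePass);
            } catch (UnrecoverableKeyException ex) {
                bad.add(alias); // the same condition that yields "Cannot recover key"
            }
        }
        return bad;
    }

    /** Load a keystore file with the store password, as a connector would. */
    public static KeyStore loadFile(String path, char[] storePass) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, storePass);
        }
        return ks;
    }

    /**
     * Constructed demo keystore (an assumption, not from the bug): one key entry
     * stored under keyPass inside a store whose password is storePass.
     */
    static KeyStore demoKeystore(char[] storePass, char[] keyPass) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, storePass); // empty in-memory store
        SecretKey key = KeyGenerator.getInstance("AES").generateKey();
        ks.setEntry("tomcat", new KeyStore.SecretKeyEntry(key),
                new KeyStore.PasswordProtection(keyPass));
        return ks;
    }

    static void report(KeyStore ks, char[] storePass) throws GeneralSecurityException {
        List<String> bad = entriesNotOpenedBy(ks, storePass);
        if (bad.isEmpty()) {
            System.out.println("OK: every key entry opens with the keystore password");
        } else {
            System.out.println("FAIL: entries needing a different password: " + bad);
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length == 2) {
            // Usage: java KeystorePasswordCheck <keystore-file> <keystorePass>
            char[] storePass = args[1].toCharArray();
            report(loadFile(args[0], storePass), storePass);
            return;
        }
        char[] storePass = "changeit".toCharArray();
        // Key password equal to the store password: what the connector requires.
        report(demoKeystore(storePass, storePass), storePass);
        // Key password set separately (as a GUI keystore tool lets you do): the bug.
        report(demoKeystore(storePass, "otherpass".toCharArray()), storePass);
    }
}
```

Run it with no arguments for the two constructed cases, or pass a keystore path and the keystorePass from server.xml to check a real file before restarting Tomcat; any alias it lists is the entry whose key password has to be changed back to the keystore password.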