When: loading client certificates from a custom keystore
Reason: multiple certificates for the same domain but different purposes, e.g. one certificate handles email authentication, the other authenticates the user against a web server
Solution: either fix the buggy code that selects the wrong certificate from the keystore or make sure only one certificate per domain is in the keystore.
George's Techblog 