Because I was instructed to ask this issue in my own question I'm doing this here.
To see Original Topic in which I first asked my question (deleted now).
I got stuck with the same problem and unfortunately the answers of the author aren't helpful.
To introduce my issue a little bit more in detail, I work with a self signed certificate on my Tomcat 8 (v8.0.15) server on the internet with Java 8 (v8.0.25 - JDK). There I host my Java EE Application, which is the backend for my Android Application. The SSL connector of the Tomcat works as it should. When I test the backend with a RESTClient I get the result as expected.
I created the keystore with one certificate:
    keytool -genkey -alias tomcat -keystore tomcat.keystore \
        -storepass MYKEYSTOREPASS -keyalg RSA -keysize 2048 -validity 365
Then I extracted the certificate:
    keytool -export -alias tomcat -storepass MYKEYSTOREPASS \
        -keystore tomcat.keystore -file tomcat.cer
Lastly I created a new Keystore in the BKS format for my Android Application:
    keytool -import -alias tomcat -file tomcat.cer -keypass MYKEYSTOREPASS \
        -keystore tomcat.bks -storetype BKS -storepass MYKEYSTOREPASS \
        -providerClass org.bouncycastle.jce.provider.BouncyCastleProvider \
        -providerpath $PATH_TO_BC_LIBRARY/bcprov-jdk16-146.jar
(As mentioned here, the "-export" and "-import" parameters are from previous releases but still usable. So you may also know these command parameters as "-exportcert" and "-importcert".)
After finishing these steps I tried to connect and everything went fine, but only until I deactivated/left my WLAN connection. Then it did not work any more and brings a "javax.net.ssl.SSLPeerUnverifiedException: No peer certificate".
I really do not understand this behaviour.
To brighten up the android side a little bit more:
I used the classes/library from this tutorial in exactly the same way.
If something is missing, just comment and I will provide the information.
Thanks a lot in advance!
While doing my research on Server Fault for similar issues I also got a hint about what could be wrong:
https://serverfault.com/questions/560733/why-isnt-tomcat-serving-the-correct-ssl-certificate
I tried it out with the missing parameter "keyAlias", and it worked! The solution was finally, like Ogre_BGR expected before, a suboptimal Tomcat configuration. The connector looks like this:
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="PATH_TO_YOUR_KEYSTORE"
               keystorePass="PASSWORD_FOR_YOUR_KEYSTORE"
               keyAlias="ALIAS_OF_YOUR_CERTIFICATE"
               maxHttpHeaderSize="8192"
    />
Tomcat silently picks only the first key it finds in the keystore, when no keyAlias is configured. Mentioned in the docs here (at the bottom).
I hope that some day somebody will be glad to read this, while having the same problem.
Thanks again @Ogre_BGR :)
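
A way to check a keystore for the ambiguity described above before pointing a connector at it, as an added example that is not part of the original post: it lists every private-key entry with its certificate fingerprint and verifies that the alias intended for keyAlias really is a key entry. The class name and the KEYSTORE_PASS environment variable are assumptions made for this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Hypothetical helper. Usage: KEYSTORE_PASS=... java KeystoreAliasCheck <keystore> <keyAlias>
public class KeystoreAliasCheck {
    public static void main(String[] args) throws Exception {
        String pass = System.getenv("KEYSTORE_PASS"); // assumed variable name
        if (args.length != 2 || pass == null) {
            System.err.println("usage: KEYSTORE_PASS=... java KeystoreAliasCheck <keystore> <keyAlias>");
            System.exit(2);
        }
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, pass.toCharArray());
        }
        int keyEntries = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) continue; // trusted-cert entries hold no private key
            keyEntries++;
            Certificate cert = ks.getCertificate(alias);
            String subject = cert instanceof X509Certificate
                    ? ((X509Certificate) cert).getSubjectX500Principal().getName() : "(no X.509 certificate)";
            System.out.printf("key entry '%s'%n  subject: %s%n  SHA-256: %s%n",
                    alias, subject, cert == null ? "n/a" : sha256(cert));
        }
        // Enumeration order here is not guaranteed to match the key the server would pick,
        // so more than one key entry means keyAlias has to be set explicitly.
        if (keyEntries > 1) {
            System.out.println("WARNING: " + keyEntries + " key entries; set keyAlias on the connector");
        }
        if (!ks.isKeyEntry(args[1])) {
            System.out.println("FAIL: alias '" + args[1] + "' is missing or is not a private-key entry");
            System.exit(1);
        }
        System.out.println("OK: alias '" + args[1] + "' is a private-key entry");
    }

    // Hex SHA-256 of the DER-encoded certificate.
    static String sha256(Certificate cert) throws Exception {
        StringBuilder sb = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(cert.getEncoded())) {
            sb.append(String.format("%02X", b));
        }
        return sb.toString();
    }
}
```

The printed fingerprint can be compared with the one of the certificate imported into the client's BKS trust store to confirm that both sides refer to the same certificate.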