Tags: java, tomcat, ssl, keystore, jks

JKS with multiple keys (different passwords)


I have a JKS with 2 keys generated using the keytool. The 2 keys have different passwords and the JKS password is again different from these 2 passwords.

If there is only one key in the key store, it works as expected. But adding another with a different password results in an UnrecoverableKeyException. If the two keys have the same password, it still works fine.

Looking at some of the questions related to this ("Java keystore with multiple keys and different passwords", "Caused by: java.security.UnrecoverableKeyException: Cannot recover key"), it seems the solution is to use the same password. But that means there's no point in being able to set different passwords for different keys; we can just set a password for the whole key store and leave it at that.

Looking at Tomcat, it also seems to follow this approach of using the same password for both the store and the key.

Is this a restriction imposed by the JDK? Isn't there a way to make having different passwords for different keys work?


Solution

  • It is not a restriction imposed by the JDK, and the JSSE Reference Guide answers your question:

    For many factories, such as the default SunX509 KeyManagerFactory from the SunJSSE provider, the KeyStore and password are the only information required to initialize the KeyManagerFactory and thus the first init method is the appropriate one to call. The KeyManagerFactory will query the KeyStore for information about which private key and matching public key certificates should be used for authenticating to a remote socket peer. The password parameter specifies the password that will be used with the methods for accessing keys from the KeyStore. All keys in the KeyStore must be protected by the same password.

    Sometimes initialization parameters other than a KeyStore and password are needed by a provider. Users of that provider are expected to pass an implementation of the appropriate ManagerFactoryParameters as defined by the provider. The provider can then call the specified methods in the ManagerFactoryParameters implementation to obtain the needed information.

    You now know what to do: implement your own ManagerFactoryParameters. But if you also have to change Tomcat's code, that's another matter.
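The following is an added example, not code from the question or the answer above. It shows both halves of the answer: the default SunX509 KeyManagerFactory, which tries the single password it is given against every key entry and fails with UnrecoverableKeyException on the first entry protected by a different one, and the NewSunX509 factory, whose KeyStoreBuilderParameters (an implementation of ManagerFactoryParameters) lets a KeyStore.Builder return a different PasswordProtection per alias. The keystore file name, the aliases "first" and "second" and the three passwords are assumptions; the keytool commands in the comment produce a store matching them.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.UnrecoverableKeyException;
import java.util.Map;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.KeyStoreBuilderParameters;
import javax.net.ssl.X509KeyManager;

/*
 * Added example, not from the original question or answer.
 *
 * Assumed setup (file name, aliases and passwords are assumptions):
 *
 *   keytool -genkeypair -storetype JKS -keystore two-keys.jks -storepass store-pw \
 *           -alias first  -keyalg RSA -keysize 2048 -dname CN=first  -keypass first-pw
 *   keytool -genkeypair -storetype JKS -keystore two-keys.jks -storepass store-pw \
 *           -alias second -keyalg RSA -keysize 2048 -dname CN=second -keypass second-pw
 *
 * -storetype JKS matters: with the PKCS12 type that recent keytool releases default
 * to, keytool ignores -keypass and protects every key with the store password.
 */
public class PerAliasKeyPasswords {

    static final String KEYSTORE_PATH = "two-keys.jks";
    static final char[] STORE_PASSWORD = "store-pw".toCharArray();
    // Per-alias key passwords (assumed values, matching the keytool commands above).
    static final Map<String, char[]> KEY_PASSWORDS = Map.of(
            "first", "first-pw".toCharArray(),
            "second", "second-pw".toCharArray());

    static KeyStore loadKeyStore() throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(KEYSTORE_PATH)) {
            ks.load(in, STORE_PASSWORD);
        }
        return ks;
    }

    /* Default factory: the one password passed to init() is used for every key entry. */
    static void defaultFactory(KeyStore ks) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
        try {
            kmf.init(ks, KEY_PASSWORDS.get("first"));
            System.out.println("SunX509: init succeeded, so all keys share this password");
        } catch (UnrecoverableKeyException e) {
            // Reached as soon as the factory hits the entry protected by "second-pw".
            System.out.println("SunX509: " + e);
        }
    }

    /* A KeyStore.Builder that hands out the right PasswordProtection for each alias. */
    static final class PerAliasBuilder extends KeyStore.Builder {
        private final KeyStore ks;
        private final Map<String, char[]> passwords;
        private final char[] fallback;

        PerAliasBuilder(KeyStore ks, Map<String, char[]> passwords, char[] fallback) {
            this.ks = ks;
            this.passwords = passwords;
            this.fallback = fallback;
        }

        @Override
        public KeyStore getKeyStore() {
            return ks;
        }

        @Override
        public KeyStore.ProtectionParameter getProtectionParameter(String alias) {
            // Aliases without a configured key password fall back to the store password,
            // which is what keytool uses when -keypass is omitted.
            return new KeyStore.PasswordProtection(passwords.getOrDefault(alias, fallback));
        }
    }

    /* NewSunX509 asks the builder for a ProtectionParameter per alias when it recovers a key. */
    static X509KeyManager perAliasFactory(KeyStore ks) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance("NewSunX509");
        KeyStore.Builder builder = new PerAliasBuilder(ks, KEY_PASSWORDS, STORE_PASSWORD);
        kmf.init(new KeyStoreBuilderParameters(builder));
        return (X509KeyManager) kmf.getKeyManagers()[0];
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = loadKeyStore();
        defaultFactory(ks);

        X509KeyManager km = perAliasFactory(ks);
        // NewSunX509 reports prefixed aliases ("<n>.<builderIndex>.<alias>"); pass them back unchanged.
        for (String alias : km.getServerAliases("RSA", null)) {
            PrivateKey key = km.getPrivateKey(alias);
            System.out.println("NewSunX509: " + alias + " -> "
                    + (key == null ? "not recoverable" : key.getAlgorithm() + " private key"));
        }
        // Building an SSLContext from km (ctx.init(new KeyManager[]{km}, null, null)) then
        // serves whichever entry the handshake selects, with no shared key password required.
    }
}
```

Run it against the keystore produced by the two keytool commands: the SunX509 section prints the UnrecoverableKeyException, and the NewSunX509 section recovers both private keys even though they are protected by different passwords. The one place this does not help is a container that builds its own KeyManagerFactory with init(KeyStore, char[]), which is the Tomcat situation the answer refers to.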