We use tomcat-embed and we have a test that is breaking with an upgrade from 8.5.12 to 8.5.20, it seems due to the fact that we do not set the certificateKeyAlias when we configure an SSLHostConfigCertificate.
The documentation for certificateKeyAlias states "If not specified, the first *key* read from the keystore will be used." It seems that the first alias is being used and there is no check that it references a key. The result is that in JSSEUtil.getKeyManagers there is a call to KeyStore.getKey(keyAlias, keyPassArray) where keyAlias is actually an alias for a certificate, which leads to inMemoryKeyStore.setKeyEntry being passed null for the Key argument and eventually a KeyStoreException("Cannot store non-PrivateKeys"). This worked previously with certificatekeyAlias being null. I can confirm that this works just fine if I set that with the alias used when creating the KeyStore but I would rather not pass that alias around our code when I did not previously need to. Thanks! Jesse