If I may give an additional answer - a very common setup for Apache+JBoss is to use Apache as some kind of loadbalancer/reverse proxy infront of the JBoss. The SSL communication is completly done by Apache. And a prefered way is, to use AJP between Apache and JBoss instead of HTTP because it sets all necessary informations in the Servlet request instead of using X-forwarded-... information as additional headers that need to be read explicitly.
In this case (either with mod_jk or mod_cluster) you can also manage multiple instances of JBoss behind the Apache very easy. Of course - the communication between Apache and JBoss is not encrypted (as I know AJP doesn't support SSL).
If you want to have encrypted communication and the Apache is still making all the external SSL communication, then the internal communication between Apache and JBoss needs only be covered by one certificate and Apache needs to trust that certificate.
And one more - you can put more then one certificate/privatekey into a keystore just by importing them into the already existing keystore. With keystore -list you can review the content of the keystore. What I never tested yet, is, if the JBoss will use SNI to identify the correct certificate/key to the incoming request. But the newer JBoss and Java supports SNI by default.