Since you're talking about certmgr.msc and using keyStore.load(null, null), I presume you're using the WINDOWS-ROOT or WINDOWS-MY keystore, from the SunMSCAPI provider.
Unfortunately, there is an issue with this provider because it can reuse the same alias for multiple entries, thereby making it difficult or impossible to access some certificates.
The alias used by this keystore is in fact the "friendly name" of the certificate (in the MS-CAPI terminology). While the friendly name doesn't need to be unique in the Windows certificate store, the alias name needs to be.
Presumably, because you seem to be talking about two distinct certificates for the same entity but with different purposes, they're likely to use the same friendly name by default.
One way to work around this problem is to identify your certificates with different friendly names in the Windows store: in certmgr.msc, select the certificate, right-click, choose "Properties" and change its "Friendly Name".
If you have two distinct certificates (for different key usages or any other reason) that have unique friendly names, they should show up with different alias names in your KeyStore then.
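
To check the result of the renaming described above, the following added example (not part of the original answer) lists what the Windows-MY keystore actually exposes, so the output can be compared against certmgr.msc. It assumes a Windows JVM with the SunMSCAPI provider; the class name `ListWindowsMyAliases` is hypothetical, and whether a shared friendly name shows up as a repeated alias or as a missing certificate depends on the JDK version.

```java
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;

public class ListWindowsMyAliases {
    // Bit names in the order returned by X509Certificate.getKeyUsage().
    private static final String[] KEY_USAGE = {
        "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
        "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly"
    };

    static String describeKeyUsage(boolean[] bits) {
        if (bits == null) return "(no KeyUsage extension)";
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < bits.length && i < KEY_USAGE.length; i++) {
            if (bits[i]) sb.append(sb.length() == 0 ? "" : ",").append(KEY_USAGE[i]);
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // Windows only: the Windows-MY type is provided by SunMSCAPI.
        KeyStore ks = KeyStore.getInstance("Windows-MY");
        ks.load(null, null);

        // Count how often each alias (the certificate's friendly name) is returned.
        Map<String, Integer> seen = new LinkedHashMap<>();
        for (String alias : Collections.list(ks.aliases())) {
            seen.merge(alias, 1, Integer::sum);
            Certificate c = ks.getCertificate(alias);
            if (c instanceof X509Certificate) {
                X509Certificate x = (X509Certificate) c;
                // Serial and key usage tell apart certificates issued to the same subject.
                System.out.printf("alias=%s serial=%s subject=%s keyUsage=%s%n",
                    alias, x.getSerialNumber().toString(16),
                    x.getSubjectX500Principal().getName(),
                    describeKeyUsage(x.getKeyUsage()));
            }
        }
        seen.forEach((alias, n) -> {
            if (n > 1) System.out.println("alias returned " + n + " times: " + alias);
        });
    }
}
```

A certificate that is visible in certmgr.msc but whose serial number never appears in this output is one that the alias collision has made unreachable.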