According to the behavior I've observed today, a JVM loads one and only one SSL certificate store (keystore) at runtime. The JVM under ColdFusion comes with a default keystore that has many popular SSL certificate types already imported into it. That default keystore is {cfmx}/runtime/jre/lib/security/cacerts. However, if you programmatically load a different keystore, you will encounter a race condition in which only one of the two certificate stores is loaded. The certificate store that gets loaded first is used by the JVM for all subsequent SSL connections. If the certificate stores have disparate certificates imported into them, then some SSL connections probably won't work, and which ones fail will vary back and forth every time the server restarts.
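To check whether two stores are disparate in the sense described above, the following added example (not code from the original post) lists the certificates that appear in only one of them, compared by SHA-256 fingerprint. It assumes Java 9 or later, that the default store sits at lib/security/cacerts under java.home with the stock password "changeit", and, when no path is given, it substitutes a constructed empty store for the custom one; the class name TrustStoreDiff is hypothetical.

```java
import java.io.File;
import java.io.FileOutputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.util.Collections;
import java.util.Map;
import java.util.TreeMap;

// Added example: usage is "java TrustStoreDiff.java [customStorePath [password]]".
public class TrustStoreDiff {
    // Map SHA-256 fingerprint -> alias for every certificate in the store.
    static Map<String, String> fingerprints(File file, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(file, password); // Java 9+: detects JKS or PKCS12
        MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
        Map<String, String> out = new TreeMap<>();
        for (String alias : Collections.list(ks.aliases())) {
            Certificate cert = ks.getCertificate(alias);
            if (cert == null) continue; // entry holds no certificate
            StringBuilder hex = new StringBuilder();
            for (byte b : sha256.digest(cert.getEncoded())) hex.append(String.format("%02x", b));
            out.put(hex.toString(), alias);
        }
        return out;
    }
    // Constructed sample input: an empty PKCS12 store standing in for the custom keystore.
    static File emptyStore() throws Exception {
        File f = File.createTempFile("custom", ".p12");
        f.deleteOnExit();
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);
        try (FileOutputStream o = new FileOutputStream(f)) { ks.store(o, "changeit".toCharArray()); }
        return f;
    }
    // Print the certificates of store a that are absent from store b.
    static void report(String label, Map<String, String> a, Map<String, String> b) {
        Map<String, String> only = new TreeMap<>(a);
        only.keySet().removeAll(b.keySet());
        System.out.println(label + ": " + only.size());
        only.forEach((fp, alias) -> System.out.println("  " + alias + "  " + fp));
    }
    public static void main(String[] args) throws Exception {
        // Assumption: the default store is <java.home>/lib/security/cacerts, password "changeit".
        File def = new File(System.getProperty("java.home"), "lib/security/cacerts");
        File custom = args.length > 0 ? new File(args[0]) : emptyStore();
        char[] pw = (args.length > 1 ? args[1] : "changeit").toCharArray();
        Map<String, String> d = fingerprints(def, "changeit".toCharArray());
        Map<String, String> c = fingerprints(custom, pw);
        report("Only in default cacerts", d, c);
        report("Only in custom store", c, d);
    }
}
```

Any certificate listed under either heading is one whose SSL connections depend on which store happened to load first.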