In the configuration of the auth client, it should be possible to specify that the alias of the certificate/key/other credentials (to use in a key store or credential store) should be derived from the authentication principal, either exactly (via getName()) or via a Principal transformation of some kind, or alternatively from the target host name (also via optional name rewriting).