WildFly Core / WFCORE-3494

CLI, infinite loop when accepting temporarily SSL certificate


    • Bug
    • Resolution: Done
    • Major
    • 4.0.0.Alpha7
    • None
    • CLI
    • None

      Scenario:
      1) Accept CERT1 (CN=CA) temporarily.
      2) Disable SSL.
      3) Enable SSL with a new certificate CERT2, same DN CN=CA.
      4) Prompt the user to accept CERT2. The internal certificate set's iterator returns items in this order (important): CERT2, CERT1.
      5) Internally create a delegate that will do the actual certificate check and add all certificates to it: theTrustStore.setCertificateEntry(current.getSubjectX500Principal().getName(), current);
      6) Since CERT1 and CERT2 share the same name, CERT1 overrides CERT2; CERT2 (the certificate to add) will never be added.
      7) Infinite loop.

      The problem comes from the fact that the DN is used as the alias. In the case of a temporarily added certificate, a unique alias should be created.

      For a certificate added permanently to the trust store, the DN is also used as the alias. In this case, the last accepted certificate is the one stored, so there is no mismatch.
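
An added example, not WildFly code: the alias collision from steps 5 and 6 reproduced against java.security.KeyStore, next to a store that uses a unique alias per certificate. SampleCert is a constructed stand-in for real X.509 certificates, and the DN-plus-SHA-256-fingerprint alias is an assumption about what "unique" could look like, not the fix the project shipped.

```java
import java.math.BigInteger;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.util.Arrays;
import java.util.List;

public class AliasCollisionDemo {
    // Constructed stand-in for an X.509 certificate: a subject DN plus distinct encoded bytes.
    static final class SampleCert extends Certificate {
        final String dn;
        private final byte[] encoded;
        SampleCert(String dn, String body) { super("X.509"); this.dn = dn; this.encoded = body.getBytes(); }
        @Override public byte[] getEncoded() { return encoded.clone(); }
        @Override public void verify(PublicKey key) { }
        @Override public void verify(PublicKey key, String provider) { }
        @Override public PublicKey getPublicKey() { return null; }
        @Override public String toString() { return dn; }
    }

    // Hypothetical unique alias: DN plus the SHA-256 fingerprint of the encoded certificate.
    static String uniqueAlias(SampleCert c) throws Exception {
        byte[] fp = MessageDigest.getInstance("SHA-256").digest(c.getEncoded());
        return c.dn + "#" + new BigInteger(1, fp).toString(16);
    }

    // Builds the in-memory trust store as in step 5, one setCertificateEntry call per accepted certificate.
    static KeyStore buildStore(List<SampleCert> accepted, boolean unique) throws Exception {
        KeyStore store = KeyStore.getInstance("JKS"); // JKS keeps the Certificate object as given
        store.load(null, null);
        for (SampleCert c : accepted) {
            store.setCertificateEntry(unique ? uniqueAlias(c) : c.dn, c); // same alias replaces silently
        }
        return store;
    }

    public static void main(String[] args) throws Exception {
        SampleCert cert1 = new SampleCert("CN=CA", "constructed-cert-1");
        SampleCert cert2 = new SampleCert("CN=CA", "constructed-cert-2");
        List<SampleCert> order = Arrays.asList(cert2, cert1); // iteration order from the report
        for (boolean unique : new boolean[] {false, true}) {
            KeyStore store = buildStore(order, unique);
            System.out.println((unique ? "unique alias" : "DN alias") + ": entries=" + store.size()
                    + ", CERT2 present=" + (store.getCertificateAlias(cert2) != null));
        }
    }
}
```

With the DN alias the store ends up with a single entry holding CERT1, so the check against CERT2 keeps failing and the prompt repeats; with unique aliases both entries survive.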

              jdenise@redhat.com Jean Francois Denise