I was thinking of starting an embedded server that will process incoming SSL confirmations, and then redirect traffic to the local Tomcat port (without SSL). In case of changes to the keystore, just restart the built-in server (this should be done quickly). Have you tried this?
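The setup proposed above, as an added example that is not part of the original post: a Java listener that terminates TLS, forwards the plaintext stream to Tomcat on loopback, and reopens itself when the keystore file changes. The keystore path, password and both port numbers are assumed values.

```java
import javax.net.ssl.*;
import java.io.*;
import java.net.*;
import java.nio.file.*;
import java.security.KeyStore;

public class TlsFrontEnd {
    // Assumed values for illustration; none of them come from the original post.
    static final Path KEYSTORE = Paths.get("keystore.p12");
    static final char[] PASSWORD = "changeit".toCharArray();
    static final int TLS_PORT = 8443, TOMCAT_PORT = 8080;

    // Build a TLS listener from the keystore as it is on disk right now.
    static SSLServerSocket open() throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(KEYSTORE)) { ks.load(in, PASSWORD); }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, PASSWORD);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null);
        SSLServerSocket s = (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket(TLS_PORT);
        s.setSoTimeout(1000); // accept() returns once a second so the keystore can be re-checked
        return s;
    }

    // Copy one direction of a connection on its own thread; the TLS handshake runs on first read.
    static void pipe(InputStream in, OutputStream out) {
        new Thread(() -> {
            try { in.transferTo(out); } catch (IOException e) { /* peer closed or handshake failed */ }
            finally { try { out.close(); } catch (IOException e) { /* already closed */ } }
        }).start();
    }

    public static void main(String[] args) throws Exception {
        while (true) { // each pass is one "restart" of the listener
            long loaded = Files.getLastModifiedTime(KEYSTORE).toMillis();
            try (SSLServerSocket server = open()) {
                while (Files.getLastModifiedTime(KEYSTORE).toMillis() == loaded) {
                    try {
                        Socket client = server.accept();
                        try {
                            Socket tomcat = new Socket(InetAddress.getLoopbackAddress(), TOMCAT_PORT);
                            pipe(client.getInputStream(), tomcat.getOutputStream());
                            pipe(tomcat.getInputStream(), client.getOutputStream());
                        } catch (IOException e) { client.close(); } // Tomcat not reachable
                    } catch (SocketTimeoutException idle) { /* no client; re-check the keystore */ }
                }
            } // listener closed here; connections already accepted keep their old certificate
        }
    }
}
```

With this layout the plaintext Tomcat connector should listen on loopback only (the connector's `address` attribute set to `127.0.0.1`), so nothing can reach it without going through the TLS listener.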