diff --git a/rse/plugins/org.eclipse.dstore.core/src/org/eclipse/dstore/internal/core/util/ssl/DStoreKeyManager.java b/rse/plugins/org.eclipse.dstore.core/src/org/eclipse/dstore/internal/core/util/ssl/DStoreKeyManager.java
new file mode 100644
index 00000000000..d96fc5a6f96
--- /dev/null
+++ b/rse/plugins/org.eclipse.dstore.core/src/org/eclipse/dstore/internal/core/util/ssl/DStoreKeyManager.java
@@ -0,0 +1,69 @@
+/********************************************************************************
+ * Copyright (c) 2009 IBM Corporation. All rights reserved.
+ * This program and the accompanying materials are made available under the terms
+ * of the Eclipse Public License v1.0 which accompanies this distribution, and is
+ * available at http://www.eclipse.org/legal/epl-v10.html
+ *
+ * Initial Contributors:
+ * The following IBM employees contributed to the Remote System Explorer
+ * component that contains this file: David McKnight.
+ *
+ * Contributors:
+ * David McKnight (IBM) - [264858][dstore] OpenRSE always picks the first trusted certificate
+ ********************************************************************************/
+package org.eclipse.dstore.internal.core.util.ssl;
+
+import java.net.Socket;
+import java.security.Principal;
+import java.security.PrivateKey;
+import java.security.cert.X509Certificate;
+
+import javax.net.ssl.X509KeyManager;
+
+public class DStoreKeyManager implements X509KeyManager {
+
+	private X509KeyManager _keyManager;
+	private String _defaultAlias;
+
+	public DStoreKeyManager(X509KeyManager keyManager, String defaultAlias){
+		_keyManager = keyManager;
+		_defaultAlias = defaultAlias;
+	}
+
+	public String chooseClientAlias(String[] keyType, Principal[] issuers,
+			Socket socket) {
+		if (_defaultAlias != null){
+			return _defaultAlias;
+		}
+		else {
+			return _keyManager.chooseClientAlias(keyType, issuers, socket);
+		}
+	}
+
+	public String chooseServerAlias(String keyType, Principal[] issuers,
+			Socket socket) {
+		if (_defaultAlias != null){
+			return _defaultAlias;
+		}
+		else {
+			return _keyManager.chooseServerAlias(keyType, issuers, socket);
+		}
+	}
+
+	public X509Certificate[] getCertificateChain(String alias) {
+		return _keyManager.getCertificateChain(alias);
+	}
+
+	public String[] getClientAliases(String keyType, Principal[] issuers) {
+		return _keyManager.getClientAliases(keyType, issuers);
+	}
+
+	public PrivateKey getPrivateKey(String alias) {
+		return _keyManager.getPrivateKey(alias);
+	}
+
+	public String[] getServerAliases(String keyType, Principal[] issuers) {
+		return _keyManager.getServerAliases(keyType, issuers);
+	}
+
+}
diff --git a/rse/plugins/org.eclipse.dstore.core/src/org/eclipse/dstore/internal/core/util/ssl/DStoreSSLContext.java b/rse/plugins/org.eclipse.dstore.core/src/org/eclipse/dstore/internal/core/util/ssl/DStoreSSLContext.java
index 60a993e7c9b..b794bc08cdd 100644
--- a/rse/plugins/org.eclipse.dstore.core/src/org/eclipse/dstore/internal/core/util/ssl/DStoreSSLContext.java
+++ b/rse/plugins/org.eclipse.dstore.core/src/org/eclipse/dstore/internal/core/util/ssl/DStoreSSLContext.java
@@ -1,5 +1,5 @@
 /*******************************************************************************
- * Copyright (c) 2006, 2008 IBM Corporation and others.
+ * Copyright (c) 2006, 2009 IBM Corporation and others.
  * All rights reserved. This program and the accompanying materials
  * are made available under the terms of the Eclipse Public License v1.0
  * which accompanies this distribution, and is available at
@@ -15,6 +15,7 @@
  * David McKnight (IBM) - [225507][api][breaking] RSE dstore API leaks non-API types
  * Noriaki Takatsu (IBM) - [259905][api] Provide a facility to use its own keystore
  * David McKnight (IBM) - [259905][api] provide public API for getting/setting key managers for SSLContext
+ * David McKnight (IBM) - [264858][dstore] OpenRSE always picks the first trusted certificate
  *******************************************************************************/
 
 package org.eclipse.dstore.internal.core.util.ssl;
@@ -25,6 +26,7 @@ import javax.net.ssl.KeyManager;
 import javax.net.ssl.KeyManagerFactory;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.TrustManager;
+import javax.net.ssl.X509KeyManager;
 
 import org.eclipse.dstore.core.util.ssl.BaseSSLContext;
 import org.eclipse.dstore.core.util.ssl.DStoreKeyStore;
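Review bot: chooseClientAlias and chooseServerAlias hand back _defaultAlias whenever it is non-null without confirming that the delegate key manager actually holds a key under that alias, so a mistyped DSTORE_DEFAULT_CERTIFICATE_ALIAS is only discovered later when getPrivateKey/getCertificateChain return null and the handshake fails with an unhelpful error, instead of falling back to the delegate's own selection. The guard in both methods could become `if (_defaultAlias != null && _keyManager.getPrivateKey(_defaultAlias) != null){`, which keeps the override but degrades gracefully to the wrapped X509KeyManager. The forced alias is also returned regardless of keyType and issuers, so if the key stored under it does not match the negotiated key type the peer will presumably reject the certificate; a Javadoc line on the constructor's defaultAlias parameter saying that it bypasses key-type and issuer matching would make that trade-off explicit. The constructor should also reject a null keyManager, e.g. `if (keyManager == null) throw new IllegalArgumentException("keyManager");`, since every delegating method dereferences it.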
@@ -46,10 +48,27 @@ public class DStoreSSLContext
 				KeyStore ks = DStoreKeyStore.getKeyStore(filePath, password);
 				String keymgrAlgorithm = KeyManagerFactory.getDefaultAlgorithm();
 				KeyManagerFactory kmf = KeyManagerFactory.getInstance(keymgrAlgorithm);
-				kmf.init(ks, password.toCharArray());
-
+				kmf.init(ks, password.toCharArray());
+
 				serverContext = SSLContext.getInstance("SSL"); //$NON-NLS-1$
-				serverContext.init(kmf.getKeyManagers(), null, null);
+
+				keyManagers = kmf.getKeyManagers();
+
+				// read optional system property that indicates a default certificate alias
+				String defaultAlias = System.getProperty("DSTORE_DEFAULT_CERTIFICATE_ALIAS"); //$NON-NLS-1$
+				if (defaultAlias != null){
+					KeyManager[] x509KeyManagers = new X509KeyManager[10];
+
+					for(int i=0;i