If you install a certificate for your server into an external PKCS #11 module, for example, a hardware accelerator, the server will not be able to start using that certificate until you edit the server.xml file or specify the certificate name as described below.
The server always tries to start with the certificate named Server-Cert. However, certificates in external PKCS #11 modules include one of the module’s token names in their identifier. For example, a server certificate installed on an external smartcard reader called smartcard0 would be named smartcard0:Server-Cert.
To start a server with a certificate installed in an external module, you must specify the certificate name for the listen socket on which it runs.