One can run Jenkins with HTTPS support by setting the --httpsPort parameter. One can also use the --httpsKeyStore parameter to select the keystore that contains the SSL/TLS certificate that Jenkins (Winstone -> Jetty) should use on the HTTPS port.

Just if for whatever reason the keystore does contain more than one certificate, it will be somewhat chance which one is chosen. (Might be the first, last, not sure.)

Jetty (which is the engine used underneath Winstone in recent versions of Jenkins) has a CertAlias property which sets the alias name of the certificate to be used.

Just right now, there is no way to specify that parameter on the Jenkins command line. I think it would make sense to implement a --httpsCertAlias parameter on the Jenkins command line which will then be passed down to Jetty.

(On the same subject, there is --httpsKeyStorePassword parameter but no --httpsKeyPassword parameter. This will cause problems if the password of the private key of the keystore is different from the password of the certificates private key, which is a scenario that's even enforced to some extend in newer versions of the JVM keytool tool.)