Just to follow up to my own post:
This problem was resolved by Zimbra Support. In addition to the certificate files, Sun java keeps certificates in a keystore file. Here is the solution as received from support:
The keystore showed still the old certificate entry for tomcat now that we have moved to jetty
keytool -list -keystore /opt/zimbra/mailboxd/etc/keystore -storepass `zmlocalconfig -s -m nokey mailboxd_keystore_password`
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 2 entries
jetty, Jan 8, 2008 , PrivateKeyEntry,
Certificate fingerprint (MD5): xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
tomcat, Jun 5, 2006 , PrivateKeyEntry,
Certificate fingerprint (MD5): xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
Deleted tomcat alias with
keytool -delete -alias tomcat -keystore /opt/zimbra/mailboxd/etc/keystore -storepass `zmlocalconfig -s -m nokey mailboxd_keystore_password`
zmcontrol stop
zmcontrol start
Hopefully, this will help someone else with similar problems.
Wendell