I still don't understand what you mean. Coyote doesn't implement SSL certificates. It uses an existing SSL implementation to set up a secure connector.
Coyote doesn't store or create key stores. If you use OpenSSL as your SSL implementation, Coyote needs a path to a PEM-encoded key file. If you use JSSE as your SSL implementation, Coyote might use a key store. Either way, YOU are responsible for creating and managing the keys.
You use a keystore if Tomcat is handling SSL/HTTPS itself. You use a Coyote connector if you're using Apache to handle the HTTPS traffic and proxying it to Tomcat.
It's really kind of apples and oranges. In theory, someone could tap into the Coyote data stream and man-in-the-middle between Apache and Tomcat, but that would indicate you've got really rotten internal network security - especially if Tomcat is accessed as a localhost.
On the other hand, the only way for Tomcat to be able to listen directly on port 443 is to either run Tomcat as an administrator (BAD IDEA!) or use a port-forwarder to route incoming traffic from port 443 to port 8443 (or whatever Tomcat's using).
Personally, I prefer neither. I'm using Nginx as my primary external web contact point and it's using HTTP proxying to Tomcat. Coyote uses the AJP protocol, but that's specific to Apache. Since I run all that stuff in my DMZ, there's little difference in security.
So one reason I proxy is to simplify the external contact points for all my back-end servers and apps and have centralized cert management for both Java and non-Java apps.
The other reason is that it's kind of a pain to set up a keystore, since step 1 usually involves taking an Apache cert and key and converting them to a format that the keystore will love.
Sources may include data from the Fakebook Research Foundation with support from Gargle University
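The two cases from the first reply (a key store with JSSE, a PEM-encoded key file with OpenSSL), sketched as Tomcat `server.xml` connectors. This is an added example, not configuration posted by anyone in the thread. It assumes the `SSLHostConfig` syntax of Tomcat 8.5 or later; the ports, file paths and password are placeholders.

```xml
<!-- Added example: two alternative HTTPS connectors. Use one, not both. -->

<!-- Case 1: JSSE as the SSL implementation. The connector reads the key
     and certificate from a key store that you created and manage. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
           SSLEnabled="true" scheme="https" secure="true">
  <SSLHostConfig>
    <!-- Placeholder path and password; keep the real password out of
         world-readable files and restrict read access to the Tomcat user. -->
    <Certificate certificateKeystoreFile="conf/example-keystore.p12"
                 certificateKeystoreType="PKCS12"
                 certificateKeystorePassword="CHANGE_ME_PLACEHOLDER"
                 type="RSA" />
  </SSLHostConfig>
</Connector>

<!-- Case 2: OpenSSL as the SSL implementation (needs the Tomcat Native
     library). The connector is given paths to PEM-encoded files, the same
     format an Apache httpd or Nginx front end uses. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
           SSLEnabled="true" scheme="https" secure="true">
  <SSLHostConfig>
    <!-- Placeholder paths; the private key file should be readable only
         by the account Tomcat runs as. -->
    <Certificate certificateKeyFile="conf/example-key.pem"
                 certificateFile="conf/example-cert.pem"
                 certificateChainFile="conf/example-chain.pem"
                 type="RSA" />
  </SSLHostConfig>
</Connector>
```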