The default "SunX509" `KeyManagerFactory` for TLS now supports the same algorithm constraints and certificate check functionality as the "PKIX" `KeyManagerFactory`. Selection and prioritization of the local certificates chosen by the `KeyManager` is based on the following checks:

1) Local certificates are checked against peer supported certificate signature algorithms sent with the `signature_algorithms_cert` TLS extension.
2) Local certificates are checked against TLS algorithm constraints specified in the `jdk.tls.disabledAlgorithms` and `jdk.certpath.disabledAlgorithms` security properties.
3) Local certificates are prioritized based on validity period and certificate extensions.

The legacy behavior (no checking of local certificates) of the "SunX509" key manager can be restored by setting the `jdk.tls.SunX509KeyManager.certChecking` system property to `false`.