> On Jul 14, 2026, at 06:40:59, John Mok <[email protected]> wrote:
> 
> Hi all,
> 
> Trying to use MLDSA certificate on Tomcat 10 + OpenJDK 21, but failed
> (see error messages below).


Exact Tomcat and JVM versions? You should always specify those, along with the 
platform you’re running on.


> I hope someone could point me in the right direction.
> 
> server.xml configuration
> ==================
> 
>    <Connector port="8443" 
> protocol="org.apache.coyote.http11.Http11NioProtocol"
>               maxThreads="150" SSLEnabled="true"
>               maxParameterCount="1000"
>> 
>        <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
>        <SSLHostConfig>
>            <Certificate certificateKeystoreFile="conf/tomcat10-1.jks"
>                         certificateKeystorePassword="changeit" type="MLDSA" />
>        </SSLHostConfig>
>    </Connector>


It looks like you’re trying to use the JVM JSSE provider, but AFAICT, JVM 21 
does not support MLDSA certificates; you would need JVM 24 or 25 for that.

Current versions of OpenSSL do support MLDSA, but you have to specify that in 
your <Connector> configuration. Take a look at:

https://tomcat.apache.org/tomcat-10.1-doc/ssl-howto.html#SSL_and_Tomcat
https://tomcat.apache.org/tomcat-10.1-doc/config/http.html#SSL_Support_-_Connector_-_NIO_and_NIO2

  - Chuck


> ===================
> 
> Catalina log reads
> 
> 14-Jul-2026 18:51:34.645 SEVERE [main]
> org.apache.catalina.util.LifecycleBase.handleSubClassException Failed
> to initialize component [Connector["https-jsse-nio2-8443"]]
> org.apache.catalina.LifecycleException: Protocol handler initialization failed
> at org.apache.catalina.connector.Connector.initInternal(Connector.java:1084)
> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:122)
> at 
> org.apache.catalina.core.StandardService.initInternal(StandardService.java:520)
> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:122)
> at 
> org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:955)
> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:122)
> at org.apache.catalina.startup.Catalina.load(Catalina.java:709)
> at org.apache.catalina.startup.Catalina.load(Catalina.java:732)
> at 
> java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103)
> at java.base/java.lang.reflect.Method.invoke(Method.java:580)
> at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:299)
> at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:472)
> Caused by: java.lang.IllegalArgumentException: Error creating SSLContext
> at 
> org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:121)
> at 
> org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:78)
> at org.apache.tomcat.util.net.Nio2Endpoint.bind(Nio2Endpoint.java:137)
> at 
> org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1434)
> at 
> org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1447)
> at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:932)
> at 
> org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:82)
> at org.apache.catalina.connector.Connector.initInternal(Connector.java:1082)
> ... 11 more
> Caused by: java.security.UnrecoverableKeyException: Get Key failed:
> Given final block not properly padded. Such issues can arise if a bad
> key is used during decryption.
> at 
> java.base/sun.security.pkcs12.PKCS12KeyStore.internalGetKey(PKCS12KeyStore.java:458)
> at 
> java.base/sun.security.pkcs12.PKCS12KeyStore.engineGetKey(PKCS12KeyStore.java:300)
> at 
> java.base/sun.security.util.KeyStoreDelegator.engineGetKey(KeyStoreDelegator.java:93)
> at java.base/java.security.KeyStore.getKey(KeyStore.java:1095)
> at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:384)
> at 
> org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:265)
> at 
> org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:119)
> ... 18 more
> Caused by: javax.crypto.BadPaddingException: Given final block not
> properly padded. Such issues can arise if a bad key is used during
> decryption.
> at java.base/com.sun.crypto.provider.CipherCore.unpad(CipherCore.java:861)
> at 
> java.base/com.sun.crypto.provider.CipherCore.fillOutputBuffer(CipherCore.java:941)
> at java.base/com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:734)
> at 
> java.base/com.sun.crypto.provider.PBES2Core.engineDoFinal(PBES2Core.java:203)
> at java.base/javax.crypto.Cipher.doFinal(Cipher.java:2265)
> at 
> java.base/sun.security.pkcs12.PKCS12KeyStore.lambda$internalGetKey$0(PKCS12KeyStore.java:374)
> at 
> java.base/sun.security.pkcs12.PKCS12KeyStore$RetryWithZero.run(PKCS12KeyStore.java:257)
> at 
> java.base/sun.security.pkcs12.PKCS12KeyStore.internalGetKey(PKCS12KeyStore.java:365)
> ... 24 more
> 14-Jul-2026 18:51:34.648 INFO [main]
> org.apache.catalina.startup.Catalina.load Server initialization in
> [6138] milliseconds
> 
> Thank you,
> John MOK
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
> 

Reply via email to