On Tue, Jul 14, 2026 at 10:03 PM Chuck Caldarale <[email protected]> wrote: > > > > On Jul 14, 2026, at 06:40:59, John Mok <[email protected]> wrote: > > > > Hi all, > > > > Trying to use MLDSA certificate on Tomcat 10 + OpenJDK 21, but failed > > (see error messages below). > > > Exact Tomcat and JVM versions? You should always specify those, along with > the platform you’re running on. > > > > I hope someone could point me in the right direction. > > > > server.xml configuration > > ================== > > > > <Connector port="8443" > > protocol="org.apache.coyote.http11.Http11NioProtocol" > > maxThreads="150" SSLEnabled="true" > > maxParameterCount="1000" > >> > > <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" /> > > <SSLHostConfig> > > <Certificate certificateKeystoreFile="conf/tomcat10-1.jks" > > certificateKeystorePassword="changeit" type="MLDSA" > > /> > > </SSLHostConfig> > > </Connector> > > > It looks like you’re trying to use the JVM JSSE provider, but AFAICT, JVM 21 > does not support MLDSA certificates; you would need JVM 24 or 25 for that.
And it's not really going to work anyway. > Current versions of OpenSSL do support MLDSA, but you have to specify that in > your <Connector> configuration. Take a look at: > > https://tomcat.apache.org/tomcat-10.1-doc/ssl-howto.html#SSL_and_Tomcat > https://tomcat.apache.org/tomcat-10.1-doc/config/http.html#SSL_Support_-_Connector_-_NIO_and_NIO2 You can have the OpenSSL listener enabled in server.xml, OpenSSL in your system, and Java 25, and it works. <Listener className="org.apache.catalina.core.OpenSSLLifecycleListener" SSLEngine="on" /> Or use tomcat-native if running on older Java versions. Also for now it's best to avoid using a keystore. Rémy > - Chuck > > > > =================== > > > > Catalina log reads > > > > 14-Jul-2026 18:51:34.645 SEVERE [main] > > org.apache.catalina.util.LifecycleBase.handleSubClassException Failed > > to initialize component [Connector["https-jsse-nio2-8443"]] > > org.apache.catalina.LifecycleException: Protocol handler initialization > > failed > > at org.apache.catalina.connector.Connector.initInternal(Connector.java:1084) > > at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:122) > > at > > org.apache.catalina.core.StandardService.initInternal(StandardService.java:520) > > at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:122) > > at > > org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:955) > > at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:122) > > at org.apache.catalina.startup.Catalina.load(Catalina.java:709) > > at org.apache.catalina.startup.Catalina.load(Catalina.java:732) > > at > > java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103) > > at java.base/java.lang.reflect.Method.invoke(Method.java:580) > > at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:299) > > at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:472) > > Caused by: java.lang.IllegalArgumentException: Error creating SSLContext > > at > > org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:121) > > at > > org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:78) > > at org.apache.tomcat.util.net.Nio2Endpoint.bind(Nio2Endpoint.java:137) > > at > > org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1434) > > at > > org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1447) > > at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:932) > > at > > org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:82) > > at org.apache.catalina.connector.Connector.initInternal(Connector.java:1082) > > ... 11 more > > Caused by: java.security.UnrecoverableKeyException: Get Key failed: > > Given final block not properly padded. Such issues can arise if a bad > > key is used during decryption. > > at > > java.base/sun.security.pkcs12.PKCS12KeyStore.internalGetKey(PKCS12KeyStore.java:458) > > at > > java.base/sun.security.pkcs12.PKCS12KeyStore.engineGetKey(PKCS12KeyStore.java:300) > > at > > java.base/sun.security.util.KeyStoreDelegator.engineGetKey(KeyStoreDelegator.java:93) > > at java.base/java.security.KeyStore.getKey(KeyStore.java:1095) > > at > > org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:384) > > at > > org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:265) > > at > > org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:119) > > ... 18 more > > Caused by: javax.crypto.BadPaddingException: Given final block not > > properly padded. Such issues can arise if a bad key is used during > > decryption. > > at java.base/com.sun.crypto.provider.CipherCore.unpad(CipherCore.java:861) > > at > > java.base/com.sun.crypto.provider.CipherCore.fillOutputBuffer(CipherCore.java:941) > > at java.base/com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:734) > > at > > java.base/com.sun.crypto.provider.PBES2Core.engineDoFinal(PBES2Core.java:203) > > at java.base/javax.crypto.Cipher.doFinal(Cipher.java:2265) > > at > > java.base/sun.security.pkcs12.PKCS12KeyStore.lambda$internalGetKey$0(PKCS12KeyStore.java:374) > > at > > java.base/sun.security.pkcs12.PKCS12KeyStore$RetryWithZero.run(PKCS12KeyStore.java:257) > > at > > java.base/sun.security.pkcs12.PKCS12KeyStore.internalGetKey(PKCS12KeyStore.java:365) > > ... 24 more > > 14-Jul-2026 18:51:34.648 INFO [main] > > org.apache.catalina.startup.Catalina.load Server initialization in > > [6138] milliseconds > > > > Thank you, > > John MOK > > > > --------------------------------------------------------------------- > > To unsubscribe, e-mail: [email protected] > > For additional commands, e-mail: [email protected] > > > --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
