On Tue, Jul 14, 2026 at 10:03 PM Chuck Caldarale <[email protected]> wrote:
>
>
> > On Jul 14, 2026, at 06:40:59, John Mok <[email protected]> wrote:
> >
> > Hi all,
> >
> > Trying to use MLDSA certificate on Tomcat 10 + OpenJDK 21, but failed
> > (see error messages below).
>
>
> Exact Tomcat and JVM versions? You should always specify those, along with 
> the platform you’re running on.
>
>
> > I hope someone could point me in the right direction.
> >
> > server.xml configuration
> > ==================
> >
> >    <Connector port="8443" 
> > protocol="org.apache.coyote.http11.Http11NioProtocol"
> >               maxThreads="150" SSLEnabled="true"
> >               maxParameterCount="1000"
> >>
> >        <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
> >        <SSLHostConfig>
> >            <Certificate certificateKeystoreFile="conf/tomcat10-1.jks"
> >                         certificateKeystorePassword="changeit" type="MLDSA" 
> > />
> >        </SSLHostConfig>
> >    </Connector>
>
>
> It looks like you’re trying to use the JVM JSSE provider, but AFAICT, JVM 21 
> does not support MLDSA certificates; you would need JVM 24 or 25 for that.

And it's not really going to work anyway.

> Current versions of OpenSSL do support MLDSA, but you have to specify that in 
> your <Connector> configuration. Take a look at:
>
> https://tomcat.apache.org/tomcat-10.1-doc/ssl-howto.html#SSL_and_Tomcat
> https://tomcat.apache.org/tomcat-10.1-doc/config/http.html#SSL_Support_-_Connector_-_NIO_and_NIO2

You can have the OpenSSL listener enabled in server.xml, OpenSSL in
your system, and Java 25, and it works.
<Listener className="org.apache.catalina.core.OpenSSLLifecycleListener"
SSLEngine="on" />
Or use tomcat-native if running on older Java versions.

Also for now it's best to avoid using a keystore.

Rémy

>   - Chuck
>
>
> > ===================
> >
> > Catalina log reads
> >
> > 14-Jul-2026 18:51:34.645 SEVERE [main]
> > org.apache.catalina.util.LifecycleBase.handleSubClassException Failed
> > to initialize component [Connector["https-jsse-nio2-8443"]]
> > org.apache.catalina.LifecycleException: Protocol handler initialization 
> > failed
> > at org.apache.catalina.connector.Connector.initInternal(Connector.java:1084)
> > at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:122)
> > at 
> > org.apache.catalina.core.StandardService.initInternal(StandardService.java:520)
> > at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:122)
> > at 
> > org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:955)
> > at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:122)
> > at org.apache.catalina.startup.Catalina.load(Catalina.java:709)
> > at org.apache.catalina.startup.Catalina.load(Catalina.java:732)
> > at 
> > java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103)
> > at java.base/java.lang.reflect.Method.invoke(Method.java:580)
> > at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:299)
> > at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:472)
> > Caused by: java.lang.IllegalArgumentException: Error creating SSLContext
> > at 
> > org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:121)
> > at 
> > org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:78)
> > at org.apache.tomcat.util.net.Nio2Endpoint.bind(Nio2Endpoint.java:137)
> > at 
> > org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1434)
> > at 
> > org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1447)
> > at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:932)
> > at 
> > org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:82)
> > at org.apache.catalina.connector.Connector.initInternal(Connector.java:1082)
> > ... 11 more
> > Caused by: java.security.UnrecoverableKeyException: Get Key failed:
> > Given final block not properly padded. Such issues can arise if a bad
> > key is used during decryption.
> > at 
> > java.base/sun.security.pkcs12.PKCS12KeyStore.internalGetKey(PKCS12KeyStore.java:458)
> > at 
> > java.base/sun.security.pkcs12.PKCS12KeyStore.engineGetKey(PKCS12KeyStore.java:300)
> > at 
> > java.base/sun.security.util.KeyStoreDelegator.engineGetKey(KeyStoreDelegator.java:93)
> > at java.base/java.security.KeyStore.getKey(KeyStore.java:1095)
> > at 
> > org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:384)
> > at 
> > org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:265)
> > at 
> > org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:119)
> > ... 18 more
> > Caused by: javax.crypto.BadPaddingException: Given final block not
> > properly padded. Such issues can arise if a bad key is used during
> > decryption.
> > at java.base/com.sun.crypto.provider.CipherCore.unpad(CipherCore.java:861)
> > at 
> > java.base/com.sun.crypto.provider.CipherCore.fillOutputBuffer(CipherCore.java:941)
> > at java.base/com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:734)
> > at 
> > java.base/com.sun.crypto.provider.PBES2Core.engineDoFinal(PBES2Core.java:203)
> > at java.base/javax.crypto.Cipher.doFinal(Cipher.java:2265)
> > at 
> > java.base/sun.security.pkcs12.PKCS12KeyStore.lambda$internalGetKey$0(PKCS12KeyStore.java:374)
> > at 
> > java.base/sun.security.pkcs12.PKCS12KeyStore$RetryWithZero.run(PKCS12KeyStore.java:257)
> > at 
> > java.base/sun.security.pkcs12.PKCS12KeyStore.internalGetKey(PKCS12KeyStore.java:365)
> > ... 24 more
> > 14-Jul-2026 18:51:34.648 INFO [main]
> > org.apache.catalina.startup.Catalina.load Server initialization in
> > [6138] milliseconds
> >
> > Thank you,
> > John MOK
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [email protected]
> > For additional commands, e-mail: [email protected]
> >
>

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to