Moin Rémy, >Also for now it's best to avoid using a keystore.
Only in this case or in general? Could you elaborate? (please) Thanks & Ciao, Andreas -----Ursprüngliche Nachricht----- Von: Rémy Maucherat <[email protected]> Gesendet: Mittwoch, 15. Juli 2026 09:52 An: Tomcat Users List <[email protected]> Betreff: Re: Tomcat 10 MLDSA - failed to start ********************************************************************** On Tue, Jul 14, 2026 at 10:03 PM Chuck Caldarale <[email protected]> wrote: > > > > On Jul 14, 2026, at 06:40:59, John Mok <[email protected]> wrote: > > > > Hi all, > > > > Trying to use MLDSA certificate on Tomcat 10 + OpenJDK 21, but > > failed (see error messages below). > > > Exact Tomcat and JVM versions? You should always specify those, along with > the platform you’re running on. > > > > I hope someone could point me in the right direction. > > > > server.xml configuration > > ================== > > > > <Connector port="8443" > > protocol="org.apache.coyote.http11.Http11NioProtocol" > > maxThreads="150" SSLEnabled="true" > > maxParameterCount="1000" > >> > > <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" /> > > <SSLHostConfig> > > <Certificate certificateKeystoreFile="conf/tomcat10-1.jks" > > certificateKeystorePassword="changeit" type="MLDSA" > > /> > > </SSLHostConfig> > > </Connector> > > > It looks like you’re trying to use the JVM JSSE provider, but AFAICT, JVM 21 > does not support MLDSA certificates; you would need JVM 24 or 25 for that. And it's not really going to work anyway. > Current versions of OpenSSL do support MLDSA, but you have to specify that in > your <Connector> configuration. Take a look at: > > https://urldefense.com/v3/__https://tomcat.apache.org/tomcat-10.1-doc/ > ssl-howto.html*SSL_and_Tomcat__;Iw!!L8-7AA!WI4NO90wjMQuqmkSVyW4UTRf2eq > aYZqBsVd98LcK7-cUst5xamOXUtUXIgwcjOU9seYVXhVTkq-QjxU$ > https://urldefense.com/v3/__https://tomcat.apache.org/tomcat-10.1-doc/ > config/http.html*SSL_Support_-_Connector_-_NIO_and_NIO2__;Iw!!L8-7AA!W > I4NO90wjMQuqmkSVyW4UTRf2eqaYZqBsVd98LcK7-cUst5xamOXUtUXIgwcjOU9seYVXhV > TArzLakQ$ You can have the OpenSSL listener enabled in server.xml, OpenSSL in your system, and Java 25, and it works. <Listener className="org.apache.catalina.core.OpenSSLLifecycleListener" SSLEngine="on" /> Or use tomcat-native if running on older Java versions. Also for now it's best to avoid using a keystore. Rémy > - Chuck > > > > =================== > > > > Catalina log reads > > > > 14-Jul-2026 18:51:34.645 SEVERE [main] > > org.apache.catalina.util.LifecycleBase.handleSubClassException > > Failed to initialize component [Connector["https-jsse-nio2-8443"]] > > org.apache.catalina.LifecycleException: Protocol handler > > initialization failed at > > org.apache.catalina.connector.Connector.initInternal(Connector.java: > > 1084) at > > org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:122) > > at > > org.apache.catalina.core.StandardService.initInternal(StandardServic > > e.java:520) at > > org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:122) > > at > > org.apache.catalina.core.StandardServer.initInternal(StandardServer. > > java:955) at > > org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:122) > > at org.apache.catalina.startup.Catalina.load(Catalina.java:709) > > at org.apache.catalina.startup.Catalina.load(Catalina.java:732) > > at > > java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(Dir > > ectMethodHandleAccessor.java:103) at > > java.base/java.lang.reflect.Method.invoke(Method.java:580) > > at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:299) > > at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:472) > > Caused by: java.lang.IllegalArgumentException: Error creating > > SSLContext at > > org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(Abs > > tractJsseEndpoint.java:121) at > > org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(Abstra > > ctJsseEndpoint.java:78) at > > org.apache.tomcat.util.net.Nio2Endpoint.bind(Nio2Endpoint.java:137) > > at > > org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(Abstract > > Endpoint.java:1434) at > > org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.ja > > va:1447) at > > org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:932) > > at > > org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11P > > rotocol.java:82) at > > org.apache.catalina.connector.Connector.initInternal(Connector.java: > > 1082) > > ... 11 more > > Caused by: java.security.UnrecoverableKeyException: Get Key failed: > > Given final block not properly padded. Such issues can arise if a > > bad key is used during decryption. > > at > > java.base/sun.security.pkcs12.PKCS12KeyStore.internalGetKey(PKCS12Ke > > yStore.java:458) at > > java.base/sun.security.pkcs12.PKCS12KeyStore.engineGetKey(PKCS12KeyS > > tore.java:300) at > > java.base/sun.security.util.KeyStoreDelegator.engineGetKey(KeyStoreD > > elegator.java:93) at > > java.base/java.security.KeyStore.getKey(KeyStore.java:1095) > > at > > org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.ja > > va:384) at > > org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase. > > java:265) at > > org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(Abs > > tractJsseEndpoint.java:119) > > ... 18 more > > Caused by: javax.crypto.BadPaddingException: Given final block not > > properly padded. Such issues can arise if a bad key is used during > > decryption. > > at > > java.base/com.sun.crypto.provider.CipherCore.unpad(CipherCore.java:8 > > 61) at > > java.base/com.sun.crypto.provider.CipherCore.fillOutputBuffer(Cipher > > Core.java:941) at > > java.base/com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java > > :734) at > > java.base/com.sun.crypto.provider.PBES2Core.engineDoFinal(PBES2Core. > > java:203) at java.base/javax.crypto.Cipher.doFinal(Cipher.java:2265) > > at > > java.base/sun.security.pkcs12.PKCS12KeyStore.lambda$internalGetKey$0 > > (PKCS12KeyStore.java:374) at > > java.base/sun.security.pkcs12.PKCS12KeyStore$RetryWithZero.run(PKCS1 > > 2KeyStore.java:257) at > > java.base/sun.security.pkcs12.PKCS12KeyStore.internalGetKey(PKCS12Ke > > yStore.java:365) > > ... 24 more > > 14-Jul-2026 18:51:34.648 INFO [main] > > org.apache.catalina.startup.Catalina.load Server initialization in > > [6138] milliseconds > > > > Thank you, > > John MOK > > > > -------------------------------------------------------------------- > > - To unsubscribe, e-mail: [email protected] > > For additional commands, e-mail: [email protected] > > > --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected] This message and any attachments are intended only for the use of the addressee and may contain information that is privileged and confidential. If the reader of the message is not the intended recipient or an authorized representative of the intended recipient, you are hereby notified that any dissemination of this communication is strictly prohibited. If you have received this communication in error, notify the sender immediately by return email and delete the message and any attachments from your system. --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
