SSL Windows Certification Error on Tomcat 9



SSL is enabled in my server Tomcat 7.0.108. I enabled it according to this answer https://stackoverflow.com/a/48883483

My Connector in server.xml is:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxHttpHeaderSize="65536"
           maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           clientAuth="false"
           sslProtocol="TLS"
           keyAlias="tomcat"
           keystoreFile=""
           keystorePass=""
           keystoreType="Windows-My">
</Connector>

But in Tomcat 9.0.45 the same configuration gives an error:

org.apache.tomcat.util.net.openssl.OpenSSLContext.init Error initializing SSL context
    java.lang.NullPointerException
        at java.util.Base64$Encoder.encode(Base64.java:261)
        at java.util.Base64$Encoder.encodeToString(Base64.java:315)
        at org.apache.tomcat.util.net.openssl.OpenSSLContext.addCertificate(OpenSSLContext.java:405)
        at org.apache.tomcat.util.net.openssl.OpenSSLContext.init(OpenSSLContext.java:250)

Has anyone enabled SSL with Tomcat 9 using Windows certs?

Answer

The error is caused by the SSLImplementation selected by Tomcat: the OpenSSLImplementation requires direct access to the private key, which is impossible if you use the Windows-MY keystore.

You just need to switch to JSSEImplementation, which results in the following configuration:

<Connector port="8443"
           sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
           scheme="https" secure="true" SSLEnabled="true">
    <SSLHostConfig>
        <Certificate certificateKeystoreType="Windows-MY"
                     certificateKeystoreFile=""
                     certificateKeyAlias="tomcat" />
    </SSLHostConfig>
</Connector>

The default value of sslImplementationName automatically switches from JSSEImplementation to OpenSSLImplementation whenever the Tomcat Native library is present (which is common on Windows); cf. the Tomcat documentation.

Note that the SSL configuration syntax changed in Tomcat 8.5. The one you use in your question was deprecated in Tomcat 8.5 and removed in Tomcat 10.0.
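As an added example (not part of the original question or answer, and not Tomcat's own code), the small stand-alone Java program below opens the same Windows-MY keystore through the JDK's SunMSCAPI provider, which is the path JSSEImplementation takes. It shows the two things worth checking before touching server.xml: that the alias Tomcat is told to use actually resolves to a key entry in that store, and that the private key behind it cannot be exported (getEncoded() returns null for SunMSCAPI keys), which is the condition the OpenSSL-based implementation stumbles over while JSSE initializes an SSLContext from the same keystore without complaint. It assumes the alias "tomcat" (Windows-MY aliases are the certificates' friendly names), and that it is run on Windows under the same account that runs the Tomcat service, because Windows-MY is that user's personal certificate store, not the machine store.

```java
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;

/**
 * Diagnostic for a Tomcat HTTPS connector that uses the Windows certificate store.
 * Run as the Windows account Tomcat runs under, e.g.:
 *   java WindowsMyCheck tomcat
 */
public class WindowsMyCheck {

    public static void main(String[] args) throws Exception {
        // "tomcat" is an assumed alias; pass the real friendly name as the first argument.
        String alias = args.length > 0 ? args[0] : "tomcat";

        KeyStore ks;
        try {
            // Windows-MY is provided by SunMSCAPI and only exists on Windows JDKs.
            ks = KeyStore.getInstance("Windows-MY");
        } catch (KeyStoreException e) {
            System.err.println("Windows-MY keystore not available (not a Windows JDK?): " + e);
            System.exit(2);
            return;
        }
        // The store is backed by the OS; there is no file and no password.
        ks.load(null, null);

        System.out.println("Aliases visible in this account's Windows-MY store: "
                + Collections.list(ks.aliases()));

        if (!ks.isKeyEntry(alias)) {
            // Either the certificate is missing, lives in another account's store,
            // or was imported without its private key.
            System.err.println("No key entry named '" + alias + "' in Windows-MY");
            System.exit(1);
        }

        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
        PrivateKey key = (PrivateKey) ks.getKey(alias, null); // password is ignored by MSCAPI

        System.out.println("Subject : " + cert.getSubjectX500Principal());
        System.out.println("Expires : " + cert.getNotAfter());
        System.out.println("Key alg : " + key.getAlgorithm() + ", format=" + key.getFormat());

        // MSCAPI-backed keys are not exportable: getEncoded() is null. An SSL
        // implementation that needs the raw key bytes (as the OpenSSL one does)
        // cannot work with this store; JSSE only ever asks the key to sign.
        byte[] encoded = key.getEncoded();
        System.out.println("Private key exportable via getEncoded(): " + (encoded != null));

        // What JSSEImplementation effectively does: build an SSLContext from the store.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, null);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null);
        System.out.println("JSSE SSLContext initialized from Windows-MY using protocol " + ctx.getProtocol());
    }
}
```

If the alias list printed here is empty or lacks the expected name, the fix is on the Windows side (import the PFX into the personal store of the service account, with the private key marked as present), not in the connector; if the program reaches the last line, the JSSE connector shown in the answer will initialize with the same store.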



Source: stackoverflow