SSL Windows Certification Error on Tomcat 9

SSL is enabled in my server Tomcat 7.0.108. I enabled it according to this answer https://stackoverflow.com/a/48883483

My Connector in server.xml is:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxHttpHeaderSize="65536"
           maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           clientAuth="false"
           sslProtocol="TLS"
           keyAlias="tomcat"
           keystoreFile=""
           keystorePass=""
           keystoreType="Windows-My">
</Connector>

But in Tomcat 9.0.45 the same configuration has an error:

org.apache.tomcat.util.net.openssl.OpenSSLContext.init Error initializing SSL context
    java.lang.NullPointerException
        at java.util.Base64$Encoder.encode(Base64.java:261)
        at java.util.Base64$Encoder.encodeToString(Base64.java:315)
        at org.apache.tomcat.util.net.openssl.OpenSSLContext.addCertificate(OpenSSLContext.java:405)
        at org.apache.tomcat.util.net.openssl.OpenSSLContext.init(OpenSSLContext.java:250)

Has anyone enabled SSL with Tomcat 9 using Windows certs?

Answer

The error is caused by the SSLImplementation selected by Tomcat: the OpenSSLImplementation requires direct access to the private key, which is impossible if you use the Windows-MY keystore.

You just need to switch to JSSEImplementation, which results in the following configuration:

<Connector port="8443"
           sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
           scheme="https" secure="true" SSLEnabled="true">
    <SSLHostConfig>
        <Certificate certificateKeystoreType="Windows-MY"
                     certificateKeystoreFile=""
                     certificateKeyAlias="tomcat" />
    </SSLHostConfig>
</Connector>

The default value of sslImplementationName automatically switches from JSSEImplementation to OpenSSLImplementation whenever the Tomcat Native library is present (which is common on Windows): cf. Tomcat Documentation.

Note that since Tomcat 8.5 the SSL configuration syntax has changed. The one you use in your question has been deprecated in Tomcat 8.5 and removed from Tomcat 10.0.
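
A pre-upgrade check for the condition described in the answer above, as an added example that is not part of the original question or answer: it scans a server.xml for TLS connectors that use a Windows keystore without pinning sslImplementationName to JSSE, and for the connector-level keystore attributes from the older syntax. The function name, finding labels and sample documents are constructed for illustration; the samples mirror the two connectors on this page.

```python
import xml.etree.ElementTree as ET

JSSE = "org.apache.tomcat.util.net.jsse.JSSEImplementation"
# Connector-level keystore attributes from the question's pre-8.5 syntax.
LEGACY_ATTRS = ("keystoreType", "keystoreFile", "keystorePass", "keyAlias")

# Constructed sample input: the question's connector plus a plain HTTP one.
QUESTION_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
             scheme="https" secure="true" SSLEnabled="true" clientAuth="false"
             sslProtocol="TLS" keyAlias="tomcat" keystoreFile="" keystorePass=""
             keystoreType="Windows-My"/>
</Service></Server>"""

# Constructed sample input: the answer's connector.
ANSWER_XML = """<Server><Service name="Catalina">
  <Connector port="8443" sslImplementationName="%s"
             scheme="https" secure="true" SSLEnabled="true">
    <SSLHostConfig>
      <Certificate certificateKeystoreType="Windows-MY"
                   certificateKeystoreFile="" certificateKeyAlias="tomcat"/>
    </SSLHostConfig>
  </Connector>
</Service></Server>""" % JSSE

def audit_connectors(server_xml):
    """Return one finding per TLS-enabled Connector in a server.xml string."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # not a TLS connector
        types = [conn.get("keystoreType")]
        types += [c.get("certificateKeystoreType") for c in conn.iter("Certificate")]
        windows_store = any(t and t.lower().startswith("windows-") for t in types)
        issues = []
        # Without an explicit JSSE setting the default may pick OpenSSL.
        if windows_store and conn.get("sslImplementationName") != JSSE:
            issues.append("windows-keystore-without-explicit-jsse")
        legacy = [a for a in LEGACY_ATTRS if a in conn.attrib]
        if legacy:
            issues.append("legacy-keystore-attributes:" + ",".join(legacy))
        findings.append({"port": conn.get("port"), "issues": issues})
    return findings

if __name__ == "__main__":
    for name, xml in (("question", QUESTION_XML), ("answer", ANSWER_XML)):
        print(name, audit_connectors(xml))
```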