I defined a keystore with no password and a password for the key. I then run the following code:

    SSLHostConfig shc = new SSLHostConfig();
    shc.setProtocols("TLSv1.2");
    shc.setCertificateKeystoreFile("file:testenv/conf/keystore.p12");
    shc.setCertificateKeystorePassword("");
    shc.setCertificateKeystoreType("PKCS12");
    shc.setCertificateKeyPassword("azerty");
    shc.setHostName("_default_");
    NioEndpoint v = new NioEndpoint();
    v.setSSLEnabled(true);
    v.addSslHostConfig(shc);
    v.bind();

I'm getting this stack:

    java.lang.IllegalArgumentException: Private key must be accompanied by certificate chain
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsse ...
    Caused by: java.lang.IllegalArgumentException: Private key must be accompanied by certificate chain
        at java.security.KeyStore.setKeyEntry(KeyStore.java:1136)
        at org.apache.tomcat.util.net.jsse.JSSEUtil.getKeyManagers(JSSEUtil.java:257)
        at

If I define a password for both, or the password is defined only for the keystore, it works. If a keystore without a password is not allowed, a better message should be provided.
This looks like a malformed key store. Steps to reproduce (or at least to create the keystore) please.
I generated this key store using http://keystore-explorer.org. I switched many times between empty password, defined password for the store or the key. Of the 4 possible configurations, only the one where certificateKeystorePassword is defined works. As soon as I remove it, I get this exception. When I put it back, it's OK.
Which version of Java are you running Tomcat with?
Oracle 1.8.0_162
Thanks. I can now see what is happening. In Java 6 and earlier, the KeyStore implementation didn't support the empty String as a valid password. Tomcat therefore converted it to null. KeyStore doesn't return certificates if null is provided for the KeyStore password. As of Java 7 (the latest version at least), KeyStore does support empty passwords. We need to make some changes to allow empty passwords to be used. For 8.5.x onwards it should be fairly easy since they require Java 7 as a minimum. 7.0.x will be a little trickier as it has a minimum requirement of Java 6.
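The null versus empty-string distinction described in the comment above, as an added example that is not part of the original thread or of Tomcat's code. It assumes a JDK 8 or later with `keytool` under `java.home`; the class name, the alias `demo` and the temporary file names are hypothetical.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.Certificate;

public class EmptyStorePasswordDemo {
    static KeyStore load(Path p, char[] storePass) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(p)) { ks.load(in, storePass); }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        Path dir = Files.createTempDirectory("ksdemo");
        Path seed = dir.resolve("seed.p12"), target = dir.resolve("keystore.p12");
        char[] seedPass = "changeit".toCharArray(), keyPass = "azerty".toCharArray();

        // Constructed test material: a throwaway self-signed key pair made by the JDK's keytool.
        String keytool = Paths.get(System.getProperty("java.home"), "bin", "keytool").toString();
        int rc = new ProcessBuilder(keytool, "-genkeypair", "-alias", "demo", "-keyalg", "RSA",
                "-keysize", "2048", "-dname", "CN=demo", "-validity", "1", "-storetype", "PKCS12",
                "-keystore", seed.toString(), "-storepass", "changeit", "-keypass", "changeit")
                .inheritIO().start().waitFor();
        if (rc != 0) throw new IllegalStateException("keytool exited with " + rc);

        // Re-save it as in the report: empty keystore password, separate key password.
        KeyStore src = load(seed, seedPass);
        KeyStore out = KeyStore.getInstance("PKCS12");
        out.load(null, null);
        out.setKeyEntry("demo", src.getKey("demo", seedPass), keyPass, src.getCertificateChain("demo"));
        try (OutputStream os = Files.newOutputStream(target)) { out.store(os, new char[0]); }

        // Load once with null (what the empty string used to be converted to) and once with "".
        for (char[] storePass : new char[][] { null, new char[0] }) {
            KeyStore ks = load(target, storePass);
            Key key = ks.getKey("demo", keyPass);
            Certificate[] chain = ks.getCertificateChain("demo");
            System.out.printf("store password %s: chain = %s%n", storePass == null ? "null" : "\"\"",
                    chain == null ? "null" : chain.length + " certificate(s)");
            try { // Copying the entry into a second store is the step that fails in the stack trace.
                KeyStore mem = KeyStore.getInstance("PKCS12");
                mem.load(null, null);
                mem.setKeyEntry("demo", key, keyPass, chain);
                System.out.println("  setKeyEntry succeeded");
            } catch (IllegalArgumentException e) {
                System.out.println("  setKeyEntry failed: " + e.getMessage());
            }
        }
    }
}
```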
Fixed in:
- trunk for 9.0.11 onwards
- 8.5.x for 8.5.33 onwards
- 7.0.x for 7.0.91 onwards