Tomcat cannot restart with error "ssl_no_cypher_overlap"

Usually, this error can be seen in Tomcat servlet container restart error logs (catalina.out), or in the browser while attempting to make a secure connection to your website.


This error refers to the fact that a private key has been generated using unknown or obsolete ciphers. This means the following command has been used for keystore generation:

keytool -genkey -keysize 2048 -alias 'keystore alias' -keystore 'your keystore'.jks

By default, Tomcat keytool instance generates the private key using a DSA algorithm that is now obsolete.

The command used for test keystore is:

keytool -genkey -alias tomcat -keystore /root/ssltest/test_test_test.jks

*omitted -keyalg RSA and -keysize flags.


During the certificate issuance, the public key is converted to standard RSA and embedded in the body of the signed and issued certificate. So in this case, since there is no similar algorithm overlapping, an error occurs.

The solution is rather straightforward - simply reissue the certificate with a new keystore. You must specify -keyalg RSA to make sure that the key is generated using that algorithm.

The procedure is as follows:

  1. Generate a new keystore.
    The correct command to create a new keystore is:

    keytool -genkey -keyalg RSA -keysize 2048 -alias 'keystore alias' -keystore 'your new keystore'.jks

  2. Generate a new CSR
    Once a keystore is created, a new CSR should be generated.
  3. Reissue of the certificate
    Once the CSR is obtained, check it here and proceed to the reissue.
21886 times

Need help? We're always here for you.