Err_ssl_key_usage_incompatible

Hello, I am servicing Tomcat 7 and Java 6 on a Windows server. I received a certificate from Let's Encrypt and converted it to pem -> pk12 -> jks and applied it. Then, when I connect, an error called ERR_SSL_KEY_USAGE_INCOMPATIBLE appears. Help.
Is it possible that Java 6 is not supported? ISRG root 1 doesn't seem to have Java 6.

Well, firstly, unless you're one of the few paying customers who still has access to extended support, Java 6 has been out of support for over 11(!) years. According to an internet search, the last publicly available version of Java 6 does not support anything better than TLSv1.1, only supports 1024-bit DHE (or static) key exchanges, and is vulnerable to several remote code execution vulnerabilities. I strongly suggest not connecting anything running plain old Java 6 to the public internet.

5 Likes

ERR_SSL_KEY_USAGE_INCOMPATIBLE sounds like an error from Chrome/Edge when a cert with a bad “key usage” field is encountered, which is most common in misconfigured self-signed certificates, and shouldn’t happen with any Let’s Encrypt certificate.

That suggests to me you aren’t using the certificate you think you are. Can you view the certificate from the browser that’s giving that error?

6 Likes
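
The same check can be made on the server side by listing what the converted JKS file actually contains. This is an added example, not code from the thread; the class name `KeystoreKeyUsage` and the keystore path and password arguments are assumptions, and the code avoids anything newer than Java 6.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

// Added example (hypothetical class name): prints issuer and keyUsage for every
// certificate in a JKS keystore, to confirm which certificate Tomcat will serve.
// Usage (both arguments are placeholders): java KeystoreKeyUsage <keystore.jks> <password>
public class KeystoreKeyUsage {
    // Bit order of the X.509 keyUsage extension, as returned by getKeyUsage()
    private static final String[] NAMES = {
        "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
        "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly"
    };

    static String describe(boolean[] usage) {
        if (usage == null) return "(no keyUsage extension)";
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < usage.length && i < NAMES.length; i++) {
            if (usage[i]) {
                if (sb.length() > 0) sb.append(", ");
                sb.append(NAMES[i]);
            }
        }
        return sb.length() == 0 ? "(extension present, no bits set)" : sb.toString();
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        FileInputStream in = new FileInputStream(args[0]);
        try {
            ks.load(in, args[1].toCharArray());
        } finally {
            in.close();
        }
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            // For a private key entry this is the leaf certificate of its chain
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) continue;
            X509Certificate x = (X509Certificate) c;
            System.out.println("alias:    " + alias
                + (ks.isKeyEntry(alias) ? " (private key entry)" : " (trusted cert)"));
            System.out.println("subject:  " + x.getSubjectX500Principal().getName());
            System.out.println("issuer:   " + x.getIssuerX500Principal().getName());
            System.out.println("notAfter: " + x.getNotAfter());
            System.out.println("keyUsage: " + describe(x.getKeyUsage()));
        }
    }
}
```

If the private key entry shows an issuer other than Let's Encrypt, or the subject equals the issuer, the keystore holds a different certificate from the one that was issued.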

A lot of companies do not have the resources to migrate legacy software to newer platforms. A good strategy for these situations is to use a gateway server to terminate TLS, so modern ciphers and protocols can be used. Oftentimes, there will be modern security packages installed on this as well, to defend against common attack vectors.

8 Likes

I second that, and even just running Tomcat as HTTP on a high port (behind the firewall) and proxying that with IIS, Caddy on the same server, etc. will give you a much easier-to-maintain TLS setup.

4 Likes
