I recently encountered the error message ERR_SSL_KEY_USAGE_INCOMPATIBLE in chrome using a self signed certificate. I spent hours trying to solve the problem before finally re-generating the certificate with:
openssl req -new -x509 -days 36500 -nodes -newkey rsa:2048 -keyout cert.key -out cert.crt -extensions v3_req
Hope this helps someone else.
22 Answers
I solve this problem by changing to keyUsage = keyEncipherment, dataEnciphermentkeyUsage = nonRepudiation, digitalSignature, keyEncipherment in the section v3_req in file req.conf like acme.sh does, There's no error with chrome 75 now.
My problem might be a little different. It is ok with original configuration with tls1.2, but ERR_SSL_KEY_USAGE_INCOMPATIBLE with tls1.3.
The command to generate certification is as following.
openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout cert.key -out cert.cer -config req.conf -extensions v3_req full content of my req.conf
[req] distinguished_name = req_distinguished_name x509_extensions = v3_req prompt = no [req_distinguished_name] # C = US # ST = California # L = Los Angeles # O = Internet Corporation for Assigned Names and Numbers # OU = IT Operations CN = home.arpa [v3_req] keyUsage = nonRepudiation, digitalSignature, keyEncipherment extendedKeyUsage = serverAuth subjectAltName = @alt_names [alt_names] DNS.1 = home.arpa DNS.2 = *.home.arpa IP.1 = 192.168.1.1 IP.2 = fe80::123:4567:89ab:cdef 4This issue is related to the value of the 'KeyUsage' parameter in the SSL config of 'v3_req'.
Removing 'KeyUsage' from the config will imply that any usage is valid for the certificate. For some reason (which I haven't yet determined) if keyusage is specified Chrome 75/76 will reject the Key for self-signed certificates over localhost.
Removing the 'KeyUsage' paramater from v3_req and regenerating the certifcate fixes the issue, hence the command posted by Tiffany will work as no KeyUsage is specified.
1