ERR_SSL_KEY_USAGE_INCOMPATIBLE Solution

I recently encountered the error message ERR_SSL_KEY_USAGE_INCOMPATIBLE in chrome using a self signed certificate. I spent hours trying to solve the problem before finally re-generating the certificate with:

openssl req -new -x509 -days 36500 -nodes -newkey rsa:2048 -keyout cert.key -out cert.crt -extensions v3_req

Hope this helps someone else.

2

2 Answers

I solve this problem by changing keyUsage = keyEncipherment, dataEncipherment to keyUsage = nonRepudiation, digitalSignature, keyEncipherment in the section v3_req in file req.conf like acme.sh does, There's no error with chrome 75 now.

My problem might be a little different. It is ok with original configuration with tls1.2, but ERR_SSL_KEY_USAGE_INCOMPATIBLE with tls1.3.

The command to generate certification is as following.

openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout cert.key -out cert.cer -config req.conf -extensions v3_req 

full content of my req.conf

[req] distinguished_name = req_distinguished_name x509_extensions = v3_req prompt = no [req_distinguished_name] # C = US # ST = California # L = Los Angeles # O = Internet Corporation for Assigned Names and Numbers # OU = IT Operations CN = home.arpa [v3_req] keyUsage = nonRepudiation, digitalSignature, keyEncipherment extendedKeyUsage = serverAuth subjectAltName = @alt_names [alt_names] DNS.1 = home.arpa DNS.2 = *.home.arpa IP.1 = 192.168.1.1 IP.2 = fe80::123:4567:89ab:cdef 
4

This issue is related to the value of the 'KeyUsage' parameter in the SSL config of 'v3_req'.

Removing 'KeyUsage' from the config will imply that any usage is valid for the certificate. For some reason (which I haven't yet determined) if keyusage is specified Chrome 75/76 will reject the Key for self-signed certificates over localhost.

Removing the 'KeyUsage' paramater from v3_req and regenerating the certifcate fixes the issue, hence the command posted by Tiffany will work as no KeyUsage is specified.

1

You Might Also Like