ERR_SSL_KEY_USAGE_INCOMPATIBLE Solution


Solution 1

I solved this problem by changing keyUsage = keyEncipherment, dataEncipherment to keyUsage = nonRepudiation, digitalSignature, keyEncipherment in the v3_req section of req.conf, like acme.sh does. There's no error with Chrome 75 now.

My problem might be a little different: it is OK with the original configuration with TLS 1.2, but gives ERR_SSL_KEY_USAGE_INCOMPATIBLE with TLS 1.3.

The command to generate the certificate is as follows.

openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout cert.key -out cert.cer -config req.conf -extensions v3_req

Full content of my req.conf:

[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
# C = US
# ST = California
# L = Los Angeles
# O = Internet Corporation for Assigned Names and Numbers
# OU = IT Operations
CN = home.arpa
[v3_req]
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = home.arpa
DNS.2 = *.home.arpa
IP.1 = 192.168.1.1
IP.2 = fe80::123:4567:89ab:cdef
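As an added example (not part of the answer above), the following script builds a self-signed certificate from a req.conf-style file with a chosen keyUsage value and then checks whether the Digital Signature bit made it into the certificate. That bit is what TLS 1.3 needs: the handshake always signs with the server key, so keyEncipherment alone (RSA key transport, TLS 1.2 and earlier) is not enough. The config is a constructed, trimmed copy of Solution 1's; paths and the helper names are this example's own.

```shell
#!/bin/sh
# Added example: generate a cert from a minimal req.conf and verify that its
# keyUsage carries digitalSignature, the bit a TLS 1.3 server cert must have.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Write a constructed config modelled on Solution 1's req.conf.
# $1 = the keyUsage value to put in the v3_req section.
make_conf() {
  cat > "$WORK/req.conf" <<EOF
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
CN = home.arpa
[v3_req]
keyUsage = $1
extendedKeyUsage = serverAuth
subjectAltName = DNS:home.arpa
EOF
}

# Generate a self-signed cert with the given keyUsage (same openssl req
# invocation as Solution 1, shorter validity) and return 0 only if the
# resulting certificate's Key Usage extension lists Digital Signature.
check_key_usage() {
  make_conf "$1"
  openssl req -x509 -nodes -days 30 -newkey rsa:2048 \
    -keyout "$WORK/cert.key" -out "$WORK/cert.cer" \
    -config "$WORK/req.conf" -extensions v3_req 2>/dev/null
  openssl x509 -in "$WORK/cert.cer" -noout -text \
    | grep -q 'Digital Signature'
}

# Usage: the original value fails the check, the fixed value passes it.
if check_key_usage 'keyEncipherment, dataEncipherment'; then
  echo 'unexpected: original keyUsage has digitalSignature'
else
  echo 'original keyUsage lacks digitalSignature (TLS 1.3 incompatible)'
fi
check_key_usage 'digitalSignature, keyEncipherment' \
  && echo 'fixed keyUsage has digitalSignature'
```

Run the same `openssl x509 -noout -text` inspection on any existing cert that triggers the error to see which bits it actually carries.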

Solution 2

This issue is related to the value of the 'KeyUsage' parameter in the SSL config of 'v3_req'.

Removing 'KeyUsage' from the config will imply that any usage is valid for the certificate. For some reason (which I haven't yet determined), if keyUsage is specified, Chrome 75/76 will reject the key for self-signed certificates over localhost.

Removing the 'KeyUsage' parameter from v3_req and regenerating the certificate fixes the issue, hence the command posted by Tiffany will work as no KeyUsage is specified.

Author: Tiffany

Updated on September 18, 2022

Comments

  • Tiffany
    Tiffany over 1 year

    I recently encountered the error message ERR_SSL_KEY_USAGE_INCOMPATIBLE in Chrome using a self-signed certificate. I spent hours trying to solve the problem before finally re-generating the certificate with:

    openssl req -new -x509 -days 36500 -nodes -newkey rsa:2048 -keyout cert.key -out cert.crt -extensions v3_req

    Hope this helps someone else.

    • Admin
      Admin almost 5 years
      Actually, you want to post the solution as an answer (it's perfectly fine). Might also help to say where you're using this cert, just for completeness' sake.
    • Admin
      Admin almost 5 years
      This helped me with a broken CUPS SSL cert with RHEL 8.
  • Robert Kearns
    Robert Kearns over 4 years
    You are a lifesaver! That is exactly what it was. Thanks for your help.
  • Toglik
    Toglik about 4 years
    Encountered this with the application stunnel - by default the auto-generated certificate specifies keyUsage = keyCertSign only, resulting in this error if proxying web content. Regenerating with KeyUsage commented out in the .conf corrects the error.
  • DylanYoung
    DylanYoung almost 4 years
    You shouldn't need nonRepudiation on a server certificate from my understanding. Otherwise, great answer! Note that I imagine this error comes from this article: support.citrix.com/article/CTX135602 which seems to be just sort of wrong.
  • DylanYoung
    DylanYoung almost 4 years
    There's super useful details here as well: superuser.com/questions/738612/openssl-ca-keyusage-extension
  • n.st
    n.st almost 4 years
    I can confirm that keyUsage = digitalSignature, keyEncipherment is sufficient and works in Chrome 83 (where the original keyUsage = keyEncipherment, dataEncipherment did not).