ERR_SSL_KEY_USAGE_INCOMPATIBLE Solution
Solution 1
I solved this problem by changing
keyUsage = keyEncipherment, dataEncipherment
to
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
in the section v3_req in the file req.conf, like acme.sh does. There's no error with Chrome 75 now.
My problem might be a little different. It is OK with the original configuration over TLS 1.2, but gives ERR_SSL_KEY_USAGE_INCOMPATIBLE over TLS 1.3.
The command to generate the certificate is as follows:
openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout cert.key -out cert.cer -config req.conf -extensions v3_req
Full content of my req.conf:
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
# C = US
# ST = California
# L = Los Angeles
# O = Internet Corporation for Assigned Names and Numbers
# OU = IT Operations
CN = home.arpa
[v3_req]
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = home.arpa
DNS.2 = *.home.arpa
IP.1 = 192.168.1.1
IP.2 = fe80::123:4567:89ab:cdef
Solution 2
This issue is related to the value of the 'keyUsage' parameter in the SSL config section 'v3_req'.
Removing 'keyUsage' from the config will imply that any usage is valid for the certificate. For some reason (which I haven't yet determined) if keyUsage is specified Chrome 75/76 will reject the key for self-signed certificates over localhost.
Removing the 'keyUsage' parameter from v3_req and regenerating the certificate fixes the issue, hence the command posted by Tiffany will work as no keyUsage is specified.
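Why the original keyUsage line passes over TLS 1.2 but not TLS 1.3, as an added example (not code from the question or its answers): Chrome's check requires digitalSignature in keyUsage for any (EC)DHE handshake, which is all TLS 1.3 offers, and keyEncipherment for the static RSA key exchange of TLS 1.2, while an absent extension passes every check. The script parses the keyUsage line of a req.conf and reports which handshakes a certificate generated from it can serve; the handshake labels and the sample config are constructed for this example.

```python
"""Added example (not from the question or answers) modelling Chrome's keyUsage
check: with the extension present, (EC)DHE handshakes (all of TLS 1.3) need
digitalSignature and TLS 1.2 static RSA key exchange needs keyEncipherment."""
import configparser

# Bit each handshake type needs; the labels are this example's own.
REQUIRED_BIT = {
    "tls1.2-rsa": "keyEncipherment",     # RSA key transport (RSA keys only)
    "tls1.2-ecdhe": "digitalSignature",  # ECDHE_RSA / ECDHE_ECDSA suites
    "tls1.3": "digitalSignature",        # every TLS 1.3 handshake is signed
}


def parse_key_usage(req_conf, section="v3_req"):
    """Return the keyUsage bits from an openssl req config, or None if unset."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # openssl option names are case-sensitive
    cp.read_string(req_conf)
    raw = cp.get(section, "keyUsage", fallback=None)
    if raw is None:
        return None
    bits = {b.strip() for b in raw.split(",")}
    bits.discard("critical")  # a flag on the extension, not a usage bit
    return frozenset(bits)


def key_usage_compatible(bits, handshake, key_type="rsa"):
    """True if this handshake can use a key carrying these keyUsage bits."""
    if handshake == "tls1.2-rsa" and key_type != "rsa":
        return False  # only an RSA key can do RSA key transport at all
    if bits is None:
        return True  # no extension: any usage is allowed
    return REQUIRED_BIT[handshake] in bits


def check_config(req_conf, key_type="rsa"):
    """Map each handshake type to whether a cert from this config can serve it."""
    bits = parse_key_usage(req_conf)
    return {hs: key_usage_compatible(bits, hs, key_type) for hs in REQUIRED_BIT}


# Constructed sample: the question's v3_req section before Solution 1's change.
ORIGINAL_CONF = """[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
"""
FIXED_CONF = ORIGINAL_CONF.replace(
    "keyUsage = keyEncipherment, dataEncipherment",
    "keyUsage = nonRepudiation, digitalSignature, keyEncipherment")
```

Running check_config on the stunnel default from the comments (keyUsage = keyCertSign only) reports every handshake as incompatible, which matches the error Toglik saw.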
Tiffany
Updated on September 18, 2022
Comments
-
Tiffany over 1 year
I recently encountered the error message ERR_SSL_KEY_USAGE_INCOMPATIBLE in Chrome using a self-signed certificate. I spent hours trying to solve the problem before finally regenerating the certificate with:
openssl req -new -x509 -days 36500 -nodes -newkey rsa:2048 -keyout cert.key -out cert.crt -extensions v3_req
Hope this helps someone else.
-
Admin almost 5 years
Actually - you want to post the solution as an answer (it's perfectly fine). Might also help to say where you're using this cert, just for completeness' sake.
-
Admin almost 5 years
This helped me with a broken CUPS SSL cert with RHEL 8.
-
Robert Kearns over 4 years
You are a lifesaver! That is exactly what it was. Thanks for your help.
-
Toglik about 4 years
Encountered this with the application stunnel - by default the auto-generated certificate specifies
keyUsage = keyCertSign
only, resulting in this error if proxying web content. Regenerating with keyUsage commented out in the .conf corrects the error.
-
DylanYoung almost 4 years
You shouldn't need nonRepudiation on a server certificate from my understanding. Otherwise, great answer! Note that I imagine this error comes from this article: support.citrix.com/article/CTX135602 which seems to be just sort of wrong.
-
DylanYoung almost 4 years
There's super useful details here as well: superuser.com/questions/738612/openssl-ca-keyusage-extension
-
n.st almost 4 years
I can confirm that
keyUsage = digitalSignature, keyEncipherment
is sufficient and works in Chrome 83 (where the original
keyUsage = keyEncipherment, dataEncipherment
did not).