ERR_SSL_KEY_USAGE_INCOMPATIBLE Solution

Question

I recently encountered the error message ERR_SSL_KEY_USAGE_INCOMPATIBLE in chrome using a self signed certificate. I spent hours trying to solve the problem before finally re-generating the certificate with:

openssl req -new -x509 -days 36500 -nodes -newkey rsa:2048 -keyout cert.key -out cert.crt -extensions v3_req

Hope this helps someone else.

Actually - you want to post the solution as an answer (Its perfectly fine). Might also help to say where you're using this cert, just for completeness sake. — Journeyman Geek, Jun 23 '19 at 09:08

martian · Answer 1 · 2023-06-25T08:33:56.563

31

I solve this problem by changing ~~keyUsage = keyEncipherment, dataEncipherment~~ to keyUsage = nonRepudiation, digitalSignature, keyEncipherment in the section v3_req in file req.conf like acme.sh does, There's no error with chrome 75 now.

My problem might be a little different. It is ok with original configuration with tls1.2, but ERR_SSL_KEY_USAGE_INCOMPATIBLE with tls1.3.

The command to generate certification is as following.

openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout cert.key -out cert.crt -config req.conf -extensions v3_req

full content of my req.conf

[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
# C = US
# ST = California
# L = Los Angeles
# O = Internet Corporation for Assigned Names and Numbers
# OU = IT Operations
CN = home.arpa
[v3_req]
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = home.arpa
DNS.2 = *.home.arpa
IP.1 = 192.168.1.1
IP.2 = fe80::123:4567:89ab:cdef

edited Jun 25 '23 at 08:33

answered Aug 01 '19 at 03:01

martian

411
3
5

3

You are a lifesaver! That is exactly what it was. Thanks for your help. – Robert Kearns Dec 01 '19 at 14:56
3

You shouldn't need nonRepudiation on a server certificate from my understanding. Otherwise, great answer! Note that I imagine this error comes from this article: https://support.citrix.com/article/CTX135602 which seems to be just sort of wrong. – DylanYoung May 29 '20 at 18:54
There's super useful details here as well: https://superuser.com/questions/738612/openssl-ca-keyusage-extension – DylanYoung May 29 '20 at 18:56
2

I can confirm that `keyUsage = digitalSignature, keyEncipherment` is sufficient and works in Chrome 83 (where the original `keyUsage = keyEncipherment, dataEncipherment` did not). – n.st Jul 25 '20 at 10:33

score 4 · Answer 2 · answered Jul 31 '19 at 11:43

4

This issue is related to the value of the 'KeyUsage' parameter in the SSL config of 'v3_req'.

Removing 'KeyUsage' from the config will imply that any usage is valid for the certificate. For some reason (which I haven't yet determined) if keyusage is specified Chrome 75/76 will reject the Key for self-signed certificates over localhost.

Removing the 'KeyUsage' paramater from v3_req and regenerating the certifcate fixes the issue, hence the command posted by Tiffany will work as no KeyUsage is specified.

answered Jul 31 '19 at 11:43

Matt

51
2

Encountered this with the application [stunnel](https://stunnel.org) - by default the auto-generated certificate specifies `keyUsage = keyCertSign` only, resulting in this error if proxying web content. Regenerating with KeyUsage commented out in the .conf corrects the error. – Toglik Apr 23 '20 at 02:40

ERR_SSL_KEY_USAGE_INCOMPATIBLE Solution

2 Answers2