How to fix the ERR_SSL_KEY_USAGE_INCOMPATIBLE Microsoft Edge?

Jesse Mead 65

This is being seen when we try to go to a self signed certificate in latest version 121.0.2277.83 64-bit. We get this error ERR_SSL_KEY_USAGE_INCOMPATIBLE. Is there a fix for this?

Dennis A 5 Reputation points

2024-01-30T17:52:01.4366667+00:00

Jaden, thanks for your help, the solution worked for me. One note though - I had to use CERTLM-MMC to manually copy newly created certificate to the Trusted Root Certification Authorities store.

2 answers

Jaden Moore 60 Reputation points

2024-01-29T19:14:53.8466667+00:00
I have had this same issue all morning. My entire software infrastructure has been offline after my devices updated to Edge 121.0.2277.83 and gave me the ERR_SSL_KEY_USAGE_INCOMPATIBLE issue.

I fixed it through the following steps:

I had to create a new self signed SSL certificate through PowerShell, using the following command: New-SelfSignedCertificate -FriendlyName ANY_CERT_NAME -DnsName YOUR_SERVER_PC_NAME -KeyUsage DigitalSignature (the main change here is the KeyUsage type - the IIS Manager wouldn't let me create self signed certificates with this type).

Go into your IIS Manager, and edit your sites' bindings to use the newly created certificate. This guide shows exactly how I did it: https://docs.tenable.com/identity-exposure/Installation/Content/06_Manage/view-IIS-certificate.htm

Hope this helps.
Please sign in to rate this answer.

12 people found this answer helpful.
Edgar Bryan Lopez 0 Reputation points

2024-01-30T17:31:19.8166667+00:00

Hello, good day. I've already created the certificate with the following command: New-SelfSignedCertificate -FriendlyName ANY_CERT_NAME -DnsName Administrador -KeyUsage DigitalSignature. However, it generates a .cer certificate, and IIS does not allow me to import that type of certificate.

Dennis A 5 Reputation points

2024-01-30T17:51:20.81+00:00

Edgar, the YOUR_SERVER_PC_NAME should be your server's (DNS)name, not your username. Once you executed the command the certificate should appear both in the IIS-MMC "Server Certificates" and CERTLM-MMC. Jaden, thanks for your help, the solution worked for me. One note though - I had to use CERTLM-MMC to manually copy newly created certificate to the Trusted Root Certification Authorities store.

Henk De Groot 0 Reputation points

2024-01-31T19:38:52.5866667+00:00

Some more background information on why this is happening/need can be found here: https://stackoverflow.com/questions/77519169/err-ssl-key-usage-incompatible-error-google-chrome-this-site-cant-be-reached-mi When the self-signed certificate is only used in a local setup, you may also consider to add a registry key to windows to disable the default policy: RSAKeyUsageForLocalAnchorsEnabled.

For MS Edge the key is:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge] "RSAKeyUsageForLocalAnchorsEnabled"=dword:00000000

For Google Chrome the key is: [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome\RSAKeyUsageForLocalAnchorsEnabled] "RSAKeyUsageForLocalAnchorsEnabled"=dword:00000000

Obvious, it is a lot easier to generate the self-signed certificate using a powershell script, which you can even enhance to automatically place it into the trusted root store and the webhosting or personal store as well.

Felix V 0 Reputation points

2024-02-01T23:29:23.41+00:00

Jaden, where can I find the cert. on the local drive? Not able to locate MMC. Thanks
Sign in to comment
Dennis A 5 Reputation points

2024-01-30T17:52:32.0966667+00:00

Jaden, thanks for your help, the solution worked for me. One note though - I had to use CERTLM-MMC to manually copy newly created certificate to the Trusted Root Certification Authorities store.
Please sign in to rate this answer.

1 person found this answer helpful.
Felix V 0 Reputation points

2024-02-01T22:50:12.87+00:00

When you MMC how and where do you copy the newly created Cert? It's not under Trusted Root Cert. Authorities - > Cert. Thanks

Donna Rothschild 0 Reputation points

2024-02-08T15:28:28.71+00:00

To bypass the ERR_SSL_KEY_USAGE_INCOMPATIBLE error when developing locally with Chrome, add the registry key in the title "RSAKeyUsageForLocalAnchorsEnabled" (sans quotes) as a new DWORD and leave the value as 0, which is False, to the following registry location "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome". This also works for the same Edge issue. Just navigate to "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge". This worked for awhile, then quit working.
Sign in to comment

Share via

How to fix the ERR_SSL_KEY_USAGE_INCOMPATIBLE Microsoft Edge?

2 answers