ERR_SSL_KEY_USAGE_INCOMPATIBLE

Benjamin Bell 0 Reputation points
2024-02-03T06:07:12.0633333+00:00

Whenever I try to access an on-premises machine that has a self-signed certificate assigned to it, Microsoft Edge gives me the ERR_SSL_KEY_USAGE_INCOMPATIBLE error message in return. I've never encountered this error before when accessing this machine. Does Edge no longer allow you to access sites that have self-signed certificates assigned to them?


2 answers

  1. Jinxin Wang (Shanghai Wicresoft Co Ltd) 2,195 Reputation points Microsoft External Staff
    2024-02-05T06:23:58.48+00:00

    Hi @Benjamin Bell

    You can try the workaround to resolve this issue:

    1. After Win+R opens, enter "regedit" and navigate as follows: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge.

    2. Create a new DWORD entry named: RSAKeyUsageForLocalAnchorsEnabled

    3. Set the value to: 0x00000000 (0)

    Note:  Create the above registry location if it does not already exist.

    The appropriate solution is for the server certificate to be re-issued with the correct keyUsage bits set.


    If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    Regards, Jinxin

    5 people found this answer helpful.

  2. Daniel Ströher 0 Reputation points
    2024-03-12T13:28:13.44+00:00

    While Jinxin Wang does provide a functioning workaround, I suggest creating a proper certificate.

    I suppose you created the certificate via IIS Manager. This will only set one key usage flag: "Key Encipherment".

    Instead, you should create a proper certificate using PowerShell and a key usage flag of "Digital Signature".

    Google states the reason behind that decision here:

    https://chromeenterprise.google/policies/#RSAKeyUsageForLocalAnchorsEnabled

    Connections which fail this check will fail with the error ERR_SSL_KEY_USAGE_INCOMPATIBLE. Sites which fail with this error likely have a misconfigured certificate. Modern ECDHE_RSA cipher suites use the "digitalSignature" key usage option, while legacy RSA decryption cipher suites use the "keyEncipherment" key usage option. If unsure, administrators should include both in RSA certificates meant for HTTPS.

    0 comments No comments
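
The re-issue both answers recommend, as an added example that is not part of either post: the script lists RSA certificates in the machine store whose keyUsage extension lacks digitalSignature, then creates a self-signed replacement with both bits set, as the quoted policy text advises. The store path `Cert:\LocalMachine\My`, the host name `intranet.example.local` and the one-year validity are assumptions to adjust.

```powershell
# Added example, not from the original thread. Run in an elevated PowerShell session.
# Assumption: the server certificate lives in the local machine "My" store.
# Placeholder: replace intranet.example.local with the name clients connect to.
$dnsName = 'intranet.example.local'
$store   = 'Cert:\LocalMachine\My'
$kuType  = [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension]
$kuFlags = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]
$rsaOid  = '1.2.840.113549.1.1.1'   # rsaEncryption public key algorithm

# 1. Audit: RSA certificates whose keyUsage extension omits digitalSignature.
#    Certificates without any keyUsage extension are unrestricted and are skipped.
$incompatible = Get-ChildItem -Path $store | Where-Object {
    $ku = $_.Extensions | Where-Object { $_ -is $kuType }
    $_.PublicKey.Oid.Value -eq $rsaOid -and
        $ku -and -not ($ku.KeyUsages -band $kuFlags::DigitalSignature)
}
$incompatible | Select-Object Subject, Thumbprint, NotAfter,
    @{ Name = 'KeyUsage'
       Expression = { ($_.Extensions | Where-Object { $_ -is $kuType }).KeyUsages } }

# 2. Re-issue: self-signed RSA certificate carrying both key usage bits.
$cert = New-SelfSignedCertificate -DnsName $dnsName -CertStoreLocation $store `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeyUsage DigitalSignature, KeyEncipherment `
    -NotAfter (Get-Date).AddYears(1)

# 3. Confirm what was written into the new certificate before binding it.
$newUsage = ($cert.Extensions | Where-Object { $_ -is $kuType }).KeyUsages
[pscustomobject]@{
    Subject    = $cert.Subject
    Thumbprint = $cert.Thumbprint
    KeyUsage   = $newUsage
    HasDigitalSignature = [bool]($newUsage -band $kuFlags::DigitalSignature)
}
```

Once the new certificate is bound to the site and trusted on the clients, the RSAKeyUsageForLocalAnchorsEnabled override from the first answer is no longer needed.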
