How to fix ERR_SSL_KEY_USAGE_INCOMPATIBLE in Microsoft Edge?

B.Wirawat 0 Reputation points
2024-04-19T04:26:36.0866667+00:00

This is being seen when we try to go to a site with a self-signed certificate in the latest version, 124.0.2478.51 (64-bit). We get this error: ERR_SSL_KEY_USAGE_INCOMPATIBLE. Is there a fix for this?


2 answers

  1. ShiJieLi-MSFT 7,471 Reputation points Microsoft Vendor
    2024-04-19T08:04:33.71+00:00

    Hi @B.Wirawat,

    This is a recent change in Microsoft Edge. In essence, connections which fail this check will fail with the error ERR_SSL_KEY_USAGE_INCOMPATIBLE. Sites which fail with this error likely have a misconfigured certificate. Modern ECDHE_RSA cipher suites use the "digitalSignature" key usage option, while legacy RSA decryption cipher suites use the "keyEncipherment" key usage option. If unsure, administrators should include both in RSA certificates meant for HTTPS.

    As a workaround, you need to disable a group policy called RSAKeyUsageForLocalAnchorsEnabled to revert to previous key usage behavior:

    ==============

    Under: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge

    Create new DWORD entry named:  RSAKeyUsageForLocalAnchorsEnabled

    Set the value to:  0x00000000 (0)

    Note:  Create the above registry location if it does not already exist.

    ==============

    All in all, the appropriate solution is for the server certificate to be re-issued with the correct keyUsage bits set.



    Best Regards,

    Shijie Li
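    An added example, not code posted by either answerer in this thread, that puts the explanation above into something you can run: it builds two RSA certificates in memory (one carrying only keyEncipherment, the misconfigured shape, and one carrying both bits), reports which keyUsage bits each has and which cipher-suite families those bits permit, and wraps the registry workaround from the answer so the policy can be set, inspected and removed again. It assumes Windows PowerShell 5.1 on .NET Framework 4.7.2 or later, or PowerShell 7, for the in-memory CertificateRequest class. The function names and the subjects broken.local and fixed.local are made up for the example.

```powershell
# Added example for this thread; not code posted by either answerer.
# Assumes Windows PowerShell 5.1 on .NET Framework 4.7.2+ or PowerShell 7,
# which provide CertificateRequest for building test certificates in memory.
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

# Build a self-signed RSA certificate in memory with the given keyUsage bits.
# Nothing is written to a certificate store; the subjects used below are made up.
function New-InMemoryRsaCert {
    param(
        [Parameter(Mandatory)][string]$Subject,
        [Parameter(Mandatory)][X509KeyUsageFlags]$KeyUsage
    )
    $rsa = [RSA]::Create(2048)
    $req = [CertificateRequest]::new($Subject, $rsa,
        [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
    # Mark keyUsage critical, as CAs and New-SelfSignedCertificate do.
    $req.CertificateExtensions.Add([X509KeyUsageExtension]::new($KeyUsage, $true))
    $now = [DateTimeOffset]::UtcNow
    return $req.CreateSelfSigned($now.AddDays(-1), $now.AddYears(1))
}

# Report the keyUsage bits Edge/Chromium look at for an RSA server certificate:
# ECDHE_RSA (and TLS 1.3) suites need digitalSignature, legacy RSA key-exchange
# suites need keyEncipherment. If the extension is absent, no restriction applies.
# The connection fails with ERR_SSL_KEY_USAGE_INCOMPATIBLE when the suite the
# server negotiates falls in a family the certificate's bits do not allow.
function Get-RsaKeyUsageReport {
    param([Parameter(Mandatory, ValueFromPipeline)][X509Certificate2]$Certificate)
    process {
        $ku = $Certificate.Extensions | Where-Object { $_ -is [X509KeyUsageExtension] }
        if ($null -eq $ku) {
            $ds = $true; $ke = $true
        } else {
            $ds = $ku.KeyUsages.HasFlag([X509KeyUsageFlags]::DigitalSignature)
            $ke = $ku.KeyUsages.HasFlag([X509KeyUsageFlags]::KeyEncipherment)
        }
        [pscustomobject]@{
            Subject             = $Certificate.Subject
            KeyUsagePresent     = ($null -ne $ku)
            DigitalSignature    = $ds
            KeyEncipherment     = $ke
            OkForEcdheRsa       = $ds
            OkForRsaKeyExchange = $ke
        }
    }
}

# The registry workaround from the answer above, plus a reader so you can see
# the current state. The policy only affects certificates chaining to locally
# installed trust anchors; publicly trusted certificates are always checked.
$EdgePolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'
$PolicyName     = 'RSAKeyUsageForLocalAnchorsEnabled'

function Get-EdgeRsaKeyUsagePolicy {
    $item = Get-ItemProperty -Path $EdgePolicyPath -Name $PolicyName -ErrorAction SilentlyContinue
    if ($null -eq $item)         { return 'not set (default: check enforced)' }
    if ($item.$PolicyName -eq 0) { return 'disabled (check skipped for local anchors)' }
    return 'enabled (check enforced)'
}

function Disable-EdgeRsaKeyUsageCheck {   # needs an elevated shell
    if (-not (Test-Path $EdgePolicyPath)) { New-Item -Path $EdgePolicyPath -Force | Out-Null }
    New-ItemProperty -Path $EdgePolicyPath -Name $PolicyName -PropertyType DWord -Value 0 -Force | Out-Null
}

function Restore-EdgeRsaKeyUsageCheck {   # remove the override once the cert is reissued
    Remove-ItemProperty -Path $EdgePolicyPath -Name $PolicyName -ErrorAction SilentlyContinue
}

# Demo: the misconfigured shape (keyEncipherment only) next to the corrected one.
$broken = New-InMemoryRsaCert -Subject 'CN=broken.local' -KeyUsage KeyEncipherment
$fixed  = New-InMemoryRsaCert -Subject 'CN=fixed.local'  -KeyUsage 'DigitalSignature, KeyEncipherment'
$broken, $fixed | Get-RsaKeyUsageReport | Format-Table -AutoSize
# To check the certificate actually bound on a server, run this on that server:
#   Get-ChildItem Cert:\LocalMachine\My | Get-RsaKeyUsageReport | Format-Table -AutoSize
"Edge policy: $(Get-EdgeRsaKeyUsagePolicy)"
```

    Run the report against the certificate the server actually presents before touching the policy: if DigitalSignature comes back false on an RSA certificate, reissuing it is the fix, and the registry override is only a stopgap for certificates chaining to a locally installed root while that happens.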


  2. Ansar 0 Reputation points
    2024-04-21T11:46:09.2833333+00:00

    Run the following PowerShell script as an administrator to generate a new self-signed certificate with DigitalSignature and KeyEncipherment options enabled:

    # Generate a new self-signed certificate
    $cert = New-SelfSignedCertificate -DnsName "XXXX.Local" -CertStoreLocation "Cert:\LocalMachine\My" -KeyUsage DigitalSignature,KeyEncipherment -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider" -KeyLength 2048 -FriendlyName "CertificateYYY"

    # Export the certificate with private key to a .pfx file
    $certPfxPath = "D:\Cert\CertificateYYY.pfx"
    $password = ConvertTo-SecureString -String "YourPassword" -Force -AsPlainText
    Export-PfxCertificate -Cert $cert -FilePath $certPfxPath -Password $password

    # Export the public certificate to a .cer file
    $certCerPath = "D:\Cert\CertificateYYY.cer"
    Export-Certificate -Cert $cert -FilePath $certCerPath -Type CERT

    Write-Host "Certificate successfully created and exported to:"
    Write-Host "PFX: $certPfxPath"
    Write-Host "CER: $certCerPath"


    I've replaced the actual domain name with "XXXX.Local" and the actual friendly name with "CertificateYYY".

    • I've used placeholder paths for the .pfx and .cer files ("D:\Cert\CertificateYYY.pfx" and "D:\Cert\CertificateYYY.cer").
    • The password is represented as "YourPassword".