How to Fix the ERR_SSL_KEY_USAGE_INCOMPATIBLE Error? [Multiple Ways]

Are you using a self-signed SSL certificate? Or have you recently updated the Google Chrome browser’s version to 119.0.6045.160 or higher? If the answer to both queries is Yes, then there is a high chance that you may be greeted by the ERR_SSL_KEY_USAGE_INCOMPATIBLE warning message.

If you are currently facing the ERR_SSL_KEY_USAGE_INCOMPATIBLE error and are searching the web for ways to fix it, let me tell you: STOP the search. You have landed on the right article. Although it is a troublesome and frustrating error, there is a method that can be employed to make it go away.

What is the ERR_SSL_KEY_USAGE_INCOMPATIBLE Error?

As per the newly added requirements, the Chrome browser will not be able to connect to web servers running on IIS that use self-signed SSL certs created with default settings. When Chrome tries to connect, the ERR_SSL_KEY_USAGE_INCOMPATIBLE warning message appears.

In simple terms, the ERR_SSL_KEY_USAGE_INCOMPATIBLE is a warning message that specifies that there is a mismatch between how the self-signed SSL cert is set up (configured) on the server and how the browser (Google Chrome (119.0.6045.160 and higher) in this case) expects it to be configured.

Common Causes:

  1. Incorrect SSL Certificate Type: Using a server authentication certificate for client authentication, or the reverse.
  2. Outdated TLS Versions: Sites that use outdated TLS protocols that browsers no longer support.
  3. Misconfigured Server Settings: Server settings don’t match the purpose of the SSL certificate.
  4. Expired or Revoked Certificates: Certificates that are no longer valid because they have expired or have been revoked by their issuing authority.
  5. Incomplete Certificate Chain: No intermediate certificates exist in the server’s chain.

Important Prerequisite: How to Check TLS Version?

Before tackling the issue at hand, it is important to check the TLS protocol version of the site you want to access. Here’s how you can do it:

Using Online Tools:

  1. Visit SSL Labs’ SSL Server Test (https://www.ssllabs.com/ssltest/)
  2. Enter the website’s URL and click “Submit”
  3. Look for the “Protocols” section in the results to see supported TLS versions

Browser Developer Tools:

  1. Open the Website in Google Chrome
  2. Press F12 to open Developer Tools
  3. Go to the “Security” tab
  4. Look for “Protocol” under “Connection”

Command Line (for Advanced Users):

  1. Open a Terminal or Command Prompt.
  2. Use OpenSSL with the following command:
    openssl s_client -connect example.com:443 -tls1_2
  3. Change “example.com” to the site’s domain and change -tls1_2 to the TLS version you want to test.

Understanding Results from TLS Version Testing

  1. TLS 1.0 and 1.1: These versions are old and not safe. Most contemporary browsers have discontinued them.
  2. TLS 1.2: Currently in common use and considered secure for most purposes.
  3. TLS 1.3: The latest version, which provides greater protection and faster performance. Use TLS 1.3 for the best level of security.

How to Fix the ERR_SSL_KEY_USAGE_INCOMPATIBLE Error? [If You Are Using a Self-Signed Certificate]

Follow the steps mentioned below to fix the ERR_SSL_KEY_USAGE_INCOMPATIBLE error:

Step 1: Generate a trusted self-signed SSL cert

Step 2: Export the trusted self-signed SSL cert

Step 3: Add the trusted self-signed SSL cert to the Trusted Certificates

Step 4: Set up IIS (Internet Information Services)

Let’s explore each of these steps in detail.

Step 1: Generate a Trusted Self-signed SSL Cert

Follow the steps mentioned below to generate a trusted self-signed SSL cert:

  • Click Search, placed on the taskbar.
  • Type Windows PowerShell and press Enter.
  • The Windows PowerShell window will appear.
  • In the Windows PowerShell window, type the following command:
    New-SelfSignedCertificate -Type Custom -DnsName "server", "server.domain.local", "192.168.0.1" -KeyUsage "DigitalSignature", "KeyEncipherment", "KeyAgreement" -KeyAlgorithm RSA -KeyLength 4096 -CertStoreLocation "cert:\CurrentUser\My" -FriendlyName "EkranSelfSignedCert" -NotAfter (Get-Date).AddMonths(36) -Subject "EkranCA"
  • Press Enter.

In the above command, here’s what the different parameters mean:

  • DnsName: Specify the hostname, domain name, and IP address.
  • KeyUsage: Specify the key usages recorded in the SSL cert (DigitalSignature, KeyEncipherment, and KeyAgreement).
  • KeyLength: Specify the key length (4096).
  • CertStoreLocation: Specify the location where the SSL cert will be saved.
  • FriendlyName: Specify a friendly name for the newly created SSL cert.
  • NotAfter: Specify the date when the newly created SSL cert will expire.
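
To see the mismatch described under "What is the ... Error?" and to confirm that the Step 1 cert avoids it, the following PowerShell check reads the Key Usage extension of a certificate. It is an added example, not part of the original article; Test-TlsKeyUsage and New-SampleCert are hypothetical names, the sample certs are constructed in memory, and it assumes PowerShell 7 or Windows PowerShell 5.1 with .NET Framework 4.7.2 or later.

```powershell
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

# Reports whether a certificate's Key Usage extension (OID 2.5.29.15) permits
# the handshake signature a TLS server makes with ECDHE suites and TLS 1.3.
function Test-TlsKeyUsage {
    param([Parameter(Mandatory, ValueFromPipeline)][X509Certificate2]$Certificate)
    process {
        $ku = $Certificate.Extensions |
            Where-Object { $_ -is [X509KeyUsageExtension] } |
            Select-Object -First 1
        $verdict = if (-not $ku) {
            'OK: no Key Usage extension, so no usage is restricted'
        } elseif ($ku.KeyUsages.HasFlag([X509KeyUsageFlags]::DigitalSignature)) {
            'OK: DigitalSignature is allowed'
        } else {
            'INCOMPATIBLE: Key Usage present without DigitalSignature'
        }
        [pscustomobject]@{
            Subject    = $Certificate.Subject
            Thumbprint = $Certificate.Thumbprint
            KeyUsages  = if ($ku) { $ku.KeyUsages } else { 'none' }
            Verdict    = $verdict
        }
    }
}

# Hypothetical helper: builds an in-memory self-signed RSA cert with the given
# key usages, so the check can be tried without touching a certificate store.
function New-SampleCert([string]$Name, [X509KeyUsageFlags]$Usages) {
    $rsa = [RSA]::Create(2048)
    $req = [CertificateRequest]::new("CN=$Name", $rsa,
        [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
    $req.CertificateExtensions.Add([X509KeyUsageExtension]::new($Usages, $true))
    $now = [DateTimeOffset]::UtcNow
    $req.CreateSelfSigned($now.AddMinutes(-5), $now.AddDays(1))
}

# Constructed samples: one lacking DigitalSignature, one with Step 1's usages.
$samples = @(
    New-SampleCert 'sample-no-signature' ([X509KeyUsageFlags]'KeyEncipherment, DataEncipherment')
    New-SampleCert 'sample-step1-usages' ([X509KeyUsageFlags]'DigitalSignature, KeyEncipherment, KeyAgreement')
)
$samples | Test-TlsKeyUsage | Format-List

# Audit the store that Step 1 writes to (Windows only).
Get-ChildItem Cert:\CurrentUser\My | Test-TlsKeyUsage | Format-Table -AutoSize
```

The first sample is reported as INCOMPATIBLE and the second as OK; any cert in the store that shows INCOMPATIBLE should be regenerated with DigitalSignature in -KeyUsage before it is bound to a site.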

Step 2: Export the Trusted Self-signed SSL Certificate

Follow the steps mentioned below to export the trusted self-signed SSL cert:

  • Click Search, placed on the taskbar.
  • Type Run and press Enter.
  • The Run dialog box will appear.
  • In the Open field, type mmc, and press Enter.
  • The Console1 – [Console Root] window will appear.
  • In the Console1 – [Console Root] window, click File.
  • From the list, select Add/Remove Snap-in.
  • The Add or Remove Snap-ins window will appear.
  • In the left pane, under the Available snap-ins section, click Certificates.
  • Click the Add > button.
  • The Certificates snap-in window will appear.
  • In the Certificates snap-in window, click the radio button placed adjacent to the My user account option.
  • Click Finish.
  • In the Console1 – [Console Root] window, navigate to Certificates - Current User > Personal > Certificates.
  • Right-click on your certificate.
  • From the list, select All Tasks.
  • From the list, select Export.
  • The Welcome to the Certificate Export Wizard page will appear.
  • On the Welcome to the Certificate Export Wizard page, click Next.
  • The Export Private Key page will appear.
  • On the Export Private Key page, click the radio button placed in front of the Yes, export the private key option.
  • The Export File Format page will appear.
  • On the Export File Format page, check the checkboxes placed adjacent to the below options:
    • Include all certificates in the certification path if possible
    • Export all extended properties
    • Enable certificate privacy
  • Click Next.
  • The Security page will appear.
  • On the Security page, type a password of your choice.
  • Type the same password in the Confirm Password box.
  • Click Next.
  • The File to Export page will appear.
  • On the File to Export page, enter the name of the cert.
  • Click Browse and select the location where the cert will be exported to.
  • Click Next.
  • Click Finish.
  • The confirmation dialog box will appear.
  • Click OK.

Step 3: Add the Trusted Self-signed SSL Cert to the Trusted Certificates

Follow the steps mentioned below to add the trusted self-signed SSL cert to the Trusted Certificates:

  • Navigate to the folder where the SSL cert has been exported.
  • Open the folder that contains the certificate.
  • Right-click on the certificate.
  • From the list, select the Install PFX option.
  • The Welcome to the Certificate Import Wizard page will appear.
  • On the Welcome to the Certificate Import Wizard page, click the radio button placed adjacent to the Local Machine option.
  • Click Next.
  • The File to Import page will appear.
  • On the File to Import page, click Next.
  • The Private key protection page will appear.
  • On the Private key protection page, type the password that you set in Step 2.
  • Click Next.
  • The Certificate Store page will appear.
  • On the Certificate Store page, click the radio button placed adjacent to the Place all certificates in the following store option.
  • From the Certificate store list, select Trusted Root Certification Authorities.
  • Click Next.
  • Click Finish.
  • The confirmation dialog box will appear.
  • Click OK.

Step 4: Set up IIS (Internet Information Services)

Follow the steps mentioned below to set up Internet Information Services:

  • Click Search, placed on the taskbar.
  • Type Internet Information Services and press Enter.
  • The Internet Information Services (IIS) Manager window will appear.
  • In the left pane, expand the node with the name of the target computer.
  • In the middle pane, under the IIS section, click Server Certificates.
  • The Server Certificates page will appear.
  • On the Server Certificates page, in the right pane, under the Actions section, click Import.
  • The Import Certificate dialog box will appear.
  • In the Import Certificate dialog box, select the certificate by clicking on the three vertical dots.
  • In the Password field, type the password.
  • Click OK.
  • In the Internet Information Services (IIS) Manager window, in the left pane, expand the node with the name of the target computer.
  • Expand the Sites node.
  • Click the Default Web Site option.
  • In the middle pane, the Default Web Site Home page will appear.
  • In the right pane, under the Actions tab, click Bindings.
  • The Site Bindings window will appear.
  • Double-click the https record.
  • The Add Site Binding window will appear.
  • In the Add Site Binding window, perform these functions:
    • Verify that the Type is selected as https.
    • From the SSL certificate list, select the newly created cert.
  • Click OK.
  • Click Close.
  • Restart the Chrome Browser.
  • Verify whether the issue persists or not.

Methods to Resolve the ERR_SSL_KEY_USAGE_INCOMPATIBLE Error in Chrome, Firefox and Edge [If Not Using a Self-Signed Cert]

Update Your Browser:

Use the most recent version of your web browser for the best TLS protocol support.

  1. For Chrome: Click the three dots and select Help > About Google Chrome.
  2. For Firefox: Press the menu icon > Support > About Firefox.
  3. For Edge: Click the three dots, then Help and feedback > About Microsoft Edge.

Check Your System Time:

Incorrect time settings on your system can cause SSL certificate validation to fail. Confirm that the date and time on your computer are correct.

  1. On Windows: Click the clock in the taskbar to edit the date and time.
  2. On macOS: Control Panel > Date & Time

Clear Browser Cache and Cookies:

Over time, stored browser data may interfere with the establishment of SSL connections. Delete all cache and cookies from your browser, then close and reopen it.

  1. In Chrome: Settings > Privacy and security > Clear browsing data
  2. In Firefox: In Settings navigate to Privacy & Security. From the Cookies and Site Data section click Clear Data.
  3. In Edge: Go to Privacy, search, and services, and tap Clear browsing data.

Disable Antivirus SSL Scanning:

Some antivirus software intercepts SSL connections, which can result in this error. Turn off the SSL scanning feature in your antivirus tool to check whether you can then visit the website.

  1. Search for options like “HTTPS Scanning,” “SSL Scanning,” or “Web Shield” in your virus protection settings.
  2. Turn these options off for a moment and revisit the site.

Use a Different Network:

If you’re on a public or corporate network, try accessing the website from a different network to rule out network-specific issues.

  1. Switch from Wi-Fi to mobile data or vice versa
  2. Try accessing the site from a different location

Check for Browser Extensions:

Some browser extensions can interfere with SSL connections. Try disabling all extensions and accessing the site again.

  1. In Chrome: More tools > Extensions
  2. In Firefox: Add-ons > Extensions
  3. In Edge: Extensions

Use Private/Incognito Mode:

Access the website in your browser’s private or incognito mode to rule out issues caused by browser settings or extensions.

  1. In Chrome: Ctrl+Shift+N (Windows) or Command+Shift+N (Mac)
  2. In Firefox: Ctrl+Shift+P (Windows) or Command+Shift+P (Mac)
  3. In Edge: Ctrl+Shift+N (Windows) or Command+Shift+N (Mac)

For Website Owners: Ensuring Proper SSL Configuration

If you’re a website owner experiencing this error, consider the following steps:

Verify Certificate Usage:

Make sure your SSL certificate is issued for the proper use (e.g., server authentication).

  1. Examine the “Extended Key Usage” part of your certificate information.
  2. Confirm that it includes “Server Authentication” (OID 1.3.6.1.5.5.7.3.1)
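
The Extended Key Usage check above and the TLS version check from the prerequisite section can be done in one pass against a live server. The following PowerShell function is an added example, not part of the original article; Get-TlsServerCertInfo is a hypothetical name, example.com is the same placeholder used earlier, and the host must be reachable over the network.

```powershell
using namespace System.Net.Security
using namespace System.Security.Cryptography.X509Certificates

function Get-TlsServerCertInfo {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    $tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        # The callback accepts any certificate so that an untrusted or
        # misissued one can still be inspected; only the handshake is done.
        $ssl = [SslStream]::new($tcp.GetStream(), $false,
            [RemoteCertificateValidationCallback]{ $true })
        $ssl.AuthenticateAsClient($HostName)
        $cert = [X509Certificate2]::new($ssl.RemoteCertificate)

        # Extended Key Usage extension; absent means no purpose restriction.
        $eku = $cert.Extensions |
            Where-Object { $_ -is [X509EnhancedKeyUsageExtension] } |
            Select-Object -First 1
        $oids = if ($eku) {
            @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
        } else { @() }

        [pscustomobject]@{
            Host       = $HostName
            Protocol   = $ssl.SslProtocol      # version negotiated for this session
            Subject    = $cert.Subject
            NotAfter   = $cert.NotAfter
            Expired    = $cert.NotAfter -lt (Get-Date)
            EkuOids    = $oids -join ', '
            # Server Authentication is OID 1.3.6.1.5.5.7.3.1
            ServerAuth = (-not $eku) -or ($oids -contains '1.3.6.1.5.5.7.3.1')
        }
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Dispose()
    }
}

# Replace the placeholder with your own site's host name.
Get-TlsServerCertInfo -HostName 'example.com' | Format-List
```

Protocol shows only the version negotiated for this one connection, not every version the server accepts; use the SSL Labs test or the openssl command above to probe individual versions.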

Update TLS Version:

Use TLS 1.2 or higher on your web server. TLS 1.0 and 1.1 are regarded as not safe.

  1. For Apache: Edit the SSL configuration file (usually ssl.conf) and add:
    SSLProtocol -all +TLSv1.2 +TLSv1.3
  2. For Nginx: Add to the server block in your configuration:
    ssl_protocols TLSv1.2 TLSv1.3;

Check Certificate Chain:

Ensure your SSL certificate chain is installed completely and correctly on your web server.

  1. Use online tools like SSL Checker to verify your certificate chain.
  2. Check that all intermediate certificates appear in the right sequence.

Renew or Replace Certificate:

Obtain a new certificate if yours is either expired or incorrectly issued.

  1. Check the expiry date of your present certificate.
  2. Buy or renew an SSL certificate as per your business needs.

Configure Proper Cipher Suites:

Your server needs to use strong and current cipher suites.

  1. For Apache, add to your SSL configuration:
    SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
  2. For Nginx, add to your server block:
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';

Implement HTTP Strict Transport Security (HSTS):

HSTS plays a key role: once it is enabled, only HTTPS traffic is allowed to access the site.

  1. Add the following header to your server configuration:
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Regular Security Audits:

Review your SSL/TLS configuration regularly to verify that it still follows standard security guidelines.

  1. Run tools like the SSL Labs Server Test regularly.
  2. Keep up with current SSL/TLS security advice.

Conclusion

Handling the ERR_SSL_KEY_USAGE_INCOMPATIBLE problem is important for keeping your website both safe and open to visitors.

Following the guidelines in this guide enables you to detect and correct this SSL-related issue and give your users a smooth browsing experience. To keep ahead of possible threats, you must maintain SSL security through ongoing efforts and updates.

Janki Mehta

Janki Mehta is a Cyber-Security Enthusiast who constantly updates herself with new advancements in the Web/Cyber Security niche. Along with theoretical knowledge, she also implements her practical expertise in day-to-day tasks and helps others to protect themselves from threats.