ERR_SSL_KEY_USAGE_INCOMPATIBLE Solution
Solution 1:
I solved this problem by changing
keyUsage = keyEncipherment, dataEncipherment
to
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
in the section v3_req
in file req.conf
like acme.sh does. There's no error with Chrome 75 now.
My problem might be a little different. It is OK with the original configuration with TLS 1.2, but gives ERR_SSL_KEY_USAGE_INCOMPATIBLE
with TLS 1.3.
The command to generate the certificate is as follows:
openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout cert.key -out cert.cer -config req.conf -extensions v3_req
Full content of my req.conf:
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
# C = US
# ST = California
# L = Los Angeles
# O = Internet Corporation for Assigned Names and Numbers
# OU = IT Operations
CN = home.arpa
[v3_req]
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = home.arpa
DNS.2 = *.home.arpa
IP.1 = 192.168.1.1
IP.2 = fe80::123:4567:89ab:cdef
Solution 2:
This issue is related to the value of the 'KeyUsage' parameter in the SSL config of 'v3_req'.
Removing 'KeyUsage' from the config will imply that any usage is valid for the certificate. For some reason (which I haven't yet determined), if KeyUsage is specified, Chrome 75/76 will reject the key for self-signed certificates over localhost.
Removing the 'KeyUsage' parameter from v3_req and regenerating the certificate fixes the issue, hence the command posted by Tiffany will work as no KeyUsage is specified.
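
A small linter for the v3_req section both solutions edit, as an added example that is not part of either answer: it reports whether the keyUsage line permits the signing operation TLS 1.3 requires of an RSA server key (digitalSignature, RFC 8446) and the decryption used by TLS 1.2 static-RSA key exchange (keyEncipherment, RFC 5246). The function names and the BEFORE/AFTER/UNSET fragments are constructed for illustration, and Python's configparser is assumed to be enough for this simple layout (it does not cover every OpenSSL config feature).

```python
import configparser

# keyUsage bit an RSA server certificate needs for each operation.
NEEDS = {
    "tls13_signature": "digitalSignature",        # server signs the handshake
    "tls12_rsa_key_exchange": "keyEncipherment",  # server decrypts premaster secret
}

# Constructed fragments: the setting Solution 1 replaced, the setting it
# ended up with, and Solution 2's variant with no keyUsage line at all.
BEFORE = "[v3_req]\nkeyUsage = keyEncipherment, dataEncipherment\nextendedKeyUsage = serverAuth\n"
AFTER = "[v3_req]\nkeyUsage = nonRepudiation, digitalSignature, keyEncipherment\nextendedKeyUsage = serverAuth\n"
UNSET = "[v3_req]\nextendedKeyUsage = serverAuth\n"


def key_usage(conf_text, section="v3_req"):
    """Return the set of keyUsage names in `section`, or None if not set."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = str  # OpenSSL option names are case-sensitive
    cp.read_string(conf_text)
    raw = cp.get(section, "keyUsage", fallback=None)
    if raw is None:
        return None
    names = {v.strip() for v in raw.split(",")}
    return names - {"", "critical"}  # "critical" is a flag, not a usage


def check(conf_text, section="v3_req"):
    """Map each operation in NEEDS to True if the certificate would permit it."""
    usage = key_usage(conf_text, section)
    # RFC 5280: when the keyUsage extension is absent the key is unrestricted.
    return {op: usage is None or bit in usage for op, bit in NEEDS.items()}


if __name__ == "__main__":
    for label, conf in (("before", BEFORE), ("after", AFTER), ("unset", UNSET)):
        print(label, check(conf))
```

Omitting keyUsage passes both checks only because the certificate then carries no restriction at all; listing digitalSignature explicitly keeps the restriction while still allowing the TLS 1.3 handshake.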