ERR_SSL_KEY_USAGE_INCOMPATIBLE Solution
I recently encountered the error message ERR_SSL_KEY_USAGE_INCOMPATIBLE in Chrome using a self-signed certificate. I spent hours trying to solve the problem before finally re-generating the certificate with:
openssl req -new -x509 -days 36500 -nodes -newkey rsa:2048 -keyout cert.key -out cert.crt -extensions v3_req
Hope this helps someone else.
asked Jun 23, 2019 at 9:05
Actually — you want to post the solution as an answer (it's perfectly fine). Might also help to say where you're using this cert, just for completeness' sake.
Jun 23, 2019 at 9:08
This helped me with a broken CUPS ssl cert with RHEL 8.
Jul 12, 2019 at 21:21
2 Answers
I solved this problem by changing keyUsage = keyEncipherment, dataEncipherment to keyUsage = nonRepudiation, digitalSignature, keyEncipherment in the section v3_req in file req.conf, like acme.sh does. There's no error with Chrome 75 now.
My problem might be a little different. It is OK with the original configuration with TLS 1.2, but gives ERR_SSL_KEY_USAGE_INCOMPATIBLE with TLS 1.3.
The command to generate the certificate is as follows.
openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout cert.key -out cert.crt -config req.conf -extensions v3_req
Full content of my req.conf:
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no

[req_distinguished_name]
# C = US
# ST = California
# L = Los Angeles
# O = Internet Corporation for Assigned Names and Numbers
# OU = IT Operations
CN = home.arpa

[v3_req]
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = home.arpa
DNS.2 = *.home.arpa
IP.1 = 192.168.1.1
IP.2 = fe80::123:4567:89ab:cdef
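Added example (not part of the answer above, and not acme.sh code): a standard-library Python check that decodes the keyUsage bits from a certificate's DER bytes and reports which TLS server-authentication modes an RSA certificate may be used for. TLS 1.3 and ECDHE_RSA authenticate the server with a signature, so they need digitalSignature, while TLS 1.2 RSA key exchange needs keyEncipherment. The function names and the two sample extensions are constructed for illustration.

```python
import ssl

KEY_USAGE_OID = bytes.fromhex("0603551d0f")  # DER encoding of OID 2.5.29.15 (keyUsage)
# RFC 5280 section 4.2.1.3: bit 0 is the most significant bit of the first byte.
BIT_NAMES = ["digitalSignature", "nonRepudiation", "keyEncipherment",
             "dataEncipherment", "keyAgreement", "keyCertSign",
             "cRLSign", "encipherOnly", "decipherOnly"]

def load_der(path):
    """Read a PEM certificate such as cert.crt and return its DER bytes."""
    with open(path) as f:
        return ssl.PEM_cert_to_DER_cert(f.read())

def key_usage(der):
    """Return the set of asserted keyUsage names, or None if the extension is absent.

    Simplification: the extension is located by searching for its OID bytes
    instead of walking the whole certificate structure.
    """
    i = der.find(KEY_USAGE_OID)
    if i < 0:
        return None
    i += len(KEY_USAGE_OID)
    if der[i:i + 2] == b"\x01\x01":        # optional "critical" BOOLEAN
        i += 3
    # extnValue: OCTET STRING (0x04) wrapping a BIT STRING (0x03), short lengths
    if der[i] != 0x04 or der[i + 2] != 0x03:
        raise ValueError("unexpected keyUsage encoding")
    bits = der[i + 5:i + 4 + der[i + 3]]   # skip the unused-bits count byte
    return {name for n, name in enumerate(BIT_NAMES)
            if n // 8 < len(bits) and bits[n // 8] & (0x80 >> (n % 8))}

def rsa_server_modes(usage):
    """Which TLS server-authentication modes an RSA certificate's keyUsage permits."""
    sign = usage is None or "digitalSignature" in usage
    encipher = usage is None or "keyEncipherment" in usage
    return {"tls1.3": sign, "tls1.2_ecdhe_rsa": sign, "tls1.2_rsa_kx": encipher}

# Constructed sample extensions matching the two keyUsage lines from req.conf.
OLD_EXT = bytes.fromhex("300b0603551d0f040403020430")  # keyEncipherment, dataEncipherment
NEW_EXT = bytes.fromhex("300b0603551d0f0404030205e0")  # nonRepudiation, digitalSignature, keyEncipherment

if __name__ == "__main__":
    for label, ext in (("old", OLD_EXT), ("new", NEW_EXT)):
        usage = key_usage(ext)
        print(label, sorted(usage), rsa_server_modes(usage))
```

For a real file, pass `load_der("cert.crt")` to `key_usage`; a certificate with no keyUsage extension returns None and is treated as unrestricted.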
Fix err_ssl_key_usage_incompatible in 3 steps
- SSL certificates are the most important security feature you can use to secure your website.
- If you receive an incompatible Chrome SSL key usage error, it means something is wrong with your computer’s encryption.
- The Certificate Authority might have also revoked the certificate if it had been reported as unsafe.
If you’re using Chrome, your browser may tell you that the SSL key certificate for a website is incompatible. It will then bring up an err_ssl_key_usage_incompatible error. This can happen if the site has changed its SSL certificate, which encrypts traffic between your browser and the website.
This can also happen because SSL certificates have a limited lifespan and must be renewed periodically. This can be confusing to users because they are not used to seeing this message when visiting websites.
The problem could be as simple as having an outdated version of Chrome installed on your system, or it might be something more serious such as a virus infection or other malware.
It may also occur when a certificate is not installed correctly or the computer’s firewall blocks the connection because the Chrome certificate is not trusted. Sometimes, you may be asked to verify where the certificate is from, or you will be stuck indefinitely.
Why does Chrome say err_ssl_key_usage_incompatible?
If you see this message, your web browser has detected a problem with the certificate being used by the website. There are several reasons why this might happen:
- Expired certificate – The most common reason why Chrome says your certificate is invalid is that the certificate has expired. To fix this, simply renew your certificate.
- Your computer clock is set incorrectly – Your time will determine the validity of your SSL certificate. Chrome checks whether websites’ SSL certificates are still valid by comparing them against system time; if your computer’s clock is off by too much, then all certificates will appear invalid.
- An out-of-date version of Chrome – Ensure your computer is running the latest version. If not, install an update or upgrade your device.
- Third-party extensions – If you have any third-party extensions or programs installed on your computer that might interfere with Chrome’s ability to verify the certificate, temporarily disable them and see if it helps resolve the problem.
If any of the above is the reason your SSL key is incompatible, we have some solutions you can attempt to resolve the issue.
How do I fix Chrome err_ssl_key_usage_incompatible?
1. Update Chrome
- Launch your Chrome browser and click the three vertical ellipses in the top right corner.
- Click Help, then select About Google Chrome.
- Check if there is an update available.
2. Disable extensions
- Navigate to your browser and in a new tab, enter the following address: chrome://extensions/
- Disable extensions one by one until you find the culprit.
3. Use incognito mode
- Launch your Chrome browser and click the three vertical ellipses in the top right corner.
- Select New incognito window.
How do I update SSL in Chrome?
The SSL certificate is one of the most important components of any website. It provides a secure connection between your browser and the website you’re trying to reach.
Without it, your connection is not secure, and anyone who can intercept your data can see what you’re doing on the Internet.
This is why you need to update it if it has expired. Chrome's certificate auto-update feature is enabled by default, so you shouldn't need to change any settings. The browser will automatically download and install new certificates as they become available.
However, you can manually check for updates if you still get the error. If that still doesn’t work, uninstall and reinstall the browser and restart your PC.
You can also secure your certificate if Chrome says it’s not valid to ensure your identity is always protected.
Claire Moraa
Windows Software Expert
How Can I Fix the ERR_SSL_KEY_USAGE_INCOMPATIBLE Error in Recent Versions of Chrome Browser?
Google Chrome requires the Digital Signature parameter to be added to the certificate in recent versions of this browser (specifically 119.0.6045.160 and higher). You will see the error shown in the screenshot below when trying to log in to the Management Tool using the Chrome browser if the Digital Signature parameter is not added to your self-signed certificate.
To fix this error, you can create a trusted self-signed certificate by following the steps below.
1. Create a Trusted Self-Signed Certificate
To create a trusted self-signed certificate, do the following:
1. Run Windows PowerShell
2. Enter the following command:
New-SelfSignedCertificate -Type Custom -DnsName "server", "server.domain.local", "192.168.0.1" -KeyUsage "DigitalSignature", "KeyEncipherment", "KeyAgreement" -KeyAlgorithm RSA -KeyLength 4096 -CertStoreLocation "cert:\CurrentUser\My" -FriendlyName "EkranSelfSignedCert" -NotAfter (Get-Date).AddMonths(36) -Subject "EkranCA"
The parameters in the command are defined as follows:
• DnsName: Specify all the names that are used for the server computer, i.e. hostname, domain name, and IP address.
• KeyLength: Use a length of at least 2048; some browsers will show a warning if the KeyLength is less than 4096.
• CertStoreLocation: The place where the certificate will be stored when created (the only available options are "LocalMachine\My" or "CurrentUser\My").
• FriendlyName: Used to specify a friendly name for the newly created certificate.
• NotAfter: Specify the expiration date for the certificate.
3. When the command is executed, you will then see the following in PowerShell:
2. Export the Trusted Self-Signed Certificate
To export the certificate, do the following:
1. Press Windows+R, enter "mmc" in the Run window that opens, and then press Enter.
2. In the User Account Control window that opens, click Yes.
3. In the Console window, select File > Add/Remove Snap-in.
4. In the Add or Remove Snap-ins window that opens, select Certificates, and then click the Add button.
5. In the Certificates snap-in window that opens, select My user account, and then click Next.
6. Click Certificates - Current User > Personal > Certificates.
7. Right-click on your certificate, and select the All Tasks > Export option.
8. On the Welcome to the Certificate Export Wizard page, click Next.
9. On the Export Private Key page, select the Yes, export the private key option, and then click Next.
10. On the Export File Format page, select the following checkboxes, and then click Next.
• Include all certificates in the certification path if possible
• Export all extended properties
• Enable certificate privacy
11. On the Security page, enter (and confirm) a password for the certificate, and then click Next.
12. On the File to Export page, click Browse, select the location where the certificate will be exported to, enter a name for the certificate, and then click Next.
13. On the last page of the Certificate Export Wizard, click Finish to complete exporting the certificate.
14. In the confirmation message, click OK.
3. Add the Trusted Self-Signed Certificate to the Trusted Certificates
To add the certificate to Trusted Root Certification Authorities, do the following:
1. Open the folder where the certificate was exported to.
2. Right-click the certificate, and select the Install PFX option.
3. On the Welcome to the Certificate Import Wizard page, select Local Machine, and then click Next.
4. On the File to Import page, click Next.
5. On the Private key protection page, enter the certificate password, and then click Next.
6. On the Certificate Store page, select the Place all certificates in the following store option, and then select Trusted Root Certification Authorities, and click Next.
7. On the last page of the Certificate Import Wizard, click Finish to complete importing the certificate.
8. In the confirmation message, click OK.
4. Configure Internet Information Services (IIS)
To use the certificate, do the following:
1. Open Internet Information Services (IIS) Manager.
2. In the Connections pane (on the left), expand the node with the name of the target computer, and select Server Certificates (in the pane in the center).
3. On the Server Certificates page, click Import (in the Actions pane on the right).
4. In the Import Certificate pop-up window that opens, select your certificate, enter its password, and then click OK.
5. In the Connections pane (on the left), expand the node with the name of the target computer, and then expand the Sites node underneath it, and select Default Web Site to open the Default Web Site Home pane (in the center).
6. In the Actions pane (on the right), click Bindings to open the Site Bindings window.
7. Double-click on the https record.
8. In the Edit Site Binding window that opens, check that the Type is https, and select your newly imported EkranSelfCert certificate in the SSL certificate field.
9. In the Site Bindings window, click Close, and Internet Information Services is then fully configured.
10. Restart the Chrome browser, and you should then be able to open the Management Tool.