Solving Chrome "ERR_SSL_KEY_USAGE_INCOMPATIBLE"

Learn How to Create a New Self-Signed IIS Certificate

Google Chrome "ERR_SSL_KEY_USAGE_INCOMPATIBLE"

Google Chrome recently rolled out an update that went live for most users this morning. The update adds new security requirements that prevent Chrome from connecting to web servers running on IIS that use self-signed SSL certificates created with default settings. PIM+ users who have updated Chrome today and then try to access our interface using their self-signed certificates may encounter the following error:

Error Message about SSL Key

This blog post shows you how to manually create a new self-signed certificate with the settings required by the new version of Chrome. If you're not yet running on IIS, you can follow the steps in our Running PIM+ on IIS resource to get started.

Solving the Chrome Error

To begin, open PowerShell and run the following command to create a new self-signed certificate. Set the DNS name to match the hostname of your PIM+ server, specify the certificate location, and make sure the KeyUsage is set to "DigitalSignature".

New-SelfSignedCertificate -FriendlyName PIM+ -DnsName PIM+ -CertStoreLocation Cert:\LocalMachine\My -KeyUsage DigitalSignature

Next, open IIS Manager and you should find your new self-signed certificate under "Server Certificates". To apply your changes, navigate to the "Sites" folder in the left-hand tree structure of the IIS Manager and find your website. Right-click on it and choose "Edit Bindings".

"Edit Bindings" Option

In the box that pops up, select your site binding and choose "Edit" from the right-hand menu.

Site Bindings Editor

This will open a new window. At the bottom of this window, you'll see a dropdown chooser labeled "SSL Certificate". Use this dropdown to select your certificate. Click "OK" when you're done.

Editing Site Binding

Now, when you go back to Chrome and refresh PIM+, you'll be met with the following message. Chrome shows it because the new certificate is self-signed, so it does not chain to a certificate authority that the browser trusts.

Chrome Warning

To progress past this warning, click the "Advanced" button on the bottom left to reveal the link to proceed.

Proceeding to PIM+
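
To confirm that the new certificate carries the "DigitalSignature" key usage, and to find any other certificates in the same store that would still trigger the error, the following PowerShell reports the KeyUsage flags of every certificate in the store. It is an added example, not part of the original post; the function name Get-CertKeyUsageReport and the status labels are hypothetical, and a certificate with no KeyUsage extension is reported as unrestricted because the extension is optional in X.509.

```powershell
# Added example (not from the original post): list the KeyUsage flags of each
# certificate in a store and flag those that lack DigitalSignature.
function Get-CertKeyUsageReport {
    param(
        # Assumption: the same store the post's New-SelfSignedCertificate command uses.
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )

    $kuType   = [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension]
    $required = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # KeyUsage is an optional extension; pick it out of the collection by type.
        $ku = $cert.Extensions | Where-Object { $_ -is $kuType } | Select-Object -First 1

        if ($null -eq $ku) {
            $flags  = '(no KeyUsage extension)'
            $status = 'Unrestricted'             # hypothetical label
        }
        elseif ($ku.KeyUsages.HasFlag($required)) {
            $flags  = $ku.KeyUsages.ToString()
            $status = 'OK'                       # hypothetical label
        }
        else {
            $flags  = $ku.KeyUsages.ToString()
            $status = 'MissingDigitalSignature'  # hypothetical label
        }

        [pscustomobject]@{
            FriendlyName = $cert.FriendlyName
            Subject      = $cert.Subject
            SelfSigned   = ($cert.Subject -eq $cert.Issuer)
            NotAfter     = $cert.NotAfter
            KeyUsages    = $flags
            Status       = $status
            Thumbprint   = $cert.Thumbprint
        }
    }
}

# Show certificates that need replacing first.
Get-CertKeyUsageReport | Sort-Object Status | Format-Table -AutoSize
```

Match the Thumbprint of any row marked MissingDigitalSignature against the certificate selected in the site's "SSL Certificate" dropdown to see whether that binding still needs the new certificate.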