
IIS self-signed certificate: browser error ERR_SSL_KEY_USAGE_INCOMPATIBLE

  • 24-03-18 03:10
blog.csdn.net

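Keywords: IIS, self-signed certificate, browser, Google Chrome, Microsoft Edge, ERR_SSL_KEY_USAGE_INCOMPATIBLE.

I. Symptom

Chromium-based browsers such as Google Chrome and Microsoft Edge report the ERR_SSL_KEY_USAGE_INCOMPATIBLE error when visiting an IIS website that uses a self-signed certificate.

II. Cause

Chrome 117 checks whether the X.509 certificate used for HTTPS has its key usage extension configured correctly, in particular the digitalSignature flag. If the certificate's key usage extension is not configured correctly, the browser shows the ERR_SSL_KEY_USAGE_INCOMPATIBLE error. [1] [2] [3]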

Require X.509 key usage extension for RSA certificates chaining to local roots

X.509 certificates used for HTTPS should contain a key usage extension that declares how the key in a certificate may be used. Such instructions ensure certificates are not used in an unintended context, which protects against a class of cross-protocol attacks on HTTPS and other protocols. For this to work, HTTPS clients must check that server certificates match the connection’s TLS parameters, specifically that the key usage flag for digitalSignature and possibly keyEncipherment (depending on TLS ciphers in use) are asserted when using RSA.

Chrome 117 will begin enforcing that the key usage extension is set properly on RSA certificates chaining to local roots. Key usage is already required for ECDSA certificates, and for publicly trusted certificates. Enterprises can test and temporarily disable key usage enforcement using the RSAKeyUsageForLocalAnchorsEnabled policy (available in Chrome 116).

  • Chrome 116 on Android, Chrome OS, Linux, Mac, Windows: The RSAKeyUsageForLocalAnchorsEnabled policy is added.
  • Chrome 117 on Android, Chrome OS, Linux, Mac, Windows: Chrome begins enforcing that the key usage extension is set properly on RSA certificates chaining to local roots. Key usage is already required for ECDSA certificates, and for publicly trusted certificates.

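III. Solution

Replace the certificate with a self-signed certificate that has the DigitalSignature key usage. [4]

1. Log in to the server that hosts the IIS website.

2. Run Windows PowerShell as administrator.

3. Enter New-SelfSignedCertificate -FriendlyName <FriendlyName> -DnsName <DnsName> -KeyUsage DigitalSignature,KeyEncipherment -CertStoreLocation Cert:\LocalMachine\My. Here, replace <FriendlyName> with the name of the new certificate, such as Certificate, and replace <DnsName> with the computer name, such as Server. [5]

4. Run IIS Manager as administrator, open the home page of the website whose certificate needs replacing, click Bindings under the Actions pane on the right, edit the site binding of type HTTPS, and change its SSL certificate to the newly created self-signed certificate.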
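Before and after replacing the certificate, it helps to see which certificates in the store actually carry the key usage flags described above. The following PowerShell is an added example, not part of the original article; the function name Test-CertKeyUsage and the ReplaceCandidate column are hypothetical, and it assumes the same Cert:\LocalMachine\My store used in step 3.

```powershell
# Added example: report the key usage flags of each certificate in a store.
function Test-CertKeyUsage {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    process {
        $flagType = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]

        # The key usage extension has OID 2.5.29.15; a certificate may not have it.
        $raw = $Certificate.Extensions |
            Where-Object { $_.Oid.Value -eq '2.5.29.15' } |
            Select-Object -First 1

        $usages = $null
        if ($null -ne $raw) {
            # Decode from the raw extension bytes so KeyUsages is always available.
            $ku = [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension]::new($raw, $raw.Critical)
            $usages = $ku.KeyUsages
        }

        # rsaEncryption public key OID
        $isRsa  = $Certificate.PublicKey.Oid.Value -eq '1.2.840.113549.1.1.1'
        $hasSig = ($null -ne $usages) -and $usages.HasFlag($flagType::DigitalSignature)
        $hasEnc = ($null -ne $usages) -and $usages.HasFlag($flagType::KeyEncipherment)

        [pscustomobject]@{
            Subject          = $Certificate.Subject
            Thumbprint       = $Certificate.Thumbprint
            NotAfter         = $Certificate.NotAfter
            IsRsa            = $isRsa
            KeyUsagePresent  = ($null -ne $raw)
            DigitalSignature = $hasSig
            KeyEncipherment  = $hasEnc
            # Assumption of this example: an RSA certificate whose key usage
            # extension exists but omits digitalSignature should be replaced.
            ReplaceCandidate = $isRsa -and ($null -ne $raw) -and -not $hasSig
        }
    }
}

# Run in an elevated PowerShell session on the IIS server.
Get-ChildItem Cert:\LocalMachine\My | Test-CertKeyUsage |
    Sort-Object ReplaceCandidate -Descending |
    Format-Table Subject, IsRsa, KeyUsagePresent, DigitalSignature, KeyEncipherment, ReplaceCandidate -AutoSize
```

A certificate created with the command in step 3 should show DigitalSignature and KeyEncipherment both as True.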

References

[1] Previous release notes - Chrome Enterprise and Education Help

[2] ERR_SSL_KEY_USAGE_INCOMPATIBLE error in chrome (but not edge) for all google sites and some others. - Google Chrome Community

[3] ssl - ERR_SSL_KEY_USAGE_INCOMPATIBLE error Google Chrome—This site can’t be reached might be temporarily down or it may have moved permanently to a new web - Stack Overflow

[4] Solving Chrome “ERR_SSL_KEY_USAGE_INCOMPATIBLE” | FrameFlow

[5] New-SelfSignedCertificate (pki) | Microsoft Learn

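Note: This article is reposted from the article by 22842329 on blog.csdn.net, "https://blog.csdn.net/qq_22842329/article/details/135914570". Copyright belongs to the original author; this blog does not own the copyright and assumes no corresponding legal liability. If there is any infringement, please contact us for removal.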