Keywords: IIS, self-signed certificate, browser, Google Chrome, Microsoft Edge, ERR_SSL_KEY_USAGE_INCOMPATIBLE.
I. Symptom
When Google Chrome, Microsoft Edge or another Chromium-based browser opens an IIS website that uses a self-signed certificate, the browser reports the ERR_SSL_KEY_USAGE_INCOMPATIBLE error.
II. Cause
Starting with Chrome 117, the browser checks whether an X.509 certificate used for HTTPS carries a correctly configured Key Usage extension, in particular the digitalSignature flag. If the certificate's Key Usage extension is not configured correctly, the browser shows the ERR_SSL_KEY_USAGE_INCOMPATIBLE error. [1] [2] [3]
Require X.509 key usage extension for RSA certificates chaining to local roots
X.509 certificates used for HTTPS should contain a key usage extension that declares how the key in a certificate may be used. Such instructions ensure certificates are not used in an unintended context, which protects against a class of cross-protocol attacks on HTTPS and other protocols. For this to work, HTTPS clients must check that server certificates match the connection's TLS parameters, specifically that the key usage flag for digitalSignature and possibly keyEncipherment (depending on TLS ciphers in use) are asserted when using RSA. Chrome 117 will begin enforcing that the key usage extension is set properly on RSA certificates chaining to local roots. Key usage is already required for ECDSA certificates, and for publicly trusted certificates. Enterprises can test and temporarily disable key usage enforcement using the RSAKeyUsageForLocalAnchorsEnabled policy (available in Chrome 116).
- Chrome 116 on Android, Chrome OS, Linux, Mac, Windows: The RSAKeyUsageForLocalAnchorsEnabled policy is added.
- Chrome 117 on Android, Chrome OS, Linux, Mac, Windows: Chrome begins enforcing that the key usage extension is set properly on RSA certificates chaining to local roots. Key usage is already required for ECDSA certificates, and for publicly trusted certificates.
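To see which side of this rule a given server certificate falls on, the following PowerShell script (an added example, not code from the original post or from Chrome) inspects the Key Usage extension of certificates in the Local Machine Personal store and reports RSA certificates whose extension is present but does not assert digitalSignature. It assumes the certificate lives in Cert:\LocalMachine\My; the thumbprint is a placeholder.

```powershell
# Added example, not code from the original post. It inspects the Key Usage
# extension of an RSA certificate the way the Chrome 117 enforcement described
# above does. Assumption: the certificate lives in Cert:\LocalMachine\My and the
# thumbprint below is a placeholder to be replaced.
using namespace System.Security.Cryptography.X509Certificates

function Test-ChromeRsaKeyUsage {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [X509Certificate2]$Certificate
    )

    # 1.2.840.113549.1.1.1 is rsaEncryption; the new check only applies to RSA keys
    # (ECDSA certificates have been checked already).
    $isRsa = $Certificate.PublicKey.Oid.Value -eq '1.2.840.113549.1.1.1'

    $kuExt = $Certificate.Extensions | Where-Object { $_ -is [X509KeyUsageExtension] }

    $digitalSignature = $false
    $keyEncipherment  = $false
    $compatible       = $true
    $kuText           = '(extension absent)'

    if ($kuExt) {
        $kuText           = $kuExt.KeyUsages.ToString()
        $digitalSignature = $kuExt.KeyUsages.HasFlag([X509KeyUsageFlags]::DigitalSignature)
        $keyEncipherment  = $kuExt.KeyUsages.HasFlag([X509KeyUsageFlags]::KeyEncipherment)
        # ECDHE_RSA cipher suites sign the handshake with the certificate key, so an
        # RSA certificate whose Key Usage is present but lacks digitalSignature is
        # the case that produces ERR_SSL_KEY_USAGE_INCOMPATIBLE. An absent extension
        # imposes no restriction under RFC 5280 and is not flagged here.
        if ($isRsa -and -not $digitalSignature) { $compatible = $false }
    }

    [pscustomobject]@{
        Subject          = $Certificate.Subject
        Thumbprint       = $Certificate.Thumbprint
        IsRsa            = $isRsa
        KeyUsage         = $kuText
        DigitalSignature = $digitalSignature
        KeyEncipherment  = $keyEncipherment
        ChromeCompatible = $compatible
    }
}

# Check one certificate (replace the placeholder with the site's certificate thumbprint)...
$thumbprint = 'REPLACE_WITH_THUMBPRINT'
$cert = Get-Item -Path "Cert:\LocalMachine\My\$thumbprint" -ErrorAction SilentlyContinue
if ($cert) { Test-ChromeRsaKeyUsage -Certificate $cert | Format-List }

# ...or audit the whole Personal store for RSA certificates Chrome 117+ will reject.
Get-ChildItem -Path Cert:\LocalMachine\My |
    ForEach-Object { Test-ChromeRsaKeyUsage -Certificate $_ } |
    Where-Object { $_.IsRsa -and -not $_.ChromeCompatible } |
    Format-Table Subject, KeyUsage, ChromeCompatible -AutoSize
```

Run it in an elevated PowerShell on the IIS server. A certificate that shows up in the final table is one the browser will reject regardless of whether its root is trusted locally, which is why installing the self-signed certificate in the client's trusted root store does not make the error go away.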
III. Solution
Replace the certificate with a self-signed certificate whose Key Usage includes DigitalSignature. [4]
1. Log on to the server that hosts the IIS website.
2. Run Windows PowerShell as administrator.
3. Enter the New-SelfSignedCertificate command with -FriendlyName set to the name of the new certificate (for example, Certificate) and the computer name (for example, Server) supplied as the second value. [5]
4. Run IIS Manager as administrator, open the home page of the website whose certificate needs replacing, click Bindings in the Actions pane on the right, edit the HTTPS site binding, and change its SSL certificate to the newly created self-signed certificate.
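Steps 3 and 4 as a single script, added here as an example and not taken from the original post or the referenced articles. It assumes the computer name is passed through the cmdlet's -DnsName parameter (the post does not name the parameter that takes the computer name), that the certificate goes into the Local Machine Personal store, that the site's HTTPS binding is on *:443, and that the WebAdministration module that ships with IIS is used in place of the IIS Manager GUI. The site name and the example values are placeholders.

```powershell
# Added example, not code from the original post: steps 3 and 4 as a script.
# Assumptions (not stated in the post): the computer name is passed through
# -DnsName so it becomes the certificate's Subject Alternative Name, the new
# certificate goes into the Local Machine Personal store, the HTTPS binding is
# *:443, and the WebAdministration module is used instead of the IIS Manager GUI.
$FriendlyName = 'Certificate'        # example certificate name from the post
$HostName     = 'Server'             # example computer name from the post
$SiteName     = 'Default Web Site'   # placeholder: the IIS site to rebind

# Step 3: create an RSA certificate whose Key Usage extension explicitly asserts
# digitalSignature (the flag Chrome 117+ requires) and keyEncipherment.
$cert = New-SelfSignedCertificate `
    -FriendlyName      $FriendlyName `
    -DnsName           $HostName `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -KeyAlgorithm      RSA `
    -KeyLength         2048 `
    -KeyUsage          DigitalSignature, KeyEncipherment `
    -NotAfter          (Get-Date).AddYears(1)

# Refuse to rebind if the extension did not come out as intended.
$kuExt = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension]
}
if (-not $kuExt -or -not $kuExt.KeyUsages.HasFlag(
        [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature)) {
    throw 'New certificate does not assert digitalSignature; not changing the IIS binding.'
}
"Created $($cert.Thumbprint) with Key Usage: $($kuExt.KeyUsages)"

# Step 4: make sure the site has an HTTPS binding, then attach the certificate to it
# (the scripted equivalent of Bindings > Edit > SSL certificate in IIS Manager).
Import-Module WebAdministration
if (-not (Get-WebBinding -Name $SiteName -Protocol https)) {
    New-WebBinding -Name $SiteName -Protocol https -Port 443 -IPAddress '*'
}
$sslBinding = 'IIS:\SslBindings\0.0.0.0!443'
if (Test-Path $sslBinding) { Remove-Item $sslBinding }   # drop the old certificate mapping
New-Item -Path $sslBinding -Value $cert | Out-Null
Get-Item $sslBinding | Format-List Thumbprint, Sites
```

The explicit -KeyUsage argument is the point of the exercise: it makes the digitalSignature requirement visible in the script rather than relying on the cmdlet's defaults. Replacing the certificate removes the ERR_SSL_KEY_USAGE_INCOMPATIBLE error only; because the new certificate is still self-signed, clients will continue to warn about it until it is trusted on their side, as before.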
References
[1] Previous release notes - Chrome Enterprise and Education Help
[4] Solving Chrome “ERR_SSL_KEY_USAGE_INCOMPATIBLE” | FrameFlow