Topic
While trying to access RPA Central, the customer receives an “Access Denied” page with the attached error, ERR_SSL_KEY_USAGE_INCOMPATIBLE. This occurs in both Edge and Chrome.
The information in this article was obtained from the following link, in the "more comments" section:
https://support.google.com/chrome/thread/239508594?hl=en&msgid=245019115
This error is due to a permanent change in the browsers that arrived with a recent update. The registry key below resolves the issue temporarily; see the links under Additional Information to permanently resolve this error message.
Root Cause and Solution
The root cause of this issue is a Chrome Variation, described in the Chrome release notes for versions 115, 116, and 117 (see Google's previous release notes).
Search those notes for "Require X.509 key usage extension for RSA certificates chaining to local roots" to read the blurb Google shared about this change.
There is no flag you can adjust to revert this variation, but Chrome provides the policy RSAKeyUsageForLocalAnchorsEnabled to temporarily disable it while you update your certificates. The policy documentation includes the following note, which provides some additional details:
This policy is available for administrators to preview the behavior of a future release, which will enable this check by default. At that point, this policy will remain temporarily available for administrators that need more time to update.
Connections which fail this check will fail with the error ERR_SSL_KEY_USAGE_INCOMPATIBLE. Sites which fail with this error likely have a misconfigured certificate. Modern ECDHE_RSA cipher suites use the "digitalSignature" key usage option, while legacy RSA decryption cipher suites use the "keyEncipherment" key usage option. If unsure, administrators should include both in RSA certificates meant for HTTPS.
- true = Enable RSA key usage checking
- false = Disable RSA key usage checking
- not set = Use the default setting for RSA key usage checking
Note that this behavior persists even after updating Chrome from 118.0.5993.89 to 118.0.5993.118.
Instructions
For Chrome:
Open Registry Editor and navigate to: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
- If you do not have a key named Google, create one: right-click in the space to the right, choose “New” then “Key”, and name it Google.
- Under Google, create a key named Chrome: right-click in the space to the right, choose “New” then “Key”, and name it Chrome.
- Under Chrome, create a new DWORD (32-bit) value: right-click in the space to the right, choose “New” then “DWORD (32-bit) Value”, and name it RSAKeyUsageForLocalAnchorsEnabled. Leave its value data at 0, which the policy reads as false.
- In Chrome, type chrome://policy in the address bar and press Enter.
- Click “Reload policies”.
- Find RSAKeyUsageForLocalAnchorsEnabled in the list; its value should show false.
For Edge:
Open Registry Editor and navigate to: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\
- If you do not have a key named Microsoft, create one: right-click in the space to the right, choose “New” then “Key”, and name it Microsoft.
- Under Microsoft, create a key named Edge: right-click in the space to the right, choose “New” then “Key”, and name it Edge.
- Under Edge, create a new DWORD (32-bit) value: right-click in the space to the right, choose “New” then “DWORD (32-bit) Value”, and name it RSAKeyUsageForLocalAnchorsEnabled. Leave its value data at 0, which the policy reads as false.
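The same registry workaround for both browsers, scripted, as an added example that is not part of this article or of Nintex's own tooling. It creates the Google\Chrome and Microsoft\Edge policy keys if they are missing, writes the DWORD value 0 (false) for RSAKeyUsageForLocalAnchorsEnabled, and prints the effective value so you can confirm it before reloading policies. The only assumption is that it is run from an elevated PowerShell prompt, since HKLM policy keys require administrator rights; edge://policy is Edge's counterpart of chrome://policy.

```powershell
# Added example (not Nintex's code): apply the temporary RSA key usage policy workaround.
# Run from an elevated PowerShell prompt; HKLM policy keys require administrator rights.

$policies = @(
    @{ Browser = 'Chrome'; Path = 'HKLM:\SOFTWARE\Policies\Google\Chrome' },
    @{ Browser = 'Edge';   Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge' }
)
$valueName = 'RSAKeyUsageForLocalAnchorsEnabled'

foreach ($p in $policies) {
    # New-Item -Force creates the missing Google\Chrome or Microsoft\Edge keys in one step.
    if (-not (Test-Path $p.Path)) {
        New-Item -Path $p.Path -Force | Out-Null
    }

    # DWORD 0 = false = disable the RSA key usage check (see the policy values above).
    New-ItemProperty -Path $p.Path -Name $valueName -PropertyType DWord -Value 0 -Force | Out-Null

    # Read the value back and report it the way the browser's policy page will show it.
    $current = (Get-ItemProperty -Path $p.Path -Name $valueName).$valueName
    $shownAs = if ($current -eq 0) { 'false' } else { 'true' }
    "{0}: {1} = {2} ({3})" -f $p.Browser, $valueName, $current, $shownAs
}

# Afterwards open chrome://policy or edge://policy and click "Reload policies".
# Once your certificates carry the correct key usage, remove the workaround again, e.g.:
#   Remove-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Google\Chrome'  -Name $valueName
#   Remove-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Edge' -Name $valueName
```

Leaving the value at 0 rather than deleting the property is what keeps the check disabled; deleting it returns the browser to the "not set" default, which is the permanent state you want once the certificates have been reissued.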
Additional Information
Please note that adding the above registry key resolves the error message only temporarily; the issue will likely recur.
If you obtain your certificate from a certificate authority, make sure they include the digitalSignature key usage in the certificate, as this is the new requirement for Google Chrome and Microsoft Edge.
If you use a self-signed certificate, see the link below, which shows how to create a self-signed certificate and publish it to IIS; this is the permanent fix.
This link, contained in the Support.Google.com thread above, was used successfully to create a new self-signed certificate:
https://documentation.ekransystem.com/view/how-to-fix-the-err_ssl_key-usage-incompatible-erro#HowCanIFixtheERR_SSL_KEY_USAGE_INCOMPATIBLEErrorinRecentVersionsofChromeBrowser?-4.ConfigureInternetinformationServices(IIS)
When running the PowerShell command in that article, change these items in the command:
- DNS Name: your FQDN.
- IP: your IP address.
- Friendly name: we changed it to Nintex RPA Central, but we are not sure this matters.
- Subject: your FQDN.
Next, install the certificate on the RPA Central machine in the Personal store and on the Bot machines in the Trusted Root store. If RPA Central is not accepting your credentials, try pasting the URL into an Incognito window in Chrome or an InPrivate window in Edge to see if credentials are accepted there. If so, clear your cache; you may also need to reboot, especially if credentials are still not accepted in regular mode.
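To tie the key usage requirement from the policy text to the certificate steps above, here is an added example (not the linked article's command and not Nintex's code) that creates the self-signed certificate with both digitalSignature and keyEncipherment, verifies those two bits on the result, and exports the public certificate for the Bot machines' Trusted Root store. The FQDN, IP address and export path are placeholders you must replace; the SAN with the DNS name and IP is supplied through -TextExtension rather than -DnsName, and the Test-RsaKeyUsage function is ours, also usable on a CA-issued certificate already installed on the server.

```powershell
# Added example (not Nintex's code): self-signed HTTPS certificate with the key usage
# bits Chrome and Edge now require, plus a check you can run against any certificate.
$fqdn         = 'rpacentral.example.local'   # placeholder: your FQDN
$ipAddress    = '192.0.2.10'                 # placeholder: your IP address
$friendlyName = 'Nintex RPA Central'
$exportPath   = "$env:TEMP\rpa-central.cer"  # placeholder export location

# Returns $true only when the Key Usage extension carries both digitalSignature
# (needed by ECDHE_RSA suites) and keyEncipherment (needed by legacy RSA suites).
function Test-RsaKeyUsage {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $ku = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    if (-not $ku) {
        Write-Warning "$($Certificate.Subject): no Key Usage extension present"
        return $false
    }
    $flags  = $ku.KeyUsages
    $hasSig = $flags.HasFlag([System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::DigitalSignature)
    $hasEnc = $flags.HasFlag([System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyEncipherment)
    Write-Host ("{0}: KeyUsage = {1}; digitalSignature={2} keyEncipherment={3}" -f $Certificate.Subject, $flags, $hasSig, $hasEnc)
    return ($hasSig -and $hasEnc)
}

# Create the certificate directly in the LocalMachine Personal store on the RPA Central machine.
# 2.5.29.17 is the Subject Alternative Name extension (DNS name + IP), 2.5.29.37 the Extended
# Key Usage extension with Server Authentication (1.3.6.1.5.5.7.3.1).
$cert = New-SelfSignedCertificate `
    -Subject "CN=$fqdn" `
    -FriendlyName $friendlyName `
    -KeyAlgorithm RSA -KeyLength 2048 `
    -KeyUsage DigitalSignature, KeyEncipherment `
    -TextExtension @("2.5.29.17={text}DNS=$fqdn&IPAddress=$ipAddress", '2.5.29.37={text}1.3.6.1.5.5.7.3.1') `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -NotAfter (Get-Date).AddYears(2)

if (-not (Test-RsaKeyUsage -Certificate $cert)) {
    throw 'Certificate lacks a required key usage bit; Chrome/Edge would still report ERR_SSL_KEY_USAGE_INCOMPATIBLE'
}

# Export only the public certificate (no private key) for distribution to the Bot machines.
Export-Certificate -Cert $cert -FilePath $exportPath | Out-Null
Write-Host "Exported $exportPath. On each Bot machine, import it into Trusted Root with:"
Write-Host "  Import-Certificate -FilePath <copied .cer> -CertStoreLocation Cert:\LocalMachine\Root"

# The same check applies to a CA-issued certificate already in the Personal store:
#   Get-ChildItem Cert:\LocalMachine\My | Where-Object Subject -like "*$fqdn*" |
#       ForEach-Object { Test-RsaKeyUsage -Certificate $_ }
```

The throw is deliberate: if a CA or an older script produced a certificate with only keyEncipherment, you find out here rather than from the browser error page after binding it in IIS.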
With both types of certificates, the minimum requirements listed under item 6 in the document below still need to be met for RPA Central to accept the certificate.
https://help.nintex.com/en-US/rpa/Central/Installation.htm#Set_your_Nintex_RPA_Central_URL%C2%A0and_security_certificate
If you have any questions or if these steps do not work for you, please send an email to support@nintex.com.