Troubleshooting the error ERR_SSL_KEY_USAGE_INCOMPATIBLE in Chrome and Edge web browsers

The article provides guidance for resolving an issue where Google Chrome and Microsoft Edge web browsers are unable to establish a secure connection to VisualSVN Server over HTTPS. The issue occurs with VisualSVN Server installations utilizing a self-signed certificate generated with version 4.0.5 or earlier.

Symptoms

  • Users attempting to connect to VisualSVN Server through Google Chrome or Microsoft Edge encounter the following error message:
    ERR_SSL_KEY_USAGE_INCOMPATIBLE
  • The affected VisualSVN Server installation is using a self-signed certificate for HTTPS. The certificate was generated by VisualSVN Server 4.0.5 or an earlier version and doesn't have the Key Usage = Digital signature extension.
Note
The article focuses on the scenario when the certificate is self-signed and was generated by VisualSVN Server. However this issue may potentially occur when the certificate isn't self-signed. In that case please ensure that the current certificate has a proper Key Usage extension as described below (Key Usage = Digital signature). If necessary obtain a new certificate to resolve the issue.

Cause

Starting from version 117, Google Chrome and Microsoft Edge web browsers require a proper Key Usage extension to be present in HTTPS certificates. When modern cipher suites are used, the Key Usage extension has to include the Digital signature (digitalSignature) option. When a proper Key Usage extension is missing, the web browser refuses to establish the connection to the server.

Versions of VisualSVN Server up to 4.0.5 didn't enable a proper Key Usage extension when generating self-signed certificates. Starting from version 4.1.0, VisualSVN Server enables the required extension when generating self-signed certificates. So the issue can be resolved by installing a new certificate generated in VisualSVN Server version 4.1.0 or later.

Resolution

Please follow these steps to resolve the problem when your VisualSVN Server installation has a self-signed certificate installed:

  1. Ensure that your VisualSVN Server installation is at least at version 4.1.x.
    Note
    Although having at least version 4.1.x is sufficient to resolve the issue described in this article, we strongly recommend upgrading your VisualSVN Server to the latest available version. The version family 4.1.x has already reached End of Support. Please download the latest version from the main download page.
  2. Generate a new self-signed certificate in VisualSVN Server. See the section Running VisualSVN Server with a self-signed SSL certificate in the article KB134 for instructions.

See also

KB134: Configuring SSL Certificates for VisualSVN Server

Last Modified: