ERR_SSL_KEY_USAGE_INCOMPATIBLE error when accessing the EdgeSWG MGMT Console


Article ID: 275238




ProxySG Software - SGOS ISG Proxy Advanced Secure Gateway Software - ASG ASG-S200 ASG-S400 ASG-S500


When accessing the EdgeSWG WebUI, the browser returns the certificate error "ERR_SSL_KEY_USAGE_INCOMPATIBLE".


To fix this, create a proper server certificate that does not have the "CA" field.
You can generate a CSR and send it to the PKI team for signing, or have the PKI team create the CSR and certificate for you.
Creating a Certificate Signing Request (CSR)
Import Certificates onto the ProxySG Appliance
The below links also discuss the issue of having the "CA" ability with this certificate:
Secure the HTTPS Management Console
Create a certificate signed by a trusted CA.
"Do not rely on the self-signed certificate provided by default. Before deploying your appliance, create a new SSL interception keyring and replace the built-in self-signed certificate with one signed by a CA conforming to your PKI and your security policy. Follow instructions in “Create a CA-Signed Certificate” in the First Steps Deployment Guide to generate a CSR and issue the appropriate certificate."
SSL Proxy Best Practices
It also appears that some browsers have started enforcing this check of the Key Usage against the Basic Constraints extension, and "CA=True" on a server certificate can cause this issue.
In either case, the resolution is to issue a server certificate to the proxy for accessing the Management Console, and not to use a certificate that has the Basic Constraints CA=True field.
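
One way to check a certificate for the Basic Constraints CA=True field before importing it, as an added example that is not part of the original article. It assumes the OpenSSL command-line tool is installed; the function names, subject name, file names and sample certificates are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: pre-import check for a Management Console certificate.
# Subject name, paths and sample certificates are constructed for the demo.

# Create a throwaway self-signed certificate so the check can run offline.
# $1 = output prefix, $2 = basicConstraints value, $3 = keyUsage value
make_sample_cert() {
    cat > "$1.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = ext
[dn]
CN = proxy.example.test
[ext]
basicConstraints = critical,$2
keyUsage = critical,$3
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1.cnf" \
        -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# Returns 0 when Basic Constraints is absent or CA:FALSE, 1 when the
# certificate is marked CA:TRUE, 2 when the file cannot be parsed.
check_server_cert() {
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || return 2
    # OpenSSL prints each extension value on the line after its name.
    bc=$(printf '%s\n' "$text" |
         awk '/X509v3 Basic Constraints/ { getline; gsub(/^ +/, ""); print; exit }')
    ku=$(printf '%s\n' "$text" |
         awk '/X509v3 Key Usage/ { getline; gsub(/^ +/, ""); print; exit }')
    echo "$1: Basic Constraints=[$bc] Key Usage=[$ku]"
    case "$bc" in
        *CA:TRUE*) echo "  FAIL: CA=True present, request a server certificate"
                   return 1 ;;
    esac
    echo "  OK: not a CA certificate"
}

# Demo: one CA-style certificate and one server-style certificate.
demo_dir=$(mktemp -d)
make_sample_cert "$demo_dir/ca-style" CA:TRUE keyCertSign,cRLSign
make_sample_cert "$demo_dir/server" CA:FALSE digitalSignature,keyEncipherment
for c in ca-style server; do
    check_server_cert "$demo_dir/$c.pem" || true
done
rm -rf "$demo_dir"
```

To check the certificate returned by the PKI team, call `check_server_cert` with the path to that PEM file instead of the generated samples.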