Channel: Veeam Support Knowledge Base

Browser-based Application's Page Fails to Load With: ERR_SSL_KEY_USAGE_INCOMPATIBLE

KB ID: 4534
Product: Veeam ONE
Veeam Service Provider Console
Published: 2024-02-05
Last Modified: 2024-02-06

Challenge

When attempting to load the web page for Veeam ONE Web Client or Veeam Service Provider Console using Chrome or Edge, the page fails to load with the error:

ERR_SSL_KEY_USAGE_INCOMPATIBLE
[Image: Example of Error with Veeam ONE Web Client Page]

Cause

This error occurs when the certificate the site uses has KeyUsage values defined, but either the value Digital Signature or Non-Repudiation is not specified.

This may occur because the user-provided SSL certificate is missing either the Digital Signature or the Non-Repudiation KeyUsage value, or because the self-signed SSL certificate in use was carried over from an older version during an upgrade.

Default "Veeam ONE Website self-signed certificate" History

  • In Veeam ONE 10a and older, the self-signed certificate generated by the installer was created with the following:
    KeyUsage: Key Encipherment, Data Encipherment
  • In Veeam ONE 11, the self-signed certificate generated by the installer was created with the following:
    KeyUsage: Digital Signature, Key Encipherment, Data Encipherment
  • Starting in Veeam ONE 11a, the self-signed certificate generated by the installer is created with:
    KeyUsage: Digital Signature, Non-Repudiation, Key Encipherment, Data Encipherment

This means that if a Veeam ONE deployment was initially installed with version 11 or earlier and then upgraded to newer versions using the same self-signed certificate, the issue will occur.

Default Veeam Service Provider Console "Veeam Self-Signed Certificate" History

  • In Veeam Service Provider Console 5 and older, the self-signed certificate generated by the installer was created with the following:
    KeyUsage: Key Encipherment, Data Encipherment
  • Starting in Veeam Service Provider Console 6, the self-signed certificate generated by the installer is created with:
    KeyUsage: Digital Signature, Non-Repudiation, Key Encipherment, Data Encipherment

This means that if a Veeam Service Provider Console deployment was initially installed with version 5 or earlier and then upgraded to newer versions using the same self-signed certificate, the issue will occur.
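
To find out which certificates on a server match the condition described under Cause, the store can be audited from an Administrative PowerShell Console. The following is an added example, not part of the Veeam KB; the function name Get-KeyUsageAudit is hypothetical, and the check applies the condition exactly as the Cause section states it (KeyUsage defined, Digital Signature or Non-Repudiation missing).

```powershell
# Added example (not from the Veeam KB): report certificates in LocalMachine\My
# that match the condition described under "Cause".
function Get-KeyUsageAudit {
    param(
        [string]$StorePath = 'Cert:\LocalMachine\My'   # store used by the KB's scripts
    )
    $flags    = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]
    $required = @($flags::DigitalSignature, $flags::NonRepudiation)

    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert = $_
        # The KeyUsage extension (OID 2.5.29.15) is exposed as a typed object.
        $ku = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension]
        } | Select-Object -First 1

        if ($null -eq $ku) {
            # No KeyUsage extension at all: the condition in "Cause" does not apply.
            $missing = @()
            $status  = 'NoKeyUsageExtension'
        } else {
            # Collect each required flag that is not set on this certificate.
            $missing = @($required | Where-Object { ($ku.KeyUsages -band $_) -ne $_ })
            $status  = if ($missing.Count -gt 0) { 'Affected' } else { 'OK' }
        }

        [pscustomobject]@{
            Status       = $status
            FriendlyName = $cert.FriendlyName
            Thumbprint   = $cert.Thumbprint
            KeyUsages    = if ($ku) { $ku.KeyUsages.ToString() } else { '' }
            Missing      = ($missing -join ', ')
            NotAfter     = $cert.NotAfter
        }
    }
}

Get-KeyUsageAudit | Sort-Object Status | Format-Table -AutoSize
```

A certificate reported as Affected that is still bound to the VeeamReporter or Veeam Availability Console Web UI site is the one to replace using the steps under Solution.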

Solution

To resolve this issue, either generate a new Veeam self-signed certificate or import a new certificate you've generated, and then assign the new certificate to the site within IIS Manager.

Generate a New "Veeam ONE Website self-signed certificate"

On the machine where the Veeam ONE Web Services component is installed, open an Administrative PowerShell Console and run the following PowerShell script:

Note: The Veeam ONE Web Services are installed on the machine that you connect to when opening the Veeam ONE Web Client.

#Generate Self-Signed Certificate
$params = @{
    #DNS names placed on the certificate: the local host name as resolved by DNS, and the computer name
    DnsName = [System.Net.Dns]::GetHostByName("").HostName, $env:COMPUTERNAME
    CertStoreLocation = "Cert:\LocalMachine\My"
    #The yyMMdd prefix makes the new certificate easy to identify in IIS Manager
    FriendlyName = "$(Get-Date -Format 'yyMMdd') Veeam ONE Website self-signed certificate"
    Subject = 'CN=' + [System.Net.Dns]::GetHostByName("").HostName
    #Enhanced Key Usage (2.5.29.37): Server Authentication (1.3.6.1.5.5.7.3.1)
    TextExtension = @(
        '2.5.29.37={text}1.3.6.1.5.5.7.3.1'
    )
    KeyUsage = @("DigitalSignature","NonRepudiation","KeyEncipherment","DataEncipherment")
    NotAfter = (Get-Date).AddYears(10)
}
$cert = New-SelfSignedCertificate @params

#Add the certificate to the Trusted Root Certification Authorities
$rootStore = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
$rootStore.Open('ReadWrite')
$rootStore.Add($cert)
$rootStore.Close()

Generate a New "Veeam Self-Signed Certificate" for VSPC

On the machine where the Veeam Service Provider Console Web UI Component is installed, open an Administrative PowerShell Console and run the following PowerShell script:

Hint: The Web UI Component is installed on the machine that your browser was attempting to connect to.

#Generate Self-Signed Certificate
$params = @{
    #DNS names placed on the certificate: the local host name as resolved by DNS, and the computer name
    DnsName = [System.Net.Dns]::GetHostByName("").HostName, $env:COMPUTERNAME
    CertStoreLocation = "Cert:\LocalMachine\My"
    #The yyMMdd prefix makes the new certificate easy to identify in IIS Manager
    FriendlyName = "$(Get-Date -Format 'yyMMdd') Veeam Self-Signed Certificate"
    Subject = 'CN=' + [System.Net.Dns]::GetHostByName("").HostName
    #Enhanced Key Usage (2.5.29.37): Server Authentication (1.3.6.1.5.5.7.3.1)
    TextExtension = @(
        '2.5.29.37={text}1.3.6.1.5.5.7.3.1'
    )
    KeyUsage = @("DigitalSignature","NonRepudiation","KeyEncipherment","DataEncipherment")
    NotAfter = (Get-Date).AddYears(10)
}
$cert = New-SelfSignedCertificate @params

#Add the certificate to the Trusted Root Certification Authorities
$rootStore = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
$rootStore.Open('ReadWrite')
$rootStore.Add($cert)
$rootStore.Close()

Assigning the New Certificate to the Site

With a new certificate imported or generated using the steps above, perform the following steps to assign that certificate to the site within IIS Manager.

  1. Open Internet Information Services (IIS) Manager (InetMgr.exe).
  2. Expand the node for the server's name.
  3. Expand the Sites node.
  4. Right-click on the entry for the product:
    1. Veeam ONE Web Client = VeeamReporter
    2. Veeam Service Provider Console = Veeam Availability Console Web UI
  5. From the context menu, select Edit Bindings...
  6. In the Site Bindings window, double-click the https entry.
  7. Using the SSL certificate drop-down box, select the new certificate.

    Note: The self-signed certificate generation scripts on this KB add a datestamp prefix to the new certificate's name for easy identification.
  8. After selecting the new SSL certificate, click OK to close the https site binding settings, then close the Site Bindings window with the close button.
  9. Right-click the site, and from the Manage Website sub-menu, select Restart.