topic Re: Palo Alto Login issue though GUI " ERR_SSL_KEY_USAGE_INCOMPATIBLE " (Solved) in Next-Generation Firewall Discussions

Palo Alto Login issue though GUI " ERR_SSL_KEY_USAGE_INCOMPATIBLE " (Solved)

abdul.munem — Sun, 10 Dec 2023 08:29:32 GMT

For the last few days, we have been experiencing an issue with logging in to the Palo Alto Firewall through the GUI. We are getting the below error from the browser during login.

Re: Palo Alto Login issue though GUI " ERR_SSL_KEY_USAGE_INCOMPATIBLE " (Solved)

msyeedrafiqi — Sun, 10 Dec 2023 19:22:05 GMT

It is the issue with chrome not an issue of the firewall you will be able use Microsoft Edge and Mozilla Firefox and it will work.

There is a workaround you do for chrome:

Open registry editor and go to the following path:
>HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Google\Chrome

> Right-click and > Add a new DWORD (32-bit) Value ,Changed the Name to RSAKeyUsageForLocalAnchorsEnabled and set the value as the default (00000000).

Close chrome and open again. You can reach out to to google through google support form for editing the key usage field and also check with your Certificate authority.

Re: Palo Alto Login issue though GUI " ERR_SSL_KEY_USAGE_INCOMPATIBLE " (Solved)

abdul.munem — Wed, 13 Dec 2023 11:14:54 GMT

This is not only for Chrome we also experienced issues with the Mozilla browser. Only MS-EDGE is working

Re: Palo Alto Login issue though GUI " ERR_SSL_KEY_USAGE_INCOMPATIBLE " (Solved)

msyeedrafiqi — Thu, 14 Dec 2023 11:00:03 GMT

oh ok, but yeah as I said the issue from these browsers for key usage field in certificates you can check on their support forms to check if there any fix version or you can follow the same work around

Re: Palo Alto Login issue though GUI " ERR_SSL_KEY_USAGE_INCOMPATIBLE " (Solved)

Kobiher — Thu, 01 Feb 2024 13:19:42 GMT

my colleague found this article in the PA knowledgebase that seems to explain and resolve the issue:

The captive portal page cannot be opened with an ERR_SSL_KEY_US... - Knowledge Base - Palo Alto Networks

welcome,

Re: Palo Alto Login issue though GUI " ERR_SSL_KEY_USAGE_INCOMPATIBLE " (Solved)

abdul.munem — Thu, 01 Feb 2024 14:48:46 GMT

This one does not apply to another browser instead of Chrome.

Re: Palo Alto Login issue though GUI " ERR_SSL_KEY_USAGE_INCOMPATIBLE " (Solved)

Dan_Morin — Fri, 01 Mar 2024 17:26:15 GMT

For at least one of our clients, we get this with Edge as well as Chrome. PAN-OS is at 10.1.10-h1 rather than 11 like Palo's KB says would be affected.
It is only with Palos that I've come across this. What gives?

Re: Palo Alto Login issue though GUI " ERR_SSL_KEY_USAGE_INCOMPATIBLE " (Solved)

Dan_Morin — Fri, 01 Mar 2024 17:27:15 GMT

Oh, but it does work with Firefox.

Re: Palo Alto Login issue though GUI " ERR_SSL_KEY_USAGE_INCOMPATIBLE " (Solved)

Kobiher — Thu, 28 Mar 2024 06:55:10 GMT

Abdul & Dan - that's because you missed an important fact - it's a change in chrome behavior but Edge uses Chromium technology (which is what - surprise ! - Chrom is based on as well, therefore they both exhibit the same issue, but as Dan later replied, doesn't happen with Firefox because they use their own engine/tech whatever,

and the solution is - configure the Captive portal certificate with key usage specified (or disable the usage of "RSAkey" in chrome/Edge

Re: Palo Alto Login issue though GUI " ERR_SSL_KEY_USAGE_INCOMPATIBLE " (Solved)

Ifixtheinternet — Mon, 06 May 2024 18:20:48 GMT

We are having this issue with both Chrome and Edge.

"configure the Captive portal certificate with key usage specified"

So, is it possible to do this with a self-signed certificate on the Palo Alto, or is it now required to issue said Certificate from a Certificate Authority? I don't see that option in the Palo Alto Certificate generation articles.

Deleting the ssl/tls service profile isn't an option for us, since we need that to enforce a minimum TLS version, which is required for PCI compliance.

Re: Palo Alto Login issue though GUI " ERR_SSL_KEY_USAGE_INCOMPATIBLE " (Solved)

Ifixtheinternet — Tue, 07 May 2024 21:47:51 GMT

Palo Alto confirmed in our support case that there is no available method to add the Key Usage extension to a self-signed certificate generated on the Palo Alto. The Certificate must be issued from a CA to add the Key Usage Extension.

Re: Palo Alto Login issue though GUI " ERR_SSL_KEY_USAGE_INCOMPATIBLE " (Solved)

BENGOOCH — Thu, 09 May 2024 14:44:05 GMT

Thank you! This worked perfectly for me. My connection to Panorama still wasn't working even after creating the registry edit suggested below. I console'd into the Panorama VM and deleted the ssl-tls-service-profile and now my connection works without issue.

Re: Palo Alto Login issue though GUI " ERR_SSL_KEY_USAGE_INCOMPATIBLE " (Solved)

bgre033 — Wed, 19 Mar 2025 10:28:06 GMT

This isn't correct, as a self-signed CA cert can generate a non-CA cert with the correct fields. This is as per step 4 of https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000XhgTCAS&lang=en_US.

4. If the issue is with a firewall/panorama self-signed CA certificate then generate a non-CA certificate, ideally one signed by the CA certificate created earlier, and attach this new certificate to the management interface. This will add the necessary fields to the 'Key Usage' section, allowing it to pass browser validation.

This resolved the issue for me with 11.1.6-h3.