vpollinzi
Aspirant
Jan 20, 2024

Enabling Always Use HTTPS to Access Extender breaks connectivity

Hello - Tried to enable "Always Use HTTPS to Access Extender" for Web Services Management; however, once enabled, I can no longer connect to the extender. Running Windows 10 Pro, build 19045.3930 with the latest version of Chrome, Version 120.0.6099.225 (Official Build) (64-bit).

 

The error message is as follows:
This site can’t be reached. The webpage at https://mywifiext/ might be temporarily down or it may have moved permanently to a new web address.
ERR_SSL_KEY_USAGE_INCOMPATIBLE

 

Appears to be a possible certificate issue. Is yet another subscription service necessary for this feature to work?
Any assistance would be appreciated.

 

4 Replies

  • schumaku
    Guru - Experienced User

    Yes, it's a nifty issue with the certificate usage bits, for example on the self-signed certificates in use. Explained in depth here.

    • vpollinzi
      Aspirant

      Thanks for your feedback! I suppose the developer/programmer that added the option didn't understand the ramifications of maintaining certificates. Disabling RSA key usage in Chrome doesn't buy me any more security than what I have with the HTTP protocol (chrome --force-fieldtrials=RSAKeyUsageForLocalAnchors/DisabledLaunch).
       

      An encrypted connection to the management console would have been nice though. Guess I'll have to rely on a strong password. Thanks again.

       

      • schumaku
        Guru - Experienced User

        vpollinzi wrote:

        I suppose the developer/programmer that added the option didn't understand the ramifications of maintaining certificates. Disabling RSA key usage in Chrome doesn't buy me any more security than what I have with the HTTP protocol (chrome --force-fieldtrials=RSAKeyUsageForLocalAnchors/DisabledLaunch).

        That's not the case. For once, one of the browser makers again runs ahead with something the industry - and even more consumer devices and infrastructures - can't cope with (like fully featured DNS infrastructures, to allow complete HTTPS deployment). This does not abandon any HTTPS security. Many more vendors are affected by this wonderful rush forward. The browser will just not look for the keyUsage bits like digitalSignature -and- keyEncipherment, which typically do not exist on any self-signed and many CA-signed certificates. It won't abandon the basic encryption. The browser simply errors out and won't continue in case the keyEncipherment bit is not set.
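
An added example, not part of the thread and not NETGEAR's or any browser's code: a small Python DER walker that lists the keyUsage bits a certificate asserts and applies the rule from RFC 5246 section 7.4.2, which is the kind of mismatch ERR_SSL_KEY_USAGE_INCOMPATIBLE reports. The function names and the sample extension bytes are constructed for illustration.

```python
KU_NAMES = ["digitalSignature", "nonRepudiation", "keyEncipherment",
            "dataEncipherment", "keyAgreement", "keyCertSign",
            "cRLSign", "encipherOnly", "decipherOnly"]
KU_OID = bytes.fromhex("551d0f")  # 2.5.29.15, id-ce-keyUsage

def tlvs(buf):
    """Yield (tag, value) for each DER element in buf."""
    i = 0
    while i < len(buf):
        tag, n = buf[i], buf[i + 1]
        i += 2
        if n & 0x80:                      # long form: next k bytes hold the length
            k = n & 0x7F
            n, i = int.from_bytes(buf[i:i + k], "big"), i + k
        yield tag, buf[i:i + n]
        i += n

def find_key_usage(der):
    """Return the set of asserted keyUsage names, or None if no such extension."""
    for tag, val in tlvs(der):
        if not tag & 0x20:                # primitive element: nothing to descend into
            continue
        items = list(tlvs(val))
        if items and items[0] == (0x06, KU_OID):
            _, bits = next(tlvs(items[-1][1]))   # BIT STRING inside extnValue
            data = bits[1:]                      # bits[0] = count of unused bits
            return {KU_NAMES[i] for i in range(min(9, 8 * len(data)))
                    if data[i // 8] & (0x80 >> (i % 8))}
        found = find_key_usage(val)
        if found is not None:
            return found
    return None

def usable_for(der, key_exchange):
    """RFC 5246 7.4.2: RSA key exchange needs keyEncipherment, (EC)DHE_RSA needs
    digitalSignature, but only when the keyUsage extension is present."""
    ku = find_key_usage(der)
    if ku is None:
        return True
    need = "keyEncipherment" if key_exchange == "RSA" else "digitalSignature"
    return need in ku

# Constructed samples; a single Extension or a whole certificate in DER both work.
EXT_BOTH = bytes.fromhex("300e0603551d0f0101ff0404030205a0")     # sig + encipherment
EXT_CA_ONLY = bytes.fromhex("300e0603551d0f0101ff040403020106")  # keyCertSign, cRLSign
EXT_NO_KU = bytes.fromhex("300f0603551d130101ff040530030101ff")  # basicConstraints only

if __name__ == "__main__":
    for ext in (EXT_BOTH, EXT_CA_ONLY, EXT_NO_KU):
        print(find_key_usage(ext), usable_for(ext, "ECDHE"), usable_for(ext, "RSA"))
```

To inspect a real device certificate, pass the DER bytes returned by `ssl.PEM_cert_to_DER_cert(pem)` to `find_key_usage`.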