EKW Scanners Inaccessible URL

Hi Mark,
On the new device, has Chrome been configured to ignore SSL errors?

I will check in the morning. Of course, getting a real cert would work too. :thinking:

2 Likes

We have the same issue. We are self-signed, but randomly turning the scanner off and on would fix it, but other times it would not.

1 Like

I tested connecting to my dev box with a trusted cert from Let’s Encrypt and was able to connect to that app server without any problems. It seems that Google is getting more stringent with certificates, and it appears that it’s a trend that isn’t going to let up anytime soon.

The question now is how much time do we put into getting self-signed certs working vs. updating our infrastructure? :person_shrugging:

@pphillips, the BISCiT confluence site (Login-to-system-using-self-signed-certificate) suggests hitting the site using Chrome and accepting the certificate. The Advanced option is no longer an option when we tried that.

Same problem started happening to us too.

The issue is the SSL certificate: the one that Epicor generates only sets the Key Usage for keyEncipherment, dataEncipherment. The recommendation is to regenerate the certificate using OpenSSL and select digitalSignature, keyCertSign, cRLSign. I would probably do all 5 just in case Epicor or Biscit validate. Not an expert in this, just following recommendations from others using self-signed certificates after Chrome started doing some extra validations.

Or the other option is to get a CA signed certificate from LetsEncrypt, Sectigo, or some other and apply it to Epicor. That should also solve the problem.

For reference the Error is ERR_SSL_KEY_USAGE_INCOMPATIBLE.

2 Likes
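A read-only check for the condition described in the post above, added here as an example (it is not from this thread and is not the PowerShell script the thread refers to): it lists certificates in the Windows machine store and flags any whose Key Usage lacks digitalSignature. The store path, the function names and the placeholder host name are assumptions.

```powershell
# Added example. Assumption: the app server certificate is in LocalMachine\My.
function Get-CertKeyUsageReport {
    param([string]$StorePath = 'Cert:\LocalMachine\My')

    $flags = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]
    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert = $_
        # The Key Usage extension (OID 2.5.29.15) may be absent entirely.
        $ku = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] } |
            Select-Object -First 1
        $usages = if ($ku) { $ku.KeyUsages } else { $flags::None }

        [pscustomobject]@{
            Subject             = $cert.Subject
            Thumbprint          = $cert.Thumbprint
            NotAfter            = $cert.NotAfter
            SelfSigned          = ($cert.Subject -eq $cert.Issuer)
            HasKeyUsageExt      = [bool]$ku
            KeyUsages           = $usages
            HasDigitalSignature = $usages.HasFlag($flags::DigitalSignature)
        }
    }
}

# Hypothetical helper: issue a replacement self-signed server certificate
# whose Key Usage includes DigitalSignature. Not called automatically.
function New-ServerCertWithDigitalSignature {
    param([Parameter(Mandatory)][string]$DnsName)  # e.g. 'appserver.example.local' (placeholder)

    New-SelfSignedCertificate -DnsName $DnsName `
        -CertStoreLocation 'Cert:\LocalMachine\My' `
        -KeyAlgorithm RSA -KeyLength 2048 `
        -KeyUsage DigitalSignature, KeyEncipherment `
        -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.1') `
        -NotAfter (Get-Date).AddYears(2)
}

# List certificates that would fail a check requiring digitalSignature.
Get-CertKeyUsageReport |
    Where-Object { -not $_.HasDigitalSignature } |
    Format-Table Subject, Thumbprint, SelfSigned, HasKeyUsageExt, KeyUsages -AutoSize
```

A new self-signed certificate still has to be bound to the site and trusted on each scanner, as later posts in the thread note.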

In case it’s helpful, Clint’s post on another thread has instructions on how to generate a valid self-signed certificate via PowerShell, and if using that self-signed cert, you’d likely need to install that certificate on each device.

I used their instructions specifically because I ran into the “ERR_SSL_KEY_USAGE_INCOMPATIBLE.” error when accessing Epicor via the web UI and/or REST.

And if using a trusted cert (like Let’s Encrypt), you don’t have to update each device.

Yes, and that would definitely be the proper solution!

I had assumed a self-signed certificate had been used, since it still has 8 years before expiring and it seems it’s already been in use for a while, but that’s a guess. If a certificate from a certificate authority had been used (and is now no longer functioning) then it should definitely be replaced with another certificate from a CA and not a self-issued certificate (though I’m surprised this issue would happen if the cert is from a CA).

1 Like

Out of curiosity, what MDM are you using?

1 Like

Manage Engine

1 Like


1 Like

Who do you think is in charge over here?


1 Like

Dear All, I am having the same problem. Once I reset the scanner to factory default, EKW can be used. One day later, I am again getting “Incorrect or inaccessible application server URL”. Any idea how to resolve this, as I have reset my scanner more than 3 times? I would appreciate it if anyone can help with this.

1 Like

Peter, any update on this?

1 Like

This is the message we got with the incorrectly created certificate (see above). Generating a new cert using the PowerShell script created by @Chris Lorenz above fixed the issue for us. The other solution is to use a trusted cert instead of a self-signed one.

1 Like

Hi Mark, sorry, I am not a technical guy. Do you mean that I need to generate a new cert on the Epicor server? I would appreciate it if you could elaborate in more detail. Thanks in advance.

1 Like

You’ll need a new cert. I can’t tell which version of Kinetic you’re on, but I’m fairly sure that 2023.2 generates a good one and 2021.2 and earlier does not.

You can also use the PowerShell script noted in the other thread above to be sure. Do read that thread to get more details.

The weird part is that after I did a factory reset on the scanner, it could be used. Not long after, the error came again. I try not to disturb the Epicor server. If I generate a new certificate, it will affect all client workstations. Are there any other solutions that I can perform on the scanner itself?

Hi Jose,

For customers who use self-signed certificates, a recent Chrome update now requires certificates to have a Key Usage field in the certificate.

Windows Server 2022 will have this field in their self-signed certs, whereas older Windows OS’ will not.

Please refer to section “Login to system using self-signed certificate” in the below article for ways to get a self-signed cert with a Key Usage field onto older Windows Server operating systems.

https://biscit.atlassian.net/wiki/spaces/BP/pages/2397044741/Login#Login-to-system-using-self-signed-certificate


1 Like

Others have reported the same behavior and the only solution was the new certificate. This is a new requirement in Chrome.

1 Like