RSAKeyUsageForLocalAnchorsEnabled

Check RSA key usage for server certificates issued by local trust anchors
Last updated October 8, 2024
Deprecated

The X.509 key usage extension declares how the key in a certificate may be used. Such instructions ensure certificates are not used in an unintended context, which protects against a class of cross-protocol attacks on HTTPS and other protocols. For this to work, HTTPS clients must check that server certificates match the connection's TLS parameters.

Starting in Google Chrome 124, this check is always enabled. Google Chrome 123 and earlier have the following behavior:

If this policy is set to enabled, Google Chrome will perform this check. This helps prevent attacks where an attacker manipulates the browser into interpreting a key in ways that the certificate owner did not intend.

If this policy is set to disabled, Google Chrome will skip this check in HTTPS connections that both negotiate TLS 1.2 and use an RSA certificate that chains to a local trust anchor. Examples of local trust anchors include policy-provided or user-installed root certificates. In all other cases, the check is performed independent of this policy's setting.

If the policy is not configured, Google Chrome will behave as if the policy is enabled.

Connections which fail this check will fail with the error ERR_SSL_KEY_USAGE_INCOMPATIBLE. Sites which fail with this error likely have a misconfigured certificate. Modern ECDHE_RSA cipher suites use the "digitalSignature" key usage option, while legacy RSA decryption cipher suites use the "keyEncipherment" key usage option. If unsure, administrators should include both in RSA certificates meant for HTTPS.
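The check described above can be modeled as follows. This is an added example, not Chrome's code: the function names and the sample extension bytes are constructed for illustration, and treating a certificate with no key usage extension as unrestricted is an assumption taken from RFC 5280.

```python
# Added example: names below (required_usage, check_server_cert, ...) are hypothetical.
KEY_USAGE_NAMES = [  # bit positions from RFC 5280, section 4.2.1.3
    "digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
    "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly",
]

def parse_key_usage(der: bytes) -> set:
    """Decode the DER BIT STRING carried inside a keyUsage extension value."""
    if len(der) < 3 or der[0] != 0x03 or der[1] != len(der) - 2:
        raise ValueError("not a short-form DER BIT STRING")
    unused, body = der[2], der[3:]
    if unused > 7 or (not body and unused):
        raise ValueError("bad unused-bits count")
    total_bits = len(body) * 8 - unused
    usages = set()
    for i in range(min(total_bits, len(KEY_USAGE_NAMES))):
        if body[i // 8] & (0x80 >> (i % 8)):  # bit 0 is the most significant bit
            usages.add(KEY_USAGE_NAMES[i])
    return usages

def required_usage(cipher_suite: str) -> str:
    """Map a TLS 1.2 RSA-certificate cipher suite to the key usage it needs."""
    if cipher_suite.startswith("TLS_ECDHE_RSA_WITH_"):
        return "digitalSignature"   # server signs the ECDHE parameters
    if cipher_suite.startswith("TLS_RSA_WITH_"):
        return "keyEncipherment"    # client encrypts the premaster secret to the key
    raise ValueError("suite not covered by this example: " + cipher_suite)

def check_server_cert(cipher_suite: str, key_usage_der) -> str:
    """Return 'OK' or the Chrome error name for an RSA leaf certificate."""
    if key_usage_der is None:       # extension absent: RFC 5280 places no restriction
        return "OK"
    if required_usage(cipher_suite) in parse_key_usage(key_usage_der):
        return "OK"
    return "ERR_SSL_KEY_USAGE_INCOMPATIBLE"

# Constructed sample extension values (not taken from any real certificate).
KU_BOTH = bytes.fromhex("030205a0")      # digitalSignature + keyEncipherment
KU_ENCIPHER = bytes.fromhex("03020520")  # keyEncipherment only
KU_SIGN = bytes.fromhex("03020780")      # digitalSignature only

if __name__ == "__main__":
    suites = ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_128_GCM_SHA256")
    for name, ku in [("both", KU_BOTH), ("encipher-only", KU_ENCIPHER), ("sign-only", KU_SIGN)]:
        for suite in suites:
            print(name, suite, check_server_cert(suite, ku))
```

A certificate carrying only keyEncipherment fails as soon as the server negotiates an ECDHE_RSA suite, which is the misconfiguration most likely to surface when this check is enforced.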

Supported On:
Platform                        Start  End
Android                         116    123
Fuchsia                         116    123
Chrome (Windows, Mac, Linux)    116    123
ChromeOS                        116    123

Example value:

true

Features: