ERR_SSL_KEY_USAGE_INCOMPATIBLE error when running POS url in Chrome and Edge on my cloud-hosted RDP

[RethaLam]

It is now quite some time that I was not able to run POS anymore in Chrome on my Dev box which is a cloud-hosted development environment due to the newer version of Chrome not being compatible with how the self-service certificate is created in IIS manager.
We use on the cloud-hosted environments IIS-Hosted CSU. So we used the setup as given in this github document: https://github.com/zhangguanghuib/NewCommerceSDK/blob/main/Readme_Docs/IIS-Hosted-CSU.md

We are using CommerceSDK with this type of self-service certificate since last year August. Then first Chrome suddenly couldn't work with it. and up to last Friday Edge was totally fine with it. Yesterday when I want to run POS on my Dev box to test a piece of custom, it suddenly gave me the incompatible type error as well.
I did some research and apparently if one creates the certificate using PowerShell then both Chrome and Edge is fin with the certificate:

New-SelfSignedCertificate -FriendlyName ANY_CERT_NAME -DnsName YOUR_SERVER_PC_NAME -KeyUsage DigitalSignature

However the problem is that "CommerceStoreScaleUnitSetup.exe install" is not happy with a certificate created via Powershell. First of all Powershell doesn't put the certificate under the trusted root, but I got passed that error by exporting the certificate from under Personal and importing it under trusted root. But then the install fails on another step:

---

StepFailedWithException [11/31] Step Microsoft.Dynamics.Commerce.Installers.Framework.Security.ValidateCertificateStep failed with System.Security.Cryptography.CryptographicException: Invalid provider type specified.

at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer)
at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle)
at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair()
at System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 dwKeySize, CspParameters parameters, Boolean useDefaultKeySize)
at System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey()
at Microsoft.Dynamics.Commerce.Installers.Framework.Security.ValidateCertificateStep.d__5.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at Microsoft.Dynamics.Commerce.Installers.Framework.InstallerFramework.d__12.MoveNext()
18:38:34 [Error] FailureException Invalid provider type specified.

System.Security.Cryptography.CryptographicException: Invalid provider type specified.

---

I assume I'm not the only one who ran into this issue with browsers being updated and then the self-certificate used by IIS-hosted CSU on Dev environments don't work anymore.

How should this certificate now be created for IIS-hosted CSU on Dev boxes? Any help is appreciated because I cannot test any POS custom I do.

[RethaLam]

After looking at a bunch of websites and trial and error I finally got the syntax to create the self-service certificate using PowerShell in such a way that it was accepted by the CommerceStoreScaleUnitSetup.exe install.

New-SelfSignedCertificate -FriendlyName COMPUTER NAME -DnsName COMPUTER NAME -Subject "CN=COPUTER NAME" -CertStoreLocation "cert:\LocalMachine\My" -TextExtension "2.5.29.37={text}1.3.6.1.5.5.7.3.1" -KeyExportPolicy Exportable -Provider "Microsoft Enhanced RSA and AES Cryptographic Provider"
I ran only in one error when I ran the scale unit setup which I didn't get using the self-service certificate generated by IIS Manager and it is the following:

---

00:05:36 [Error] ReachableEndpointErrorCode Telemetry endpoint 'https://dc.services.visualstudio.com/' is available by using the method OPTIONS but response HTTP status code is NotFound doesn't indicate success. Please check that the AppInsights Instrumentation Key parameters, found in the configuration file, are not empty. If you cannot figure out the root cause, this validation can be skipped by specifying --SkipTelemetryCheck flag in which case the deployed instance will not send Application Insights Telemetry to Microsoft so the troubleshooting experience would be limited.

---

I assumed the configuration file it was talking about was this one: C:\Program Files\Microsoft Dynamics 365\10.0\Commerce Scale Unit\Microsoft\RetailServer\bin\Microsoft.Dynamics.Retail.RetailServer.AspNetCore.dll.config

I looked in it and the ClientAppInsights key in the Instrumentation-node was not blank.

I have no idea why it generates this error, maybe somebody can shed some light on it. Anyways, I added the skip-flag and it installed correctly and I was able to open POS in Edge without any issues.