1

I migrated my SSL websites and certificates from Apache to Nginx, and from that moment all Windows XP clients do not recognize the SSL certificate (it is a wildcard certificate issued by Trustico).

The old configuration on previous Apache servers was this:

    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/*_mysite.com.crt
    SSLCertificateKeyFile /etc/apache2/ssl/*_mysite.com.key
    SSLCertificateChainFile /etc/apache2/ssl/*_mysite.com.ca-bundle

And the new configuration on Nginx servers is this:

    ssl on;
    ssl_certificate /etc/nginx/ssl/*_mysite.com.crt;
    ssl_certificate_key /etc/nginx/ssl/*_mysite.com.key;
    ssl_session_timeout 5m;
    ssl_protocols SSLv3 TLSv1;
    ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv3:+EXP;
    ssl_prefer_server_ciphers on;

Nginx does not support the SSLCertificateChainFile parameter, so I read that I need to append the *_mysite.com.ca-bundle file below the *_mysite.com.crt one.

After this, operating systems other than Windows XP are working well, but Windows XP is still recognizing a wrong certificate (it returns the "certificate error" message).

I cannot solve this problem, could you help me please?

Andrew Schulman
Mat

2 Answers

1

operating systems other than Windows XP are working well, but Windows XP is still recognizing a wrong certificate.

In this case your setup requires Server Name Indication (SNI) and somewhere you have configured another certificate for clients not able to do SNI, like MSIE8 on XP.

Steffen Ullrich
  • Thank you very much Steffen! The problem was that I wasn't seeing the second certificate on the same IP address! Bye! – Mat Jun 26 '15 at 20:18
0

The problem is that IE8 and older on Windows XP do not support SNI. If you need to support users on Win XP/IE 8, each site needs its own dedicated IP address and corresponding SSL certificate.

alp42
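
Both answers turn on which certificate nginx presents when a client sends no SNI. The Python sketch below is an added example, not code from any poster on this page: it reads an nginx configuration and lists the virtual hosts whose certificate differs from the one a non-SNI client receives on the same listen address. The host names, IP address and file paths are constructed, and the parser assumes flat server blocks with no comments or nested braces.

```python
import re
from collections import defaultdict

# Constructed sample: two HTTPS vhosts sharing one IP address and port.
SAMPLE_CONF = """
server {
    listen 203.0.113.10:443 ssl;
    server_name other.example;
    ssl_certificate /etc/nginx/ssl/other.example.crt;
}
server {
    listen 203.0.113.10:443 ssl;
    server_name www.mysite.example;
    ssl_certificate /etc/nginx/ssl/wildcard_mysite.example.crt;
}
"""

def parse_servers(conf):
    """Return one {directive: [args, ...]} dict per flat server block."""
    servers = []
    for body in re.findall(r"\bserver\s*\{([^{}]*)\}", conf):
        d = defaultdict(list)
        for parts in filter(None, (s.split() for s in body.split(";"))):
            d[parts[0]].append(parts[1:])
        servers.append(d)
    return servers

def non_sni_mismatches(conf):
    """List (listen, server_name, own_cert, cert_sent_without_sni) tuples."""
    by_listen = defaultdict(list)
    for s in parse_servers(conf):
        names = [n for args in s["server_name"] for n in args]
        for cert_args in s["ssl_certificate"][:1]:  # skip blocks without a certificate
            for args in s["listen"]:
                by_listen[args[0]].append((names, cert_args[0], "default_server" in args))
    findings = []
    for addr, blocks in by_listen.items():
        # nginx answers non-SNI clients with the default server for the socket:
        # the block flagged default_server, otherwise the first one defined.
        default = next((b for b in blocks if b[2]), blocks[0])
        for names, cert, _ in blocks:
            if cert != default[1]:
                findings += [(addr, n, cert, default[1]) for n in names]
    return findings

if __name__ == "__main__":
    for f in non_sni_mismatches(SAMPLE_CONF):
        print("%s %s: configured %s, non-SNI clients get %s" % f)
```

An empty result means every virtual host on a listen address shares the default certificate, so clients without SNI see the same certificate as everyone else.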