Why does my SSL certificate not appear valid in old versions of Internet Explorer?

SSL certificates could only be set up on a one-per-IP address basis in the past.

While this one-to-one relationship is simpler to implement, there are a finite number of IP addresses that can be used on the internet, and they are in ever-shorter supply.

As such, one IP address per SSL is a very wasteful use of a limited resource.

That's why SNI (Service Name Indication) was developed, allowing multiple SSLs to be served from the same IP address.

We are obliged by the people who regulate the underlying internet technologies not to "waste" IP addresses, and the way Windows XP, and some older browsers, work with SSL certificates is considered wasteful.

This is why they are slowly being moved and why Windows XP is slowing down the adoption of better security standards for the Internet.

Old browsers don't support the new way

SNI is supported in all modern browsers on modern operating systems, though some people that use older browsers may find that when they visit a site with an SSL certificate on a shared IP address, they are warned it is not valid.

This is not a problem with the certificate, but a case of old technology not being able to differentiate between certificates served through one IPaddress.

Internet Explorer version 7 on Windows Vista is the oldest version of Internet Explorer that supports SNI.

Any older versions of Internet Explorer won't recognise this SSL certificates on shared IP addresses. Similarly, Internet Explorer versions 7 and 8, when run on Windows XP or older, will not recognise SNI SSLs.

The fix

In an age where software updates are readily available and can automatically be delivered to computers, there is not much reason outside of novelty to be using an old, insecure operating system or browser.

As time goes on, browsers that don't support what is becoming an integral part of internet technologies will become much fewer and further between.

Even in cases where an old operating system is being used, up to date versions of Google Chrome, amongst other browsers, can be installed, which do support SNI, allowing sites, and their SSLs, to load correctly.

  • 0 Users Found This Useful
這篇文章有幫助嗎?

相關文章

How can I test for HTTPS in a Rewrite Rule?

In order to test if a connection is being made using SSL encryption you need to use the HTTPS...

How to Generate a Certificate Signing Request - CSR in cPanel?

For obtaining a certificate from a Trusted SSL Provider, the Certificate Signing Request(CSR) is...

I have bought a secure certificate (SSL) with you, how do I know it has been installed correctly?

You need to visit your domain using "https://" at the start including the "www." part of your...

What is the set up procedure for an EV SSL Certificate?

When you first purchase an Extended Validation certificate, you will be contacted by GlobalSign...

Why is my secure site not showing the padlock in the browser?

The main reason for this is the use of a http:// link to a graphic or script inside the site...