IE Certificate Error with Signed Certificate

So, you’ve got your shiny new certificate, and your good old server. You’ve installed the certificate and the chain or intermediate certificate, and all is nice and clean in Firefox, Chrome, Chromium, etc.

Then, your boss opens up his IE, and gets a Certificate Error – “not issued by trusted certificate authority” and/or “issued for a different website’s address”. Of course, that’s a major pain, as IE – however bad, buggy and crappy it is – still holds the majority of the browser market, as most computer users are incapable of installing a better browser.

If you’re sure that all works fine in Firefox and/or Chrome/Chromium, this might be an IE-specific bug (aka “feature”) that I’ve hit recently too.
If you have several self-signed certificates on your server (who needs a signed one for private/admin sections?), and a signed certificate, IE somehow (I’m not really sure how?!) catches the first certificate with respect to the order the VirtualHosts are defined in Apache.
If this happens to be your private site/domain with a self-signed certificate, you’ll get the above error while accessing the domain with the signed certificate.

To solve this, make sure the VirtualHost definition for the site/domain with the signed certificate is included before the sites/domains with self-signed certificates.

To illustrate – suppose you have an admin.domain.com subdomain that points to your private admin panel, with a self-signed certificate. Now, you buy a signed certificate for www.domain.com, and install it as per the issuer’s instructions.
If your admin.domain.com vhost definition appears ahead of the www.domain.com vhost, you’ll get “certificate error” in IE. If you move the admin.domain.com definition after the www.domain.com definition, the error will go away.

Yes, it’s just another WTF?! gift from MickeySoft™.

What happens in IE when you need to have 2+ signed certificates on a single server? No idea… Don’t even wanna know.

Update (2014/03/14) – after two years I realized that this “gotcha” is because of the SNI feature in Apache, which had been added just a bit before I hit this problem, and IE browsers on WinXP never caught up to support it. I’m so glad IE times are over! … or are they? … 😛
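As an added example (not code from the original post), the ordering rule and the SNI explanation above can be checked mechanically: for each listener, the first TLS vhost in the config is the one whose certificate a client without SNI receives. The sketch assumes a single config text with one ServerName per vhost (no Include or ServerAlias handling); the function names and certificate paths are hypothetical.

```python
import re

# Constructed sample: hostnames from the post, certificate paths are placeholders.
SAMPLE_CONF = """
<VirtualHost *:443>
    ServerName admin.domain.com
    SSLCertificateFile /path/to/selfsigned-admin.crt
</VirtualHost>
<VirtualHost *:443>
    ServerName www.domain.com
    SSLCertificateFile /path/to/signed-www.crt
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)

def directive(body, name):
    """First argument of a directive inside a vhost body, or None."""
    m = re.search(r"^\s*" + name + r"\s+(\S+)", body, re.M | re.I)
    return m.group(1) if m else None

def parse_vhosts(conf):
    """TLS vhosts in file order as (listener, server_name, cert_file)."""
    conf = re.sub(r"(?m)^\s*#.*$", "", conf)  # drop comment lines
    out = []
    for addrs, body in VHOST_RE.findall(conf):
        cert = directive(body, "SSLCertificateFile")
        for addr in addrs.split() if cert else []:
            out.append((addr, directive(body, "ServerName"), cert))
    return out

def non_sni_defaults(conf):
    """Per listener, the first TLS vhost defined: the certificate Apache
    presents when the client sends no SNI hostname."""
    defaults = {}
    for addr, name, cert in parse_vhosts(conf):
        defaults.setdefault(addr, (name, cert))
    return defaults

def check(conf, public_host):
    """Listeners that serve public_host but default to another vhost's cert."""
    vhosts = parse_vhosts(conf)
    return [(addr, name, cert)
            for addr, (name, cert) in non_sni_defaults(conf).items()
            if name != public_host
            and any(a == addr and n == public_host for a, n, _ in vhosts)]

if __name__ == "__main__":
    for addr, name, cert in check(SAMPLE_CONF, "www.domain.com"):
        print(f"{addr}: non-SNI clients get {cert} ({name}), not www.domain.com")
```

An empty result from `check` means the publicly signed host is already the first vhost on every listener it shares.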
