Where can I get an SSL certificate for a site that supports WinXP clients (not a SHA256 certificate)?

V

vadamlyuk2016-03-09 18:07:45

Digital certificates

vadamlyuk, 2016-03-09 18:07:45

Good afternoon,
I need a normal SSL certificate for a b2b site (it doesn't matter if it's paid or free).
Special requirement: the certificate must support WinXP clients (at least from SP3, but preferably up to SP3), since I have 25% of WinXP clients and I have no way to either refuse them or force them to upgrade the OS.
I don't have any requirements for encryption strength, since obtaining an SSL certificate is necessary for:
- supporting https in the amount that will be sufficient for Google/Yandex for higher ranking;
- support for HTTP/2 clients with modern operating systems/browsers (as far as I know, most browsers only support HTTP/2 with encryption).
As far as I know, there are two problems:
1) Clients on WindowsXP do not supportSNI - I solved this issue, I have a unique IP address for the web server
2) Clients on WindowsXP do not support SHA256 certificates - this is the essence of the question: where to get a non-SHA256 certificate?
Vadim
UPD: As far as I understand, in this case we have an unsolvable problem: new Chrome will swear at SHA1 certificates, no browsers on WinXP will work with SHA-256 certificates :-(

Reply

Answer the question

In order to leave comments, you need to log in

2 answer(s)

C

CityCat4, 2016-03-09
@CityCat4

They answered themselves :-) Support for modern browsers and WinXP at the same time is impossible. For the sake of you alone, no CA will change its settings :-) Only deploy a self-signed or own CA. True, all clients will have to put its root certificate. And then chrome will anonymize about the insecure certificate.

Z

Ziptar, 2016-03-10
@Ziptar

If customers really want winXP - let them install SP3, no options.
Prior to SP3, there was no support for SHA2.
However, you can try to look for a KB that can target this problem without installing the entire SP, but this is doubtful...