How can an SSL certificate work for some clients only?

Solution 1:

The certificate chain of your certificate is incomplete. Most likely your provider failed to install some intermediate certificate when installing the new certificate.

Most of the time such intermediate certificates are provided by the SSL authority to support some older browsers and operating systems. That's the reason that, while it works for you, it doesn't work for some of your clients.

A really great utility to check for SSL issues with your website is the SSL Server Test by SSLlabs. As you can see in the link above, not only do you have a chain issue here, but the signature algorithm used to create your cert is also a weak one, your webserver is still vulnerable to the POODLE attack, and it still supports RC4, which is also considered insecure ...

I don't want to say anything against your webserver provider, but in your position I would mail them to fix all these issues ASAP, or change to another provider ...

Solution 2:

In order for a certificate to be trusted, it must be signed by an entity that is itself trusted by your browser/OS combination, or that has in its own turn been signed by such an entity. This is usually done by one trusted root CA which signs an intermediate CA, and the intermediate CA signs your certificate. This creates a chain, like this:

  1. Root CA which is trusted by your computer, and signs
  2. Intermediate CA, which signs
  3. Your certificate, which is only trusted due to the chain leading back to the root CA.

The problem here is with the intermediate CA certificate. In order to make sure that everyone can validate the chain all the way back to the root CA, your provider should include the intermediate certificate in its server config. In this case, they haven't.

The reason why it works for some users is that they have the intermediate certificate in their own "trust store". In those cases, they will accept your certificate because they already trust the intermediate. But in the case where your visitors have a different OS/browser, they don't have the intermediate certificate, so they would need to get it from your webserver - and your webserver doesn't hand it out, so they have no way of verifying it.
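The situation both answers describe, reproduced offline as an added example (this is not code from either answer): a throwaway root, intermediate and server certificate are generated with the openssl CLI, and three `openssl verify` calls play three clients. The names (Test Root, Test Intermediate, www.example.com) and the one-day validity are made up for the demonstration; the only requirement is an `openssl` binary on the PATH.

```shell
#!/bin/sh
# Added example, not from the original answers. Builds a root -> intermediate
# -> leaf chain and shows why a server that omits the intermediate is trusted
# by some clients only. All names below are constructed for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension files: the two CAs may sign certificates, the leaf may not.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nsubjectAltName=DNS:www.example.com\n' > leaf.ext

# 1. Root CA, self-signed. This is what lives in a client's trust store.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Root" \
    -keyout root.key -out root.csr 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 1 \
    -extfile ca.ext -out root.pem 2>/dev/null

# 2. Intermediate CA, signed by the root.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate" \
    -keyout inter.key -out inter.csr 2>/dev/null
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 1 -extfile ca.ext -out inter.pem 2>/dev/null

# 3. Server certificate, signed by the intermediate (not by the root).
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.com" \
    -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
    -days 1 -extfile leaf.ext -out leaf.pem 2>/dev/null

# Each function plays one client. Exit status 0 means "certificate accepted".

# Client trusts only the root; the server sent only the leaf.
# This is the misconfiguration from the question: no path back to the root.
client_root_only_leaf_only() {
    openssl verify -CAfile root.pem leaf.pem >/dev/null 2>&1
}

# Client trusts only the root; the server sent leaf plus intermediate
# (-untrusted is how openssl models certificates supplied by the peer).
# This is the fix: the intermediate must be in the server config.
client_root_only_full_chain() {
    openssl verify -CAfile root.pem -untrusted inter.pem leaf.pem >/dev/null 2>&1
}

# Client already has the intermediate in its own trust store; the server
# sent only the leaf. This is why the site "works for some clients".
client_has_intermediate_leaf_only() {
    cat root.pem inter.pem > store.pem
    openssl verify -CAfile store.pem leaf.pem >/dev/null 2>&1
}

report() {
    if "$1"; then echo "$1: accepted"; else echo "$1: rejected"; fi
}

report client_root_only_leaf_only
report client_root_only_full_chain
report client_has_intermediate_leaf_only
```

The first client rejects the certificate, the other two accept it. Against a live server the equivalent check is `openssl s_client -connect host:443 -showcerts`, which lists every certificate the server actually sends; if only one appears, the intermediate is missing from the server configuration.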