diff --git a/component/ca/config.go b/component/ca/config.go
index d56809a1..9d002db6 100644
--- a/component/ca/config.go
+++ b/component/ca/config.go
@@ -67,9 +67,6 @@ func ResetCertificate() {
 }
 
 func getCertPool() *x509.CertPool {
- if len(trustCerts) == 0 {
- return nil
- }
 if globalCertPool == nil {
 mutex.Lock()
 defer mutex.Unlock()
diff --git a/component/ca/fix_windows.go b/component/ca/fix_windows.go
new file mode 100644
index 00000000..00c894d8
--- /dev/null
+++ b/component/ca/fix_windows.go
@@ -0,0 +1,15 @@
+package ca
+
+import (
+ "golang.org/x/sys/windows"
+)
+
+func init() {
+ majorVersion, _, _ := windows.RtlGetNtVersionNumbers()
+ // crypto/x509: certificate validation in Windows fails to validate IP in SAN
+ // https://github.com/golang/go/issues/37176
+ // As far as I can tell this is still the case on most older versions of Windows (but seems to be fixed in 10)
+ if majorVersion < 10 && len(_CaCertificates) > 0 {
+ DisableSystemCa = true
+ }
+}
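Review bot: In `getCertPool` (component/ca/config.go) the `globalCertPool == nil` test runs before `mutex.Lock()`, so it reads the shared pool pointer without synchronization. With the `len(trustCerts) == 0` early return removed, every caller now reaches that read, including calls that may overlap with `ResetCertificate`. The rest of the function lies outside the hunk, so whether the value is re-checked after locking cannot be confirmed from here; the variable is presumably assigned inside the locked section. Taking the lock first closes the gap: `mutex.Lock()`, `defer mutex.Unlock()`, then `if globalCertPool == nil {`.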
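Review bot: In component/ca/fix_windows.go, `DisableSystemCa = true` is set inside `init()` with no log line or other trace, so on Windows releases before 10 the trust anchors change silently. Roots an administrator installed in the Windows store are no longer consulted, and the embedded bundle becomes the only source of trust, cut off from OS-side root additions and removals. Whether later configuration loading can overwrite the flag is not visible in this hunk; if it can, the workaround depends on initialization order. The discarded minor and build numbers are fine for a `< 10` test, but the comment "As far as I can tell" leaves the affected range vague. I would state the consequence instead, e.g. `// Windows < 10: the system verifier rejects IP SANs (golang/go#37176), so only the embedded CA bundle is trusted; system-store roots are ignored.`, and emit a startup log entry when the branch is taken.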