Windows XP does not support SNI. With SNI, a TLS client such as a web browser sends the hostname as part of the TLS handshake. Without SNI, the server does not receive such a hostname, and thus does not know which certificate to use for the connection, so it falls back to your default certificate (often the first one the web server encounters when parsing its configuration). This would result in a common name mismatch on at least one of your two domains.
If you’d like to make both domains compatible with XP, you’ll either need a dedicated IP per certificate, or get a SAN certificate that covers both dev.crystalidea.com and forums.crystalidea.com. With certbot, that works by just providing two -d arguments when requesting the certificate, i.e. -d dev.crystalidea.com -d forums.crystalidea.com.