Thanks for the responses.

Having each user install a certificate client-side is not feasible for us, nor should it be necessary, correct?

I upgraded my Java plug-in to 1.7 (was using 1.6) and that did not help. Based on Brian's comment, that should not have mattered anyway - we're all using at least Java 1.5.

I followed the link in Brian's last paragraph, and used openssl to verify our certificates. I ran this command (after downloading the AddTrustExternalCARoot.crt file):

openssl s_client -connect blis.urmc.rochester.edu:443 -CAfile AddTrustExternalCARoot.crt

Output of that command is attached. From what I could tell, it looks like our server is configured properly - but I have to admit, I don't know how to interpret most of the output from openssl. Since we've not seen any issues or pop-ups or warnings from our browsers - just from the applet - I'm not surprised openssl seemed to think the cert chain was okay, since the browsers seem to think so as well.

Is there something else we can do to help diagnose this problem? Are we sure the applet is doing the write thing to deal with the cert chain? I notice the stack trace has httpclient classes in it - could the problem be there?

Thanks.

Andy