The problem:

I'm working on a legacy project (with unreliable documentation) featuring some signed applets, compiled with a specific JDK (1.6.0_45) that's been handed down from dev to dev along with the project.

Recently, I've had to make a minor modification to those applets, and while the newly compiled and signed versions work like a charm on our company's computers, they refuse to load on the users' machines, which have stricter security rules.

The error message we're getting is the following:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

It's worth noting that, on another server, an unmodified version of those applets runs perfectly fine, so the error is definitely on my side, not on the users'.

What could be the security rules that are blocking those applets on the users' machine? What can I do to give those applets proper clearance?

Additional info

The server that hosts the project runs an Apache and a Tomcat instance, Tomcat serving most of the website, but Apache being apparently required to serve the applets.

I've checked the Tomcat's TrustKeystore, which appears up to date with the user's private certificates. I don't know where I can perform a similar check on the Apache side of the server. I also don't know where the users' specific security rules are defined. I checked their Java "security" folder, but everything in it is default.

Edit:

I've used the jarsigner utility to check the signatures on the jar, and while the ones I've updated, the ones that don't work, have valid current certificates, the ones I've left alone, that still function, have expired certificates. Would it be possible that the user is working with outdated certificates, getting an OK on the expired signatures of the old applets, but blocking on the up-to-date ones? How can I check that?

  • step 1: reconsider using applets. just because your company decides using versions of browsers that will fail any decent security test, doesn't mean you should, nor that your clients will. applets are no longer supported by modern browsers. – Stultuske Aug 26 '20 at 08:40
  • Getting completely rid of applets is definitely on the menu for the near future. But until that's done, we still need them to function. –  Aug 26 '20 at 08:55
  • that's the point. Unless you within your company are the only ones to use that application, you can't guarantee they work. – Stultuske Aug 26 '20 at 10:44

0 Answers