Neil,

> I'm confused. I didn't think I should have to distribute certificates, as
> that seems to kind of go against the whole idea.

Assuming that you have a valid certificate! It's their SysAdmins fault <g>.

The AddTrust External CA Root was added to the Microsoft Root CA program in
2009. Vista and above have automatic Root CA updates (but it can be
disabled by a SysAdmin) whereas the outdated NT 5.0 Family (2000, 2003, XP)
all need to update via a file ("rootupd.exe").

In other words, the Admins have disabled root certificate updates on these
specific machines. OUCH! You would be surprised on how few Windows Admins
tinker with how CA certificates are handled on end-user systems. But
without automatic CA updates the system has a very large security hole (no
Certificate Revoking List updates, etc.).

The "new" (2009+) Comodo certificates are no longer signed by "USERTrust
CA", but "COMODO Certification Authority", later renamed to "COMODO". So
the machines definitely need a CA update. That's how certificates work. In
fact, Windows is correct in this case. The certificate is invalid on these
machines to protect the users.

Friedrich