The certificate was expiring, so we updated the cert and now all users that used the service before are getting prompted for having a bad certificate. It appears to be a browser cache issue, as dumping browser cache makes them re-download the web app and the problem goes away. Opening Incognito or InPrivate has the same effect.
My question is, is there a way to tell the web client itself to dump its cache on its own when it runs into this cache problem? Or are we going to have to ask everyone using the service to dump their browser cache every time we replace the certificate?
I've tried fully uninstalling and unpublishing the web client package and reinstalling. This successfully loads the new cert, but clients retain the bad cache and have to use the workaround. It's too late to resolve this issue now, as users are already impacted and being instructed on the workaround. Asking for next time.