i once built a clojure web app and used a startssl free certificate. it worked fine after i imported it into the java keystore. i was using OpenJDK under linux. were you using Oracle's java?
Yes, it was Oracle's. The problem was on the Salesforce side (as a client). They couldn't verify the chain up to the CA because it is not included in the CA bundle. Adding something on the server side doesn't help here.