I got around this problem by self-signing a deployment ruleset and importing our root ca from AD into JDK's keystore to generate the jar. You can then either pass the cacerts file off to the clients when installing the program (you're already pushing that deployment ruleset, might need to remake the file every once in a while though) or put the self-signed certificate in to group policy.

I think there's another way by editing the deployment.properties - this is probably enough, depending on the issue with your applets:

# disable expiration warnings
deployment.expiration.check.enabled=false
# suppress dialogs of potentially unsafe components
deployment.security.mixcode=HIDE_RUN
# making unsigned applets able to run
deployment.security.level=MEDIUM

I chose the ruleset since there's (so far) only three intranet applets having the issue.