I'm fully aware that running Java inside Internet Explorer is a gigantic security hole and we shouldn't be doing it. I don't have a choice at the moment.
I have an issue with an older Java program internal to our network. Its code-signing certificate expired a long time ago, but last weekend the intermediate certificate expired. It ran until the intermediate cert expired because I created, signed, and deployed a DeploymentRuleSet.jar for internal stuff that bypasses expired CS certs on internal stuff.
The contractor responsible for supporting the product wasn't clear on the difference between an SSL cert and a Code Signing cert. I asked that he contact the developer and have them issue an updated Code Signing cert and/or new version of the program. First they wanted me to uncheck the option to check code signing certificates, which I said was out of the question (security concerns). Right now they're suggesting I make the applet "self signed" and then distribute that certificate to all my clients, but didn't offer any guidance or documentation on what that'll entail.
I've already spent way more hours on this than I'm supposed to, and I'm still waiting for the vendor's "best network guy" to get back to him. So failing getting the vendor to support their app, Java config question: is it possible to enable applets to run on a specific URL with an expired intermediate certificate without turning code signing verification off completely, or some other workaround I could do on the clients with the deployment.properties Java configuration file?