
How can I set my https listeners to check certificate expiration?

0 votes
384 views
asked Dec 1, 2015 by brandon-w-8204 (33,270 points)
I need to set my source http listener to not trust expired certificates. Can I set QIE to do this? When I trust a new certificate, but the old expired certificate is presented, QIE trusts it and allows it to make the connection.

1 Answer

0 votes

By default the Oracle JRE uses its own 'SunX509' certificate validator. This validator does not validate the expiration of the certificate by default if the certificate is explicitly trusted. It checks that the certificate key presented matches the certificate in the trust store and, if it does match, it will always accept the certificate presented even if the presented certificate is expired.

The simplest fix for this is to switch to the PKIX certificate validator. This validator will always validate the expiration date of certificates presented to QIE. The validator can be enabled by adding the following Java option to QIE.

-Dssl.TrustManagerFactory.algorithm=PKIX

answered Dec 1, 2015 by ben-s-7515 (12,640 points)
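As an added example that is not part of the answer above and not QIE's own code: the following standalone Java program requests the trust manager by algorithm name ("PKIX" or "SunX509", the two validators named in the answer) instead of relying on the JVM-wide default, and wraps whatever trust manager the JRE returns so that every certificate in a presented chain must be within its validity period before the delegate is even consulted. The class name ExpiryEnforcingTrustManager and the buildContext helper are assumptions of this example; passing a null trust store to TrustManagerFactory.init means the JRE's default cacerts is used.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.Date;

/**
 * Added example (not QIE code): wraps the JRE's X509TrustManager so that an expired
 * or not-yet-valid certificate is rejected regardless of the delegate's own policy.
 */
public class ExpiryEnforcingTrustManager implements X509TrustManager {

    private final X509TrustManager delegate;

    ExpiryEnforcingTrustManager(X509TrustManager delegate) {
        this.delegate = delegate;
    }

    /** Rejects the chain if any certificate in it is outside its validity period right now. */
    private static void requireValidNow(X509Certificate[] chain) throws CertificateException {
        if (chain == null || chain.length == 0) {
            throw new CertificateException("empty certificate chain");
        }
        Date now = new Date();
        for (X509Certificate cert : chain) {
            try {
                cert.checkValidity(now);
            } catch (CertificateExpiredException | CertificateNotYetValidException e) {
                throw new CertificateException("rejecting " + cert.getSubjectX500Principal()
                        + " (notAfter=" + cert.getNotAfter() + "): " + e.getMessage(), e);
            }
        }
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        requireValidNow(chain);   // date check first, independent of how the delegate decides trust
        delegate.checkClientTrusted(chain, authType);
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        requireValidNow(chain);
        delegate.checkServerTrusted(chain, authType);
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return delegate.getAcceptedIssuers();
    }

    /**
     * Builds an SSLContext whose trust decisions come from the named validator
     * ("PKIX" or "SunX509"), with the expiry check layered on top of it.
     * A null trustStore selects the JRE's default cacerts.
     */
    public static SSLContext buildContext(String algorithm, KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(algorithm);
        tmf.init(trustStore);
        TrustManager[] managers = tmf.getTrustManagers();
        for (int i = 0; i < managers.length; i++) {
            if (managers[i] instanceof X509TrustManager) {
                managers[i] = new ExpiryEnforcingTrustManager((X509TrustManager) managers[i]);
            }
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, managers, null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Which validator this JVM picks when nothing asks for one explicitly; run this
        // before and after adding the option from the answer to confirm what is in effect.
        System.out.println("default TrustManagerFactory algorithm: "
                + TrustManagerFactory.getDefaultAlgorithm());

        // Ask for PKIX explicitly so the application does not depend on the JVM-wide
        // setting, then install the hardened context as the process default.
        SSLContext ctx = buildContext("PKIX", null);
        SSLContext.setDefault(ctx);
        System.out.println("installed " + ctx.getProtocol() + " context with PKIX plus expiry enforcement");
    }
}
```

Compile and run it with `javac ExpiryEnforcingTrustManager.java && java ExpiryEnforcingTrustManager`. The printed default algorithm is the quickest way to confirm which validator a given JVM and option set actually uses; the wrapper is a belt-and-braces measure so that an explicitly trusted but expired certificate is refused even on a JVM where the default stays SunX509.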
...