INetC should be using the SECURITY_FLAG_IGNORE_UNKNOWN_CA + SECURITY_FLAG_IGNORE_REVOCATION
flags on https URLs and there seems to be some kind of auth retry code in there so I'm not sure why it is not working.
There are other flags like SECURITY_FLAG_IGNORE_CERT_CN_INVALID
that it is not using, maybe you could request a new /nosecurity switch here...