My setup that works with JRE7u40 and JRE8 is this:
I have a self-signed cert for my certificate authority (CA). This cert must be trusted by the system (e.g. add it to Java Control Panel / Security / Certificates / Signer CA, but there may be other ways to make your CA trusted).
Then I have a code publisher certificate, signed by my CA. I use this cert to sign all my code (jars).
Furthermore, if you want all permissions for your code, I suggest these MANIFEST.MF attributes as QDH minimum (since JRE7u40, if I remember):
Permissions: all-permissions
Codebase: *
Trusted-Library: true
Trusted-Only: true
First time you run such application, you will still see the security warning because runtime is unable to ensure that code signer certificate was not revoked by its CA.
However, now you have the option to permanently accept this publisher (code signer certificate), and if you do, the code signer certificate will be added to trusted publishers (Java Control Panel / Security / Certificates / Trusted Certificates) and you won't see such warning again.
If you want to avoid this step, I guess you have to setup your CA infrastructure properly to support certificate revocation verification. I assume that includes some extra attributes in your CA certificate and availability of special certificate revocation service. For intranet deployment, you may skip that.