
I think there is a strong argument for simply not checking certificate expiry dates in embedded hardware.

Just keep using the expired certificate forever.

Sure - that means that if someone leaks the private key, everyone worldwide needs to do a firmware update to get security.

But that's probably less user harm than everyone worldwide needing to do a firmware update to replace an expired cert, and having a dead device otherwise.



1) You can't pass a PCI-DSS audit if you have expired certificates. 2) You can't always tell the CDN providers what to do with certs. 3) We've seen examples of new root certificates that mean devices don't know about things like Let's Encrypt.


At the very least the user should be able to override the failing certificate check. So much "security" cargo culting is intentionally planned failure.


99% of consumers don't understand what that means, and if we normalise the average consumer bypassing certificate checks, that's definitely a bad thing.



