
ESP32 TLS cert update


My company is going to use ESP32 in their devices. I have to write code that allows downloading ESP32 OTA updates from an HTTPS server. The TLS server's root certificate expires once a year. Here is my question: How can I safely download a new certificate from the server if it has expired? If the certificate expires, I lose remote control of the ESP and can't upload new files to it. For example, web browsers like Chrome or Firefox (as I understand) update their CA store, and users don't even notice it. Is it possible to achieve that functionality on the ESP32?

The only idea I have is to connect with a second website which is HTTP, not HTTPS, and download the new certificate. But I must use TLS all the time, so this solution is unacceptable. I'm new to web technology and appreciate any help and tips!


Solution

  • Are you sure the server uses a root certificate, not some intermediate one? The difference between a browser and an embedded device is that you can still update a browser with a simple offline installer no matter how out of date your current version is. With an embedded device the OTA server is the only lifeline - if the device can't talk to the server, it can't update. It becomes a zombie and can only be updated via cable, which is usually not feasible.

    If your embedded device's OTA relies on PKI with a 1-year root certificate, I'd say you're in a bad place. This requires that each and every device without exception updates its root certificate before the previous one is rotated; anyone left behind is a zombie. If you're sure you can update them all before the deadline, go ahead and do that. Pay attention to devices which don't have internet access for months (e.g. because they are sitting in a warehouse).

    This is my list of solutions in order of personal preference:

    1. Create an embedded PKI with a root certificate valid for 50 years. Secure all web assets with an intermediate certificate (signed by the root one) - those can be rotated whenever. Every device has the 50-year root certificate and can validate any intermediate certificate regardless of how often those get rotated. Note that you can still rotate the root certificate via OTA if needed, it just happens under more controlled circumstances.
    2. Otherwise create a parallel PKI with a root certificate valid for 50 years. Then use this to update the OTA certificate using whatever method is available to you (even sending via SMS is an option, as long as you can verify incoming stuff using your root cert). It's stupid, but you retain some backup lifeline over devices which missed their deadline.
    3. Drop security and just accept that devices that missed the rotation deadline get to update their certificate without any validation.

    You can replace 50 years with any number X if:

    I've struggled to find good reference material on X.509 certificates and chains (90% of Google matches are shallow sales articles). I can point you to an article Illustrated X.509 Certificate and the Wikipedia page.
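
Option 1 from the answer above, sketched with the `openssl` command line as an added example (not code from the answer). It builds a 50-year root, rotates the intermediate underneath it, and uses `openssl verify -attime` to play a device that comes back online 400 days later with only the root in its trust store. All certificate names, lifetimes other than the 50-year root, and file names are constructed for the illustration.

```bash
# Added example; every name here (Example Device Root, ota.example.com) is constructed.
set -eu
W=$(mktemp -d); trap 'rm -rf "$W"' EXIT
cat > "$W/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
commonName = Common Name
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[server]
basicConstraints = CA:FALSE
EOF
# issue NAME CN DAYS EXT_SECTION [ISSUER]  (self-signed when ISSUER is omitted)
issue() {
  openssl req -new -newkey rsa:2048 -nodes -config "$W/pki.cnf" -subj "/CN=$2" \
    -keyout "$W/$1.key" -out "$W/$1.csr" 2>/dev/null
  if [ -n "${5:-}" ]; then
    openssl x509 -req -in "$W/$1.csr" -CA "$W/$5.crt" -CAkey "$W/$5.key" \
      -CAcreateserial -days "$3" -extfile "$W/pki.cnf" -extensions "$4" \
      -out "$W/$1.crt" 2>/dev/null
  else
    openssl x509 -req -in "$W/$1.csr" -signkey "$W/$1.key" -days "$3" \
      -extfile "$W/pki.cnf" -extensions "$4" -out "$W/$1.crt" 2>/dev/null
  fi
}

# The device trusts only root.crt; the server sends its leaf plus the intermediate.
device_accepts() {  # LEAF INTERMEDIATE [UNIX_TIME] -> prints OK or REJECTED
  if openssl verify ${3:+-attime "$3"} -CAfile "$W/root.crt" \
       -untrusted "$W/$2.crt" "$W/$1.crt" >/dev/null 2>&1
  then echo OK; else echo REJECTED; fi
}

issue root  "Example Device Root"     18250 ca            # 50 years, baked into firmware
issue intA  "Example Intermediate A"  365   ca     root   # this year's intermediate
issue srvA  "ota.example.com"         90    server intA
issue intB  "Example Intermediate B"  1095  ca     root   # its replacement
issue srvB  "ota.example.com"         730   server intB
issue rogue "Unrelated Root"          365   ca            # not in the device's trust store
issue srvX  "ota.example.com"         90    server rogue

LATER=$(( $(date +%s) + 400 * 86400 ))   # a device that sat in a warehouse for 400 days
echo "today, chain A:      $(device_accepts srvA intA)"
echo "today, chain B:      $(device_accepts srvB intB)"
echo "day 400, chain A:    $(device_accepts srvA intA "$LATER")"
echo "day 400, chain B:    $(device_accepts srvB intB "$LATER")"
echo "unrelated root:      $(device_accepts srvX rogue)"
```

The firmware image only ever contains `root.crt`; the intermediate and server certificates live on the OTA server and are sent during the TLS handshake, which is why they can be replaced without touching the devices.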