Re: I'd like to know
Assuming that their production systems had current, non-expired certificates, then the copies of the old certificates on the monitoring system wouldn't have allowed the monitoring system to actually decrypt the data, and as was pointed out above, their system was configured to fail-open, instead of fail-closed.