Certificates are... hard
Sadly, the certificate mechanism almost guarantees failure. You have this hard check: one second before, it works fine with no notification; one second after, it is borked.
You can code around it by adding in warnings and grace periods, but you know as well as I do that they will get ignored.
One solution is what Google does: have several massive wildcard certs that expire at short intervals. This forces them to keep the certificate process active, as opposed to once every 3 years... However, creating that cert is easy if you are a certificate authority. Probably quite expensive if you have to pay for one.
We stood up a private certificate authority and forced everyone to use it in the development and test area. That did amazing things for getting developers to understand certificates. But I eventually had to make a "get out of jail free" cert that I based on the Google one. Explaining certs to the people hired as testers was sometimes rather difficult... However, it still has the benefit of everyone knowing how to install a cert and what things look like when you have a cert failure.
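
The warning-and-grace-period idea from the comment above, as an added example that is not part of the original comment: a check that grades a certificate by the fraction of its lifetime already used, so short-lived and multi-year certificates both get a proportional renewal window. The function names, the `renew_at`/`page_at` thresholds and the sample dates are assumptions made for illustration.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample: the output format of `openssl x509 -noout -dates`
# for a hypothetical 90-day certificate.
SAMPLE_DATES = """\
notBefore=Jan  1 00:00:00 2024 GMT
notAfter=Mar 31 00:00:00 2024 GMT
"""

def parse_dates(text):
    """Return (not_before, not_after) as aware UTC datetimes."""
    fields = dict(line.split("=", 1) for line in text.strip().splitlines())
    def to_utc(value):
        return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)
    return to_utc(fields["notBefore"]), to_utc(fields["notAfter"])

def expiry_status(not_before, not_after, now, renew_at=2 / 3, page_at=0.9):
    """Classify a certificate by the fraction of its lifetime already used.

    renew_at and page_at are assumed thresholds, not values from the comment.
    Fractions scale with the lifetime, so a 90-day and a 3-year certificate
    both get a warning window proportional to how often they are renewed.
    """
    if now < not_before:
        return "not-yet-valid"
    if now > not_after:          # validity includes the notAfter instant
        return "expired"
    used = (now - not_before) / (not_after - not_before)
    if used >= page_at:
        return "page"            # escalate: earlier warnings were ignored
    if used >= renew_at:
        return "renew"           # normal renewal window
    return "ok"

if __name__ == "__main__":
    nb, na = parse_dates(SAMPLE_DATES)
    for stamp in ("2024-02-01T00:00:00", "2024-03-05T00:00:00",
                  "2024-03-31T00:00:00", "2024-03-31T00:00:01"):
        now = datetime.fromisoformat(stamp).replace(tzinfo=timezone.utc)
        print(stamp, expiry_status(nb, na, now))
```

The last two timestamps are one second apart and straddle the hard cutoff: the status goes from still valid to expired with nothing in between, which is why the escalation has to fire well before `notAfter`.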