How to get notification from new CA server side?

I have a lot of microcontrollers deployed in the field.
These MCUs are using the current CA of my Render server.
Render.com will issue a new CA to my server automatically and I must refresh this CA on my MCUs somehow, because if the CA expires, my MCUs cannot connect to my Node.js server anymore.

Is there a notification system about the new CA for my server?
Can my Node.js server get the new CA before it is issued?
Can my server keep functioning with the old CA after it gets a new one, so my MCUs can still connect to it before they refresh their copy?
Is there any other way?
Can I supply my own CA instead of relying on Render.com?

Since this customer already contacted us internally, there are additional details that I will not be the one to disclose publicly. Instead I want to take the opportunity to point out general guidance related to this topic:

First, we are not discussing CAs (Certificate Authorities), we are discussing signed certificates. They’re called any one of many things: certificates, leaf certificates, host certificates, server certificates, etc. But a Certificate Authority is specifically a signing authority that signs certificates in response to a request.

Certificates for Custom Domains are valid for 90 days at a time, but can be renewed any time after 60 days, and frequently are renewed on that 60th day. If you have a certificate that is less than 10-15 days from expiration, something has gone wrong; please contact us privately for support if you are unable to determine the problem.

Certificates for your custom domain(s) as of this writing are either signed by Google Trust Services or Let’s Encrypt, and additionally, two Let’s Encrypt certificates are obtained that have different CAs, so 3 total CAs must be considered here. It is worth reviewing documentation if you’re reading this more than a few months after it was posted. This is explained in Custom Domains | Render Docs.

The answer to all of this customer’s questions was “no”:

  • The certificate process is handled externally to us, and depends on an external provider, thus we cannot make any guarantees about when it’s handled.
  • It is fully automated, we do not currently have a mechanism to “hold” a renewed certificate before installing it.
  • It is not possible to manually obtain and provide/manage your own custom domain certificates on Render. It is possible if your Custom Domain uses some other service in front of Render (a proxy, CDN, etc.) but this is an uncommon case, and requires additional setup and management on your part that Render will not provide support for. We (Render) leverage automatic certificate management, full stop.

Systems running a fully fledged OS don’t have this issue, as OSes, browsers, and SSL libraries all provide a “trusted roots” distribution within their software. Windows, Linux distributions, and macOS all have system roots, Google includes their own as part of the Chrome installation, etc. But a microcontroller typically has just enough software to do exactly what you want and nothing further. It is then the responsibility of the developer to obtain relevant CA root(s) and configure them in the trust store of the microcontroller as necessary, which will depend entirely on whatever library/code/etc. is used for TLS negotiation in order to accomplish the HTTPS connection. Render is not able to provide microcontroller development support.
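Since there is no renewal notification, a poller can watch the served certificate itself. The sketch below is an added example, not part of the thread and not Render code; it flags a rotated leaf, an issuing CA outside the set the firmware trusts, and a certificate inside the 15-day window the reply calls abnormal. `PINNED_ISSUER_ORGS`, the function names and the sample certificate are assumptions made for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

# Assumption: organisations of the issuing CAs whose roots the firmware ships.
PINNED_ISSUER_ORGS = {"Let's Encrypt", "Google Trust Services"}
OVERDUE_DAYS = 15  # the reply treats fewer than 10-15 days left as a fault


def fetch_leaf(host, port=443):
    """Return the validated leaf certificate in ssl.getpeercert() dict form."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


def issuer_org(cert):
    """Pull organizationName out of the nested issuer RDN tuples."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None


def assess(cert, now, last_serial=None):
    """Return the findings for one observation of the served certificate."""
    findings = []
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    if last_serial is not None and cert["serialNumber"] != last_serial:
        findings.append("rotated")  # a renewal was installed since the last poll
    if issuer_org(cert) not in PINNED_ISSUER_ORGS:
        findings.append("issuer-not-pinned")  # outside what the firmware was built for
    if (expires - now).days < OVERDUE_DAYS:
        findings.append("renewal-overdue")
    return findings


# Constructed sample in getpeercert() shape (not a real certificate).
SAMPLE = {
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Let's Encrypt"),),
               (("commonName", "R11"),)),
    "notBefore": "Jan  1 00:00:00 2025 GMT",
    "notAfter": "Apr  1 00:00:00 2025 GMT",
    "serialNumber": "0A1B2C",
}
```

In use, `assess(fetch_leaf("your.custom.domain"), datetime.now(timezone.utc), stored_serial)` would run on a schedule, with the host name and the stored serial supplied by the operator.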
