What is the best workflow for an IoT client to receive the new PEM certificate when the old one expires?
Solution 1:
As hardillb already pointed out, the device should use a CA cert to verify the server's cert. If you're on a custom PKI then the expiration of the CA cert is up to you to choose - perhaps it could stay valid for the entire projected lifetime of your devices. In such case there are no updates needed on the device side, and you can rotate the actual server certificate whenever you want (as long as it's signed by the CA).
Or, if you want to build a ghetto solution, just set the server's custom certificate to be valid for 100 years and never change it :)
If you really need to update your CA cert in devices, it's possible but not always practical (hence the suggestions for avoiding updates).
If you hardcode the cert into the firmware image, just make sure to update each and every one of them before the cert expires. If there are not many devices and you have physical access to them, perhaps you can just re-flash them. Otherwise you need to build an OTA update solution and ensure each device has completed a firmware upgrade before the cert expires. Advice on how to build OTA solutions is a rather long discussion itself, so I won't go into details. Espressif has a reasonably good client-side HTTPS OTA library. While the device side is not really complicated there's still a fair bit of work involved, especially if you want to monitor and control this process from some central location. You probably need to design and implement it yourself.
Or alternatively you could store the certificate in the device's Flash (perhaps in a NVS partition or a file system) in which case it could be updated separately from the firmware image. The update process would probably involve detecting a cert near expiry and downloading a new one - perhaps from the MQTT server itself. But it's all yours to write :)