Confusion on Greengrass Certificate Rotation

0

I have a question around certificate rotation. As you know, the MQTT server in GG uses a server certificate signed by a group CA certificate. In the GG documentation it is mentioned that the certificate is rotated per the setting in Greengrass (7 to 30 days). But it is not clear if it is the server certificate or the group CA itself. I found some previous posts that seem to indicate that both the group CA and the server cert are rotated.

However, in my testing that doesn't seem to be the case. On creation, the group CA certificate seems to show an expiry date until the end of the century (2100). The expiry date on the server certificate seemed to match the duration specified in the setting, so my guess is that the setting is for the server certificate and the group CA remains the same unless manually changed. However, when you change the slider to adjust the expiration time, the server certificate on the GG core doesn't seem to get updated. Can someone clarify the rotation process: which certificate is supposed to rotate, and when?

Here is the ultimate issue I am trying to solve for. I have a non-Greengrass-aware device that connects to the Greengrass core using manually configured information (since it doesn't support discovery). I am trying to determine at what interval (or on what event) it is necessary to update the CA certificate on the client so it can continue to connect to the Greengrass core MQTT broker.

AWS
Asked 3 years ago, 614 views
1 answer
1
Accepted answer

You should not need to run discovery every time the MQTT server certificate is rotated. When you do discovery, you obtain the GG root CA, which, as you mention, expires in 2099. This certificate is not automatically rotated, but rotation can be forced using the Rotate CA button in the console or by using CreateGroupCertificateAuthority: https://docs.aws.amazon.com/greengrass/latest/apireference/creategroupcertificateauthority-post.html

So, if you used the console option to Rotate the CA, you actually did generate a new CA and a new server cert which eventually required your devices to do a new discovery.

There is currently no way to force the rotation of the MQTT server certificate independently from the group CA - in order to do a test you will need to wait 7 days.

=== EDIT ===

You can also change the connectivity information for your GG group to force a server certificate rotation, as this information is part of the certificate.

AWS
Expert
Answered 3 years ago
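As an added example (not code from the original question or answer), a device-side probe that turns the answer above into a check: it connects to the core's MQTT port with the pinned group CA, verifies the server certificate chain, and reports how long the server certificate has left. A chain failure means the group CA was rotated and the device needs a new CA copy; a short remaining lifetime only means the server cert is about to roll over under the same CA. The core host, port and CA file path are assumptions.

```python
import socket
import ssl
import time

# Assumed values: the core's configured endpoint and the locally pinned
# group CA file (not from the original post).
GG_CORE_HOST = "greengrass-core.local"
GG_CORE_PORT = 8883
GROUP_CA_PATH = "group-ca.pem"


def days_until_expiry(not_after, now=None):
    """Days left on a cert, given the 'notAfter' string from getpeercert()."""
    expiry = ssl.cert_time_to_seconds(not_after)
    now = time.time() if now is None else now
    return (expiry - now) / 86400.0


def classify(chain_ok, days_left, warn_days=2.0):
    """Map a probe result to the action the device operator should take."""
    if not chain_ok:
        # The pinned group CA no longer signs the server cert: the CA was
        # rotated (console Rotate CA / CreateGroupCertificateAuthority),
        # so the device needs the new CA, i.e. a fresh discovery.
        return "update-group-ca"
    if days_left < warn_days:
        # Server cert rotation under the same CA; nothing to change on
        # the client, the next cert is still signed by the pinned CA.
        return "server-cert-rotating-soon"
    return "ok"


def probe_broker(host=GG_CORE_HOST, port=GG_CORE_PORT, ca_path=GROUP_CA_PATH):
    """Handshake with the core using only the pinned group CA as trust root.

    Returns (chain_ok, days_left). Hostname checking stays on: the group's
    connectivity information is part of the server certificate.
    """
    ctx = ssl.create_default_context(cafile=ca_path)
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                not_after = tls.getpeercert()["notAfter"]
        return True, days_until_expiry(not_after)
    except ssl.SSLCertVerificationError:
        return False, 0.0


if __name__ == "__main__":
    ok, days = probe_broker()
    print(classify(ok, days), f"({days:.1f} days left on server cert)")
```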
