Rather pointless to compare the SSL certificate to a hash ofcourse. Why not just compare it to a copy of the certificate. No need to obfuscate and allow user to be fooled with changed hash.
Since only the keypair is cached, certificates are generated on each startup. This means they never expire (unless you run your application without any interruptions for a whole year).
But yeah, if they're leaked you just gotta re-send them to the clients. This isn't meant for large professional projects, only for stuff where the convenience outweights the pros of using a proper certificate.
One of the main reasons for the library is no need for cert authority. Why not just create a regular cert Authority certificate and put the trusted authority cert on the clients. That makes it so you almost never have to change the clients certs. Also, it's supported by standard TLS libraries and clients.