If you're just making HTTPS requests to your own servers, you can simply include the root certificate of the CA you're using, pass it to the config when calling `esp_http_client_init` (https://docs.espressif.com/projects/esp-idf/en/latest/esp32c...) and then you probably don't have to worry about it for a long time, it will work through your regular certificate rotation.
See https://docs.espressif.com/projects/esp-idf/en/latest/esp32c...
If you need to make requests to other people's servers, there is a tool to generate and include a bundle from Mozilla, that you can update in the future as part of an OTA update (https://docs.espressif.com/projects/esp-idf/en/latest/esp32c...).