Proxy has a list of CA certificates in its store.
The CA certificates that will or going to expire need to be updated.
This article explains how we manage those certificates.
We do not add certificates because they expired. We only add new certificates or replacement certificates that are added to the Microsoft Trust Program for which we follow. We rely on Microsoft due to the resources assigned to their program and their activity and deployment depth/breadth. Here is the Microsoft Trust Program if you want more details on this - https://learn.microsoft.com/en-us/security/trusted-root/release-notes.