That implies though I don’t want valid certificates in my environment. I still want to make sure even on my private network I’m using valid certs. A lot of security departments require that too even if the device isn’t public facing.
Tell that to all the embedded device manufacturers… switches, appliances, nas, etc.
There’s a whole load of things that will have a massive administrative burden if the frequency is dropped.
There are a lot of embedded systems that do not offer API support to swap out certificates. Things like switches, dvr, nas devices, etc.
Regardless of “hard evidence” it’s still the company policy. How well does it go over if you try to say “well acktuslly…” when it comes to password changes.