certificate manager should check expiration of CAs it loads into the trust manager.
currently, libclient checks for duplicates before it adds the shipped certificates into the trustStore. It does not check for expiration date. Evaluate whether it should. (Would our shipped set be more up-to-date than the java runtime?