Beginning with macOS Sierra 10.12.4, administrators can use a Terminal command to enable automatic renewal of certain certificates delivered as part of a device profile.
Source: Automatically renew certificates delivered via a configuration profile – Apple Support