2 years ago

#16581

Nairou

Renew an expiring server TLS cert when the client has the server cert embedded?

(This is for a new project, so I'm still considering options.)

I've got a server and client (phone app) communicating via gRPC, and now I'm looking into securing that connection. A common recommendation I see is to just use a self-signed server key, and embed the server's certificate directly within the client. This lets the app trust the server without requiring a cert download or third party CAs.

However, my understanding is that these certificates are only good for a year (per the openssl command to generate them). Wouldn't there be a problem in trying to renew the cert, when the old version is directly embedded in the client? I don't see how you could prepare the client for the new cert either, as both server and client would have to use the same cert for every request, right?

Given how often I see this method suggested, how do you get around the expiration problem?

ssl-certificate

ca

0 Answers
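The post has no answers, so the following is an added example by the editor, not code from the question's author. It models the scenario the question describes with Go's standard `crypto/tls` and `crypto/x509` (the gRPC layer is left out; a `*tls.Config` built this way is what you would hand to `credentials.NewTLS` in grpc-go). It mints two self-signed server certificates, "current" and "next", standing in for the output of the `openssl` command the question mentions, and checks which client trust stores accept which server certificate over an in-memory `net.Pipe`. The hostname `api.example.test` and the one-year validity are assumptions for the example. The last case is the failure mode the question worries about: a client that shipped with only the old certificate stops connecting once the server switches, which is why the successor must be embedded in the app before the server actually rolls over.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

const serverName = "api.example.test" // assumed hostname for this example

// newSelfSigned mints a self-signed server certificate (no CA involved), the
// in-code equivalent of the openssl command the question refers to.
func newSelfSigned(notBefore time.Time, validFor time.Duration) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: serverName},
		DNSNames:     []string{serverName},
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(validFor),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// clientConfig is what the app ships: a trust store holding only the embedded
// certificates, no system roots. Embedding the successor alongside the current
// certificate is what lets the server roll over without breaking installed apps.
func clientConfig(embedded ...tls.Certificate) *tls.Config {
	pool := x509.NewCertPool()
	for _, c := range embedded {
		pool.AddCert(c.Leaf)
	}
	return &tls.Config{RootCAs: pool, ServerName: serverName, MinVersion: tls.VersionTLS12}
}

// accepted runs one TLS handshake over an in-memory pipe (no sockets) with the
// server presenting serverCert, and reports whether the client trusted it.
func accepted(serverCert tls.Certificate, client *tls.Config) (bool, error) {
	cConn, sConn := net.Pipe()
	defer cConn.Close()
	defer sConn.Close()
	go func() {
		// An error here only means the client refused our certificate.
		_ = tls.Server(sConn, &tls.Config{Certificates: []tls.Certificate{serverCert}}).Handshake()
	}()
	err := tls.Client(cConn, client).Handshake()
	if err != nil {
		var unknown x509.UnknownAuthorityError
		if errors.As(err, &unknown) {
			return false, nil // served cert is not among the embedded ones
		}
		return false, err
	}
	return true, nil
}

// rotationOutcomes models the rollover: "old app" shipped only the current
// cert, "updated app" ships both; the server serves either cert.
func rotationOutcomes() (map[string]bool, error) {
	start := time.Now().Add(-time.Hour) // small backdate to tolerate clock skew
	current, err := newSelfSigned(start, 365*24*time.Hour)
	if err != nil {
		return nil, err
	}
	next, err := newSelfSigned(start, 365*24*time.Hour)
	if err != nil {
		return nil, err
	}
	cases := map[string]struct {
		server tls.Certificate
		client *tls.Config
	}{
		"old app, current cert":     {current, clientConfig(current)},
		"updated app, current cert": {current, clientConfig(current, next)},
		"updated app, next cert":    {next, clientConfig(current, next)},
		"old app, next cert":        {next, clientConfig(current)}, // the breakage
	}
	out := map[string]bool{}
	for name, tc := range cases {
		ok, err := accepted(tc.server, tc.client)
		if err != nil {
			return nil, err
		}
		out[name] = ok
	}
	return out, nil
}

func main() {
	out, err := rotationOutcomes()
	if err != nil {
		panic(err)
	}
	for name, ok := range out {
		fmt.Printf("%-26s accepted=%v\n", name, ok)
	}
}
```

Run it with `go run .`; three of the four handshakes succeed and "old app, next cert" is refused. The practical consequence is an ordering rule rather than a cryptographic trick: generate the next certificate, ship an app update that embeds both, wait until the installed base has updated, and only then switch the server and drop the old certificate from the next app release.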
