Adding new trusted certificate authority (CA) to TCP TLS configuration: best practices?

Hello all you helpful forum-goers,

 

I am working with SSL certificates for the first time.  My LabVIEW application executable needs to securely transfer files from the customer to our company server.  I have programmed it to do so by adding a TLS session onto an FTP session (see the snippet code below).

 

The problem I'm having is that the built-in trusted certificate authorities (CAs) apparently do not include the one used by our IT department to purchase a certificate for our company server (NetworkSolutions.com). When I create a new TLS configuration and start it on the existing TCP connection to our company server, the Start TLS VI returns error -715050: Remote Host Identification Failed; Certificate Validation Failed.

 

My research indicates that LabVIEW uses the CAs in "C:\Program Files (x86)\National Instruments\Shared\nicurl\ca-bundle.crt" (unknown if that file is ever updated after LabVIEW installation, but my LabVIEW 2021 installation happened this year).  In addition, the "New TLS Configuration" VI includes an optional "load OS trusted CAs?" input that is True by default.  I would expect that to load any CAs that Windows trusts, but I'm not positive.

 

Additional research showed that it is possible to explicitly add a trusted certificate, and our IT department was able to give me 3 certificates they got from NetworkSolutions.com.  One of them is our server's certificate, and I'm guessing one of the others is the Root Certificate (with the third being an intermediate root?).  By using the Add Trusted Certificate to TLS Configuration VI, I was able to resolve the TLS Start error.  So far so good.

 

However, I'm not sure what to do now.

 

  1. If I hard-code the certificate into my application, everything will work great... until that Root Certificate expires, which to my understanding happens periodically (once per year or so?), at which point it would stop connecting to our server.  For better or worse, our customers do not generally need to keep our application updated to the latest version, so I can't rely on new versions getting distributed even if we were ok with required periodic code updates for this issue.
  2. If I include the file separate from the code, which makes it a lot easier to distribute updated versions of just that file when necessary, I'm concerned that it opens up a security issue, in that a malicious actor could substitute their own version of the file and thereby trick our app into trusting the wrong server.  Is that a valid concern, or am I misunderstanding how these types of certificates work (as I said, I'm new to this)?

Does anyone have any suggestions for how to make this work?  Either somehow remove the requirement to add our own trusted CA, or best practice for distributing it with our application?

 

Thank you in advance for your time and assistance!

 

Start TLS with Added Certificate.png

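The substitution concern in option 2, as an added example that is not part of the original post and is not NI or LabVIEW code: a Python check that accepts a separately shipped PEM file only if every certificate in it matches a SHA-256 digest compiled into the application. The function names and the sample byte strings (constructed stand-ins for DER certificates) are assumptions made for illustration.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def to_pem(der):
    """Wrap DER bytes in a PEM certificate envelope (64-character lines)."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def fingerprints(pem_text):
    """Return the SHA-256 hex digest of each certificate's DER bytes, in file order."""
    out = []
    for body in PEM_RE.findall(pem_text):
        # Strip line breaks (LF or CRLF) before decoding the base64 body.
        der = base64.b64decode("".join(body.split()), validate=True)
        out.append(hashlib.sha256(der).hexdigest())
    return out

def check_ca_file(pem_text, pinned):
    """Accept the file only if it holds at least one cert and all are pinned."""
    found = fingerprints(pem_text)
    return bool(found) and all(fp in pinned for fp in found)

# Constructed stand-ins for DER certificates (not real X.509 data).
CURRENT_CA = b"constructed-der-bytes: current root CA"
NEXT_CA = b"constructed-der-bytes: replacement root CA"
ROGUE_CA = b"constructed-der-bytes: substituted CA"

# Digests that would be compiled into the application (hypothetical allow-list).
PINNED = {hashlib.sha256(c).hexdigest() for c in (CURRENT_CA, NEXT_CA)}

shipped = to_pem(CURRENT_CA)                      # file as distributed
rotated = to_pem(NEXT_CA).replace("\n", "\r\n")   # updated file, Windows line endings
swapped = to_pem(ROGUE_CA)                        # file replaced on disk
appended = shipped + swapped                      # extra CA added to a valid file

if __name__ == "__main__":
    for name, text in [("shipped", shipped), ("rotated", rotated),
                       ("swapped", swapped), ("appended", appended)]:
        print(name, "accepted" if check_ca_file(text, PINNED) else "rejected")
```

Because the digests are compiled into the application, this accepts only certificates known at build time; the `NEXT_CA` entry shows a replacement pinned ahead of a rotation.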