Import CA for all checks, or import "valid" certificate by check
For some reason, we have certificats only valide by our internal CA Root (not validate by a CA Authority) for disable warn/fail but keep expiration feature we need one of those feature:
- import cert by service
- import ca root by account
- an interface validation to valide the actual certificate.

One important thing to note here is that having an invalid certificate does NOT prevent the expiration notifications. This is independent so you can keep an "invalid" certificate forever (updown will not notify you again about this) and still benefit from expiration warnings. This way we already kind of "tolerate" this use-case of running a non-publicly trusted certificate.
About the suggested changes, I would like to avoid the custom cert/CA UI because that's a lot of added complexity for a very small use-case among my clients. It'll generate more support also as people will wonder what this do, try to upload other certificates, it'll be annoying for self-signed certificates, etc... The UI to manually "acknowledge" that one cert should be considered valid though sounds more doable for me, I'll keep this suggestion to track the demand and will probably add this someday.