Can I just renew CA certificate without implication for the ESP device?

[RichPiano]

I found out that mbedTLS doesn't check the expiry date of a certificate by default.

Does that mean that I can (provided I use the same private key to create the certificate) create a new self signed CA certificate (which my update server depends on) on the server side and not have to change anything on the esp (client side)?

My gut feeling says that when the public key in the new and old CA certificate stays the same, the ESP should be able to validate the webservers certificate also with an "outdated" CA certificate in store. Is this correct?