Yeah, but I'm not exactly reassured by choosing on of the many plugins out there- or running them all. It would be great to push for an official check.

I'm might be willing to help, but I'd need documentation about what (and how) to check, but that's basically 90% of the work. I would propose assimilating the best-looking plugin out there and expanding it every time sometime reports some broken thing that needs proactive fixing.

Any way we can help this happen?

$ ipa cert-find --validnotafter-to=$(date --date="3 years" +"%Y-%m-%d")

Actually changing "3 years" to something inferior to the margin FreeIPA starts renewing certificates should warn you that something is amiss.