I never coded on Espressif, but in other SDKs (e.g., mosquitto, mbedtls) typically this is done when you open the connection at the application layer (HTTPS, MQTTS). You pass in the cert bytes either as binary or PEM text as a char[]. Use a CA root cert(s) from your OS/browser.

EDIT: grammar and typos.