Additional detail about certificate expiration.
I tested to see how mirc and the server would handle this. I created a certificate set to expire in half an hour, then I logged in and added the fingerprint to my nickserv account, and then re-logged-in to confirm that would accept the cert.

Then I waited for the certificate to expire.
When the expiration time had arrived, I tried to login again, and this time I was correctly not authenticated.

However, I looked among the status window messages during the failure, and nowhere did mIRC tell me that the certificate had expired. I don't expect mIRC to refuse to use the certificate after it expires, since it's possible for servers to accept certificates after they expire the way some IRC networks have expected us to use their SSL certificates after theirs expired, however it would be great if mIRC shows us our own certificate's expiration date if the SASL cert handshake failed after we used an expired cert.

Also, having some kind of .expiration property for $sslhash would allow us to alert ourselves of a soon-coming expiration date