SSL (HTTPS) connections and certificates

I've been running SSL requests from an MKR WIFI 1010 for a while using libraries ArduinoHttpClient and WiFiNINA. These are GET requests to an API at Azure (but not connected via Azure IoT Hub). This has been working fine. I got the board last year and I have not been uploading any root certificates to it, nor updated the firmware, through the WiFiNINA Firmware/Certificates uploader, while testing the requests.

But recently, these requests fail (the HTTP client gives status code -2). This is the case since I updated the firmware (currently the latest NINA firmware: 1.3.0) and added some certificates through the Firmware uploader tool. I'm quite sure my code has not changed. I've just been running some other sketches meanwhile. I don't think anything has changed on the security side of the API I'm trying to access either. I can run the requests successfully in a browser.

I will also mention that I don't think I have gone through the procedure or wizard to connect this board to Arduino IoT cloud, or to any other cloud provider. As far as I've heard, this does something to the crypto chip, so maybe this information is relevant here.

Hope to get advice on this, what might cause it to fail. I've managed to successfully run SSL requests to another domain. I had to upload certificates for that according to a guide I followed.

How do I know which certificates are currently uploaded to the device, or how do I remove one?
Do I need to add the domain I try to connect to, in the certificate uploader tool (although it worked initially without having done that)?
Or perhaps I need to go through a wizard to connect the board to Azure (which I think will lock the crypto chip)?

I got it working now by uploading the exact domain of the API I was trying to access, via the certificate uploader. I needed to include the subdomain of the domain, which is where the API is.

It also appears that to remove a certificate from the device you just remove it from the list in the tool and upload (upload a list of domains which doesn't include the domain you want to remove).

If I want to offer the device to a customer for him or her to run it against their own domain, the only option is to pre-load the device with the customer's own domain certificate, or have the customer himself/herself do it? Could this be achieved programmatically at runtime?