I just did a packet capture on an MR42 starting up.
It negotiated a TLS 1.2 connection. The server it was talking to had a SHA-256 signature on its certificate. I couldn't verify the client certificate.
You cannot replace the burned-in certificates installed in Meraki kit. If you did, then they would fail to authenticate and get their configs.