@Mike Paranich, Thanks for posting in Q&A. To renewal of "Enrollment Agent" certificate used by NDES, you can try the steps in the following link:
To renew NDES server certificate, you can go to the computer certificate store console in MM on NDES server, find the certificate, right click it to renew it.
Meanwhile, for the certificate valid period, it depends on the "validity period" configured on the certificate template. You can check to see if the "validity period" is 10 years.
Based on my checking the two specific templates – CEP Encryption and Exchange Enrollment Agent (Offline request). Both templates are V1 templates and therefore cannot be modified. The "validity period" is 2 years by default. However, as they may not meet your requirements, you can enroll new certificates based on customized templates and clean out the certificates installed during installation. Here is a link with more details for your reference.
Hope the above information can help.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.