Hi, can you renew the certificate on the root domain?
If not, you can bypass it with a registry setting:
https://support.microsoft.com/en-us/topic/outlook-2016-and-outlook-2013-hang-when-a-user-tries-to-create-a-profile-b808efa8-ecba-ed1a-1f8e-e3816ae35117
Outlook 2016: Exclude the root domain from Autodiscover lookup in Outlook
Important: Follow the steps in this section carefully. Serious problems might occur if you modify the registry incorrectly. Before you modify it, back up the registry for restoration in case problems occur.
To prevent Outlook 2016 from using the root domain of the user's SMTP address to locate the Autodiscover service, set the ExcludeHttpsRootDomain registry subkey to a value of 1. To do this, follow these steps:
1. Open Registry Editor.
2. Locate and then click the following registry subkey:
   HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\Autodiscover
3. On the Edit menu, point to New, and then click DWORD Value.
4. Type ExcludeHttpsRootDomain, and then press Enter.
5. On the Edit menu, click Modify, type 1 in the Value data box, and then click OK.
6. Exit Registry Editor.
Or with a Group Policy:
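
The registry steps quoted above (not the Group Policy route), scripted in PowerShell for the signed-in user. This is an added example, not part of the original post or the Microsoft article; the backup file name and location are assumptions chosen for the example.

```powershell
# Added example: performs the manual Registry Editor steps for the current user.
$keyPath    = 'HKCU:\Software\Microsoft\Office\16.0\Outlook\Autodiscover'
$regExeKey  = 'HKCU\Software\Microsoft\Office\16.0\Outlook\Autodiscover'
$valueName  = 'ExcludeHttpsRootDomain'
# Assumption: backup file name and location picked for this example.
$backupFile = Join-Path $env:TEMP 'Outlook-Autodiscover-backup.reg'

if (Test-Path -Path $keyPath) {
    # Back up the existing key before changing it, as the article advises.
    & reg.exe export $regExeKey $backupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup of $regExeKey failed; nothing was changed." }
    Write-Output "Existing key exported to $backupFile"
} else {
    # The Autodiscover key does not exist on every profile; create it.
    New-Item -Path $keyPath -Force | Out-Null
    Write-Output "Created $keyPath (no previous key to back up)"
}

# Record the previous state so the change can be reverted by hand if needed.
$previous = (Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
if ($null -eq $previous) {
    Write-Output "Previous ${valueName}: not set"
} else {
    Write-Output "Previous ${valueName}: $previous"
}

# Create (or overwrite) the DWORD value and set it to 1.
New-ItemProperty -Path $keyPath -Name $valueName -PropertyType DWord -Value 1 -Force | Out-Null

# Read the value back and confirm both data and type.
$key    = Get-Item -Path $keyPath
$actual = $key.GetValue($valueName)
$kind   = $key.GetValueKind($valueName)
if ($actual -ne 1 -or $kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
    throw "Verification failed: $valueName is '$actual' ($kind), expected 1 (DWord)."
}
Write-Output "$valueName is now 1 (DWord) under $keyPath"
```

Run it in the affected user's session, since the value lives under HKEY_CURRENT_USER.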