I did indeed determine this by not seeing the green lock in Firefox when accessing https://router.asus.com:8443 (but did not check the files on the router).
If the padlock was missing, then it was indeed not using the correct certificate. That scenario I haven't been able to reproduce so far on my RT-AC86U.
What I was referring to was the info shown on the DDNS page, where it shows the hostname, expiration date, etc... That info might not be accurate if AiCloud overwrote the file (which is what I mostly addressed in a recent fix, but still one scenario that I can't control - AiCloud's cert generation is in the smbdav closed source module...)