Event details
Want to ensure you maintain a trusted boot environment for your Windows devices? Walk through essential guidance - including how to test firmware, monitor device readiness, deploy updated certificate...
Pearl-Angeles
Updated Mar 05, 2026
trevorjones
Mar 09, 2026 - Brass Contributor
I use the following code to check the certificate on the boot file in the EFI partition. You could simplify by using mountvol if you prefer. This is just for the active boot file - not the copy in the Windows file system (C:\Windows\Boot\Efi)
# Locate the system disk and its EFI system partition (ESP)
$SystemDisk = Get-Disk | Where-Object IsSystem
if ($SystemDisk)
{
    $SystemPartition = Get-Partition -DiskNumber $SystemDisk.DiskNumber -ErrorAction SilentlyContinue | Where-Object IsSystem
    if ($SystemPartition)
    {
        # Temporarily expose the ESP as S: (assumes S: is not already in use)
        $params = @{
            DiskNumber      = $SystemPartition.DiskNumber
            PartitionNumber = $SystemPartition.PartitionNumber
            AccessPath      = 'S:'
        }
        Add-PartitionAccessPath @params -ErrorAction SilentlyContinue
        # Re-read the partition so AccessPaths reflects the new drive letter
        $SystemPartition = Get-Partition -DiskNumber $SystemDisk.DiskNumber -ErrorAction SilentlyContinue | Where-Object IsSystem
        if ($SystemPartition.AccessPaths -contains 'S:\')
        {
            $bootmgrPath = Join-Path 'S:\' 'EFI\Microsoft\Boot\bootmgfw.efi'
            if (Test-Path $bootmgrPath)
            {
                $cert = $null
                try
                {
                    # Reads the embedded Authenticode signer certificate (extracts it, does not validate the signature)
                    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::CreateFromSignedFile($bootmgrPath)
                }
                catch { }
                if ($null -ne $cert)
                {
                    # First RDN of the issuer DN with the literal 'CN=' prefix removed.
                    # Note: TrimStart('CN=') would strip any leading C, N or = characters, not the prefix as a whole.
                    $issuerName    = $cert.Issuer
                    $commonName    = ($issuerName -split ',')[0] -replace '^CN=', ''
                    # Use the typed NotAfter value instead of parsing a culture-dependent date string
                    $notAfter      = $cert.NotAfter.ToString('yyyy-MM-dd HH:mm:ss')
                    $expiresInDays = ($cert.NotAfter - (Get-Date)).Days
                    [pscustomobject]@{
                        BootFile      = $bootmgrPath
                        IssuerCN      = $commonName
                        NotAfter      = $notAfter
                        ExpiresInDays = $expiresInDays
                    }
                }
            }
            # Remove the temporary drive letter again
            Remove-PartitionAccessPath @params -ErrorAction SilentlyContinue
        }
    }
}
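As an added example (not trevorjones' script), the mountvol variant mentioned above, extended to cover both the active boot manager on the ESP and the copy under C:\Windows\Boot\EFI, and using Get-AuthenticodeSignature so the signature is validated rather than only read. It assumes an elevated session, that S: is free, and that the function name Get-BootManagerSigner is ours.

```powershell
# Added example: compare the signer of the active ESP boot manager with the
# copy in the Windows directory. Get-AuthenticodeSignature validates the
# Authenticode signature (Status), unlike CreateFromSignedFile which only
# extracts the embedded certificate.
function Get-BootManagerSigner {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path $Path)) {
        return [pscustomobject]@{ Path = $Path; Status = 'NotFound'; IssuerCN = $null; NotAfter = $null; ExpiresInDays = $null }
    }
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate
    [pscustomobject]@{
        Path          = $Path
        Status        = $sig.Status      # Valid, NotSigned, HashMismatch, ...
        IssuerCN      = if ($cert) { ($cert.Issuer -split ',')[0] -replace '^CN=', '' } else { $null }
        NotAfter      = if ($cert) { $cert.NotAfter } else { $null }
        ExpiresInDays = if ($cert) { [int]($cert.NotAfter - (Get-Date)).TotalDays } else { $null }
    }
}

$espDrive = 'S:'                 # assumption: this drive letter is unused
mountvol $espDrive /S            # mount the EFI system partition (requires admin)
try {
    $results = @(
        Get-BootManagerSigner -Path (Join-Path "$espDrive\" 'EFI\Microsoft\Boot\bootmgfw.efi')
        Get-BootManagerSigner -Path (Join-Path $env:SystemRoot 'Boot\EFI\bootmgfw.efi')
    )
}
finally {
    mountvol $espDrive /D        # always dismount, even if a check throws
}

$results | Format-Table -AutoSize

# Surface the two conditions an admin actually wants to know about:
# an invalid/missing signature, and the two copies being signed under different CAs.
$results | Where-Object { $_.Status -ne 'Valid' } |
    ForEach-Object { Write-Warning "Signature not valid on $($_.Path): $($_.Status)" }

if (@($results.IssuerCN | Select-Object -Unique).Count -gt 1) {
    Write-Warning 'Active ESP boot manager and the C:\Windows\Boot\EFI copy are signed under different issuing CAs.'
}
```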
lfrei
Mar 09, 2026 - Copper Contributor
Thanks, CreateFromSignedFile was the missing part for me.