We've found solutions by looking into latest backup. What do you need is just some basic linux commands and openssl.
Filter expired Certs and move them away - name new folder properly
grep -l 'expired="true"' /home/Placeholder/Documents/Placeholder/Placeholder_Clearswift_SEG_uicfg/encryption/external/*.xml
Filter is not a SMIME Cert and move them away - name new folder properly
grep -l -L 'SMIMECertificate' /home/Placeholder/Documents/Placeholder/Placeholder_Clearswift_SEG_uicfg/encryption/external/*.xml
Storing filenames into a file yould also be useful
ls -1 > all_xml
gives out asn1 structure and stores it in binary format
openssl asn1parse -in Placeholder.xml -out Placeholder.der
convert binary into base64 encoded style
openssl x509 -inform DER -in Placeholder.DER -out Placeholder.pem
Please keep in mind that this way helps if you only need to import a few public keys. In larger deployments you may need to build a script and upload data to ESA in a single file. Or make sure you never use ESA for de/encypting mails.