The system can optionally generate a warning message before a certificate or a CRL expires. The amount of time before expiration is configurable with two system-wide CLI commands (certificate-expiration-warning and crl-expiration-warning). The warning messages can optionally be repeated at a configured interval. For details of the warning messages, see the corresponding command descriptions.
If a configured EE certificate expires, the system does not bring down an established ipsec-tunnel/ipsec-gw; however, future certificate authentication fails.
If a CA certificate expires, the system brings the ca-profile operationally down. This does not affect established tunnels; however, future certificate authentication that uses the ca-profile fails.