Reporting on expired, expiring and unused certificates is needed.

Release : 16.0
Component : CA ACF2 for z/OS

Unfortunately there is no report or method to determine if a certificate is being used. 

The ACF2 SAFRPTCR report  displays the certificate hierarchy in your database. Optionally, it shows each certificate, its signing certificate, and the certificates that it has signed. You may also display all of the information provided on a CHKCERT command and LIST command. The display can be tailored so that only certificates from a particular user or key ring will be displayed. You can decide to show only certificates that are not expired, have a key in ICSF, and are currently trusted. You can also display only those certificates that will expire within 1-365 day range.

Details on the SAFRPTCR can be found in at  ACF2 SAFCRRPT - Certificate Utility