There is a KB article: Generating Email Alerts for Expiring Trusted Certificates
In that article, the alert message is based on the audit message, which does not include the CN of the certificate. It only shows "One or more certificate is going to expire soon".
This makes it difficult for a system administrator who manages hundreds of certificates to tell which ones are affected.
Release : 9.4 CR1 and above
Component : API GATEWAY
The new solution uses the /restman interface to load all the certificates, and then uses the Look Up Certificate assertion and the Extract Attributes from Certificate assertion to get the expiry date of each one.
The sample policy lists the certificates that have expired, or are going to expire within 30 days, with their CN and expiry date.
It can be used as the policy for a service endpoint, or for a scheduled task.
# curl http://localhost:8080/ccert
-------------------
CN=cert-test.sandbox.google.com,O=Google LLC,L=Mountain View,ST=California,C=US
2019-10-27T17:31:57.000Z
-------------------
-------------------
CN=tmpkey01
2020-07-10T04:20:21.000Z
-------------------
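The following Python script is an added example, not part of the KB article or the sample policy. It parses output in the format shown above and separates expired certificates from those expiring within 30 days, so the result can feed an alert e-mail. The function names are hypothetical, and the layout (separator line, subject, expiry timestamp) is assumed from the sample output.

```python
import re
from datetime import datetime, timedelta, timezone

SEPARATOR = re.compile(r"^-{5,}$")  # assumed: a line of dashes delimits each entry

def parse_report(text):
    """Return (subject_dn, expiry) pairs from the policy's text output."""
    entries, block = [], []
    for line in text.splitlines():
        line = line.strip()
        if SEPARATOR.match(line):
            if len(block) == 2:  # subject line followed by expiry line
                expiry = datetime.strptime(block[1], "%Y-%m-%dT%H:%M:%S.%fZ")
                entries.append((block[0], expiry.replace(tzinfo=timezone.utc)))
            block = []
        elif line:
            block.append(line)
    return entries

def common_name(subject_dn):
    """Extract the CN value, honouring backslash-escaped commas in the DN."""
    for rdn in re.split(r"(?<!\\),", subject_dn):
        key, _, value = rdn.strip().partition("=")
        if key.upper() == "CN":
            return value.replace("\\,", ",")
    return subject_dn  # no CN present: fall back to the full subject

def classify(entries, now, window_days=30):
    """Split entries into already expired and expiring within the window."""
    limit = now + timedelta(days=window_days)
    expired = [(common_name(dn), exp) for dn, exp in entries if exp <= now]
    expiring = [(common_name(dn), exp) for dn, exp in entries if now < exp <= limit]
    return sorted(expired, key=lambda e: e[1]), sorted(expiring, key=lambda e: e[1])

# Sample input: the example output shown above, embedded so the script runs offline.
SAMPLE = """\
-------------------
CN=cert-test.sandbox.google.com,O=Google LLC,L=Mountain View,ST=California,C=US
2019-10-27T17:31:57.000Z
-------------------
-------------------
CN=tmpkey01
2020-07-10T04:20:21.000Z
-------------------
"""

if __name__ == "__main__":
    expired, expiring = classify(parse_report(SAMPLE), datetime.now(timezone.utc))
    for label, rows in (("EXPIRED", expired), ("EXPIRING", expiring)):
        for cn, exp in rows:
            print(f"{label}\t{cn}\t{exp.isoformat()}")
```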
To run the policy as a scheduled task:
Only policy fragments of type "Policy-Backed Service Operation Policy Fragment" with the tag "com.l7tech.objectmodel.polback.BackgroundTask" are displayed in the scheduled task policy drop-down. If the policy is going to be used in a scheduled task, it needs to be created as a fragment with that type and tag. It can then be selected and scheduled to run.
https://knowledge.broadcom.com/external/article?articleId=57267