There is a KB article: Generating Email Alerts for Expiring Trusted Certificates
In that article, the alert message is based on the audit message, which does not include the CN of the certificate. It only shows "One or more certificate is going to expire soon".
This is difficult for a system administrator who has hundreds of certificates to manage.
Release : 9.4 CR1 and above
Component : API GATEWAY
The new solution uses the /restman interface to load all the certificates, and then uses the Look Up Certificate assertion together with the Extract Attributes from Certificate assertion to get each certificate's expiry date.
The sample policy lists the certificates that have already expired or will expire within 30 days, each with its CN and expiry date.
It can be used as the policy for a service endpoint or for a scheduled task.
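The same check, sketched outside the gateway as an added Python example (it is not the KB's sample policy and not Layer7 code): it reads the subject CN and notAfter from each certificate and lists those that are expired or expire within 30 days. It assumes the certificates have already been retrieved as base64-encoded DER strings; the function names and the sample certificates are made up for the example.

```python
import base64
from datetime import datetime, timedelta, timezone

def tlv(buf, pos):  # one DER element -> (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def children(buf, start, end):
    out = []
    while start < end:
        out.append(tlv(buf, start))
        start = out[-1][2]
    return out

def cn_and_not_after(b64_cert):
    der = base64.b64decode(b64_cert)
    cert = tlv(der, 0)                          # Certificate SEQUENCE
    f = children(der, *tlv(der, cert[1])[1:])   # fields of tbsCertificate
    # After dropping the optional [0] version: serial, sigalg, issuer, validity, subject
    f = f[1:] if f[0][0] == 0xA0 else f
    tag, vs, ve = children(der, f[3][1], f[3][2])[1]    # notAfter
    text = der[vs:ve].decode("ascii")
    if tag == 0x17:                             # UTCTime: RFC 5280 century rule
        text = ("19" if text[:2] >= "50" else "20") + text
    not_after = datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    cn = None
    for _, rs, re_ in children(der, f[4][1], f[4][2]):  # each RDN (SET)
        for _, a, b in children(der, rs, re_):          # each AttributeTypeAndValue
            (_, o1, o2), (_, v1, v2) = children(der, a, b)
            if der[o1:o2] == b"\x55\x04\x03":           # OID 2.5.4.3 = commonName
                cn = der[v1:v2].decode("utf-8")
    return cn, not_after

def expiry_report(b64_certs, now, days=30):
    rows = [(cn, na.date().isoformat(), "expired" if na <= now else "expiring")
            for cn, na in map(cn_and_not_after, b64_certs)
            if na <= now + timedelta(days=days)]
    return sorted(rows, key=lambda r: r[1])

# Constructed sample: skeleton certificates with only the fields read above (unsigned).
def sample_cert(cn, not_after):
    t = lambda tag, body: bytes([tag, len(body)]) + body
    name = t(0x30, t(0x31, t(0x30, t(0x06, b"\x55\x04\x03") + t(0x0C, cn.encode()))))
    validity = t(0x30, t(0x17, b"240101000000Z") + t(0x17, not_after.encode()))
    tbs = t(0x30, t(0x02, b"\x01") + t(0x30, b"") + t(0x30, b"") + validity + name)
    return base64.b64encode(t(0x30, tbs)).decode()
```

Call `expiry_report` with a timezone-aware `now`, for example `datetime.now(timezone.utc)`; each returned row is `(CN, expiry date, status)`, sorted by expiry date.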