Is there a command that can be issued to display which certificates are expired or are going to expire?
There is a MODIFY ACF2 command that can be used to display certificates that have expired and certificates that are about to expire. There is also an ACF2 utility, SAFCRRPT, that can be run in batch to display certificates that have already expired or certificates that will expire within a specific number of days (see Knowledge Base Article Document ID: TEC466753).
The 'F ACF2,OMVS(CERTDATA)' MODIFY operator command can be issued from the console to display certificates that have already expired as well as certificates that are about to expire. For example:
F ACF2,OMVS(CERTDATA)
ACF79464 EXPIRED CERTIFICATE DETECTED - CERTAUTH.CERT
ACF79464 EXPIRED CERTIFICATE DETECTED - CERTAUTH.CLIENT
ACF79464 EXPIRED CERTIFICATE DETECTED - CERTAUTH.EXPIRE
ACF79464 EXPIRED CERTIFICATE DETECTED - CERTAUTH.NEW1
ACF79468 Certificate CERTAUTH.TEST is expiring within 30 days
ACF79464 EXPIRED CERTIFICATE DETECTED - LDAP.CERT
ACF79464 EXPIRED CERTIFICATE DETECTED - LDAP.CERT1
ACF79460 OPENEDITION MVS TABLE(S) BUILT
Note that the number of days shown in the ACF79468 message is based on the GSO OPTS CERTEXP field.
Details on the command can be found in the CA ACF2 for z/OS Systems Programmer Guide in section 'Appendix C: Console Operator Commands Summary' sub-section 'Rebuilding USS OpenEdition z/OS Cross-Reference Tables'.
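The following Python sketch is an added example, not part of the original article or of CA ACF2: it triages console output captured from the command above (for instance, copied from the system log) into expired and expiring certificates. The function name, the severity codes, grouping by the text before the first period, and treating ACF79460 as the end-of-output marker are assumptions made for this illustration.

```python
import re

# Message layouts taken from the sample console output in this article.
EXPIRED_RE = re.compile(r"ACF79464 EXPIRED CERTIFICATE DETECTED - (\S+)")
EXPIRING_RE = re.compile(r"ACF79468 Certificate (\S+) is expiring within (\d+) days")
DONE_MSG = "ACF79460"  # last message in the sample; assumed to mark end of output

def triage(console_text):
    """Summarise captured F ACF2,OMVS(CERTDATA) output.

    Matches against the whole text, so it copes with one message per line,
    messages run together on one line, and log prefixes before the message ID.
    """
    expired = sorted(set(EXPIRED_RE.findall(console_text)))
    expiring = sorted({(n, int(d)) for n, d in EXPIRING_RE.findall(console_text)})
    complete = DONE_MSG in console_text

    # Group names by the text before the first period (assumed grouping key).
    by_prefix = {}
    for name in expired + [n for n, _ in expiring]:
        by_prefix.setdefault(name.split(".", 1)[0], []).append(name)

    # Hypothetical severity codes for a scheduled check:
    # 3 = capture looks truncated, 2 = expired found, 1 = expiring only, 0 = clean.
    if not complete:
        severity = 3
    elif expired:
        severity = 2
    elif expiring:
        severity = 1
    else:
        severity = 0
    return {"expired": expired, "expiring": expiring,
            "by_prefix": by_prefix, "complete": complete, "severity": severity}

# Sample input: the example output shown in this article, run together on one line.
SAMPLE = (
    "F ACF2,OMVS(CERTDATA) ACF79464 EXPIRED CERTIFICATE DETECTED - CERTAUTH.CERT "
    "ACF79464 EXPIRED CERTIFICATE DETECTED - CERTAUTH.CLIENT "
    "ACF79464 EXPIRED CERTIFICATE DETECTED - CERTAUTH.EXPIRE "
    "ACF79464 EXPIRED CERTIFICATE DETECTED - CERTAUTH.NEW1 "
    "ACF79468 Certificate CERTAUTH.TEST is expiring within 30 days "
    "ACF79464 EXPIRED CERTIFICATE DETECTED - LDAP.CERT "
    "ACF79464 EXPIRED CERTIFICATE DETECTED - LDAP.CERT1 "
    "ACF79460 OPENEDITION MVS TABLE(S) BUILT"
)

if __name__ == "__main__":
    result = triage(SAMPLE)
    for key in ("expired", "expiring", "severity"):
        print(key, "=", result[key])
```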