Core Server
SERVER-72246

Expire X.509-based authorization sessions when certificate expires

    • Type: Task
    • Resolution: Unresolved
    • Priority: Major - P3
    • Affects Version/s: None
    • Component/s: None
    • Labels: None
    • Server Security

      Currently, X.509 certificates are only checked for expiration during authentication. If they are not expired at that point and the rest of the certificate is valid, authentication succeeds and the user is attached to the client's AuthorizationSession. If the certificate's expiration time passes, the client remains authorized as the user since the expiration is never re-checked after initial authentication.

      After SERVER-70701, the AuthorizationSession now has the ability to expire users if an expiration time is provided in addAndAuthorizeUser(). It should be relatively straightforward to pass the X.509 certificate's expiration time into this method so that these users are automatically expired and forced to reauthenticate with a new certificate once the original expiration time passes.
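The before/after behaviour described in this ticket, as an added model that is not MongoDB's code: a toy authorization session whose add_and_authorize_user() optionally records an expiration, with the X.509 validity check run only once at authentication. The names ClientCert, AuthorizedUser, authenticate_x509 and run_scenario, and the snake_case method names, are assumptions standing in for the server's AuthorizationSession and addAndAuthorizeUser().

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional


@dataclass(frozen=True)
class ClientCert:
    """Constructed stand-in for the certificate fields that matter here."""
    subject: str          # mapped to the user name
    not_after: datetime   # certificate expiration (X.509 notAfter)


@dataclass
class AuthorizedUser:
    name: str
    expiration: Optional[datetime]   # None models the pre-SERVER-70701 behaviour: never expires


class AuthorizationSession:
    """Model of the per-client session; users are attached via add_and_authorize_user()."""

    def __init__(self) -> None:
        self._users: Dict[str, AuthorizedUser] = {}

    def add_and_authorize_user(self, name: str, expiration: Optional[datetime] = None) -> None:
        self._users[name] = AuthorizedUser(name, expiration)

    def is_authorized(self, name: str, now: datetime) -> bool:
        user = self._users.get(name)
        if user is None:
            return False
        if user.expiration is not None and now >= user.expiration:
            # Expiration passed: drop the user so the client must re-authenticate.
            del self._users[name]
            return False
        return True


def authenticate_x509(session: AuthorizationSession, cert: ClientCert,
                      now: datetime, propagate_expiry: bool) -> bool:
    """One-time validity check at authentication time, as the ticket describes."""
    if now >= cert.not_after:
        return False
    # The proposed fix: hand the certificate's notAfter to the session.
    session.add_and_authorize_user(cert.subject, cert.not_after if propagate_expiry else None)
    return True


def run_scenario(propagate_expiry: bool):
    """Returns (authorized 30 min after auth, authorized 1 h after the cert expired)."""
    t0 = datetime(2023, 1, 1, tzinfo=timezone.utc)                     # constructed clock
    cert = ClientCert("CN=app-client", not_after=t0 + timedelta(hours=1))  # constructed cert
    session = AuthorizationSession()
    assert authenticate_x509(session, cert, t0, propagate_expiry)
    before = session.is_authorized(cert.subject, t0 + timedelta(minutes=30))
    after = session.is_authorized(cert.subject, t0 + timedelta(hours=2))
    return before, after
```

Without propagating the expiry the session still answers True long after the certificate has expired; with it, the user is dropped at notAfter and the client has to re-authenticate.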

Assignee: backlog-server-security [DO NOT USE] Backlog - Security Team
Reporter: varun.ravichandran@mongodb.com Varun Ravichandran
Votes: 0
Watchers: 2