If a token's certificate is expired, the Trusted Agent will submit a revocation request to a RA office.

Certificate expiration and revocation are two different ways a certificate can be rendered untrustworthy. In PKI, expiration marks a certificate as no longer valid once its time window ends. Revocation, on the other hand, is the act of invalidating a certificate before its normal expiration, usually due to key compromise, loss, or policy violations. Because an expired certificate is already considered invalid in the trust chain, there is typically no need to submit a revocation request to the RA for that certificate. The usual steps when a token’s certificate has expired are to stop relying on it and obtain a new certificate or reissue, rather than revoking it. Some organizations may still record a revocation for bookkeeping or auditing, but standard practice treats expiration as the final invalidation, not a revocation.