Which action is performed when a token's certificate expires?

When a token’s certificate expires, the system should formally revoke it so its trust status is clearly updated across the PKI. Submitting a revocation request to the Registration Authority (RA) ensures the certificate is marked as revoked in the CA’s records and published in the revocation lists (CRL/OCSP). This prevents any relying party from trusting the certificate in the future, even if a clock skew or caching hiccup momentarily shows it as valid. Ignoring the expiry would leave uncertainty about the certificate’s status; notifying the user doesn’t change the certificate’s trust status in PKI infrastructure; and deactivating the PIN affects authentication factors, not the certificate’s revocation in the PKI.