The system time can be periodically checked. If it gets valid, certificates get rechecked with the current lifetime. If certificates are invalid, associated IKE_SAs can be closed or reauthenticated.