Perhaps this issue can't occur after 9.4.4, but just in case it may... is there any chance to create a visible alarm in Oneclick to remind the administrator that this issue exists and needs to be dealt with by a certain date?
This issue will happen again in march 2019. I think that what is needed is not so much an alarm, but a Patch provided by CA in due time, it means at least one month before the expiration date of the certificate. I would say even 2 months is more reasonable, because, here, I am the only Spectrum admin. I may be absent to up to 3 weeks, and I need time to test the patch and to deploy it.
A patch in due time goes without say, but not every Spectrum admin checks out the latest notices on the CA website. A nice big major/critical alarm in Oneclick which tells you that you should be aware that this will happen if not handled, will ensure they will check with CA about the ramifications well ahead of time.
Retrieving data ...