Hi
I've used APIC-EM as a certificate authority only 2 times. I mostly use corporate PKIs, with or without ISE in the picture as SubCA.
Anyway, your routers are getting the cert using SCEP, I believe. On APIC-EM itself, the certificate has to be renewed manually, but on the router side, if configured with auto-enroll, it will try to renew its cert after a remaining validity time. If you configured `auto-enroll 85 regenerate`, this means that after 85% of the cert lifetime, the router will regenerate its cert. In more detail, if your cert is valid for 1 year (365 days), 85% means the router will try to regenerate its cert after 310 days.
Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question