Hi CJ,
The expiration time of the CA certificate is monitored via a timer, and 30 days prior to its expiration a rollover/shadow certificate is generated to replace it. For that period both CA server certificates exist, and the shadow certificate is available for export to other ASAs that need to be able to validate any client certificates issued by the shadow certificate. Syslogs are generated within the 30-day period (717049) to report the approaching expiration, and upon rollover (717041).

If the Local CA certificate expires it should automatically renew (auto-rollover); the status of the rollover can be seen in the output of "show crypto ca server". Client certificates issued before the rollover would still be valid, provided their expiration date has not passed. However, if the Local CA cert is expired (and not rolled over) there is no way to validate the client cert. With rollover there shouldn't be any problems with the Local CA cert expiring; it should replace the old cert with the new one when it expires.
I hope this answers your question.
Thanks,
Vishnu Sharma
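The monitoring described in the reply above can be checked from the syslog side. The following is an added example, not code from the original thread or from Cisco: it parses ASA syslog lines for the two message IDs the reply names (717049 for the approaching expiration, 717041 for the completed rollover), flags the failure case where the warning countdown reaches zero without a rollover, and separately computes where a CA certificate's not-after date falls relative to the 30-day shadow window. The sample log lines are constructed for this example; only the message IDs come from the reply, and the message text, severity levels and hostnames are assumptions.

```python
"""Check Cisco ASA Local CA rollover state from syslog and from the CA cert's dates.

Added example. Message IDs 717049 and 717041 are from the thread; the
syslog message text used in the samples below is an assumption.
"""
import re
from datetime import date

ROLLOVER_WINDOW_DAYS = 30          # shadow cert is generated 30 days before expiry
MSG_EXPIRY_WARNING = "717049"      # "expiration approaching" syslog (from the reply)
MSG_ROLLOVER_DONE = "717041"       # "rollover occurred" syslog (from the reply)

# Generic ASA syslog shape "%ASA-<severity>-<id>: <text>"; the text after the
# ID is treated opaquely except for an optional "N days" countdown.
SYSLOG_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<id>\d{6}):\s*(?P<text>.*)")
DAYS_RE = re.compile(r"(\d+)\s+days?", re.IGNORECASE)

# Constructed sample log lines (hostname, timestamps and wording are assumed).
SAMPLE_LOG = [
    "Jan 10 2024 08:00:01 asa1 %ASA-6-717049: Local CA Server certificate is due to expire in 30 days",
    "Feb 05 2024 08:00:01 asa1 %ASA-6-717049: Local CA Server certificate is due to expire in 4 days",
    "Feb 09 2024 08:00:01 asa1 %ASA-6-717041: Local CA Server certificate has been rolled over",
    "Feb 09 2024 08:00:02 asa1 %ASA-6-302013: Built outbound TCP connection 12 for outside:203.0.113.5/443",
]


def parse_ca_events(lines):
    """Return the Local CA lifecycle events found in the given syslog lines, in order."""
    events = []
    for line in lines:
        m = SYSLOG_RE.search(line)
        if not m:
            continue
        msg_id, text = m.group("id"), m.group("text")
        if msg_id == MSG_EXPIRY_WARNING:
            d = DAYS_RE.search(text)
            events.append({"id": msg_id, "kind": "expiry-warning",
                           "days_left": int(d.group(1)) if d else None})
        elif msg_id == MSG_ROLLOVER_DONE:
            events.append({"id": msg_id, "kind": "rollover", "days_left": None})
    return events


def rollover_status(events):
    """Classify the CA state from the event sequence.

    rolled-over              : a 717041 was seen after the last warning
    pending                  : warnings seen, countdown still positive, no rollover yet
    expired-without-rollover : a warning reached 0 days and no rollover followed
    no-activity              : neither message seen
    """
    if not events:
        return "no-activity"
    last_warning = max((i for i, e in enumerate(events) if e["kind"] == "expiry-warning"), default=-1)
    last_rollover = max((i for i, e in enumerate(events) if e["kind"] == "rollover"), default=-1)
    if last_rollover > last_warning:
        return "rolled-over"
    days = [e["days_left"] for e in events if e["kind"] == "expiry-warning" and e["days_left"] is not None]
    if days and min(days) <= 0:
        return "expired-without-rollover"   # the case where client certs can no longer be validated
    return "pending"


def check_ca_expiry(not_after, today):
    """Independent check against the certificate itself (e.g. not-after from 'show crypto ca server')."""
    days_left = (not_after - today).days
    return {
        "days_left": days_left,
        "in_rollover_window": 0 <= days_left <= ROLLOVER_WINDOW_DAYS,
        "expired": days_left < 0,
    }


if __name__ == "__main__":
    evs = parse_ca_events(SAMPLE_LOG)
    for e in evs:
        print(e)
    print("status:", rollover_status(evs))
    print(check_ca_expiry(date(2024, 2, 9), date(2024, 1, 10)))
```

In practice you would feed the parser the ASA's exported syslog stream and pair the `expired-without-rollover` result with the not-after date from "show crypto ca server", so that an expired CA with no shadow certificate is caught before client certificate validation starts failing.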