EXPIRE date is not the same as the 'Not valid after' validity date in the certificate itself. The EXPIRE date gives the security administrator the ability to specify when the profile record associating the user to the certificate expires. This date must fall in the range of the certificate's 'Not valid before' and 'Not valid after' validity dates and must be later than the CERTDATA record activation date, if one exists. Once this EXPIRE date is reached the certificate will not be returned from a R_datalib request. Note that a certificate with no EXPIRE date and a 'Not valid after' validity date that has past will be returned from a R_datalib request, it is up to the application to determine how/if the certificate will be used.