Hello @henryck ,
In short, if your users have only one personal certificate for authentication in VPN, you may set the "certificate_auto_renewal_threshold" parameter to 0. Refer sk75221 and sk177463. But be aware of the risk that if for some reason certificate has expired (say, user didn't connect to domain controller for long time), user will not be able to connect to VPN.
This trick might not work (we are still checking this) if some user have several personal certificates installed simultaneously (with same Subject but different Serial Numbers).