Forum Discussion
Christian_15126
Dec 11, 2013 (Nimbostratus)
Generate logs on two-way client authentication SSL certs expired or close to expiring?
I've been tasked with coming up with a way to monitor client certificate expiration status without the f5 holding the client cert (which obviously would be the easiest way to check cert expiration st...
Kevin_Stewart
Dec 11, 2013 (Employee)
Try this:
when CLIENTSSL_CLIENTCERT {
    # Check if client provided a cert
    if { [SSL::cert 0] eq "" } {
        log local0. "Client Certificate Missing"
        reject
    } else {
        set subject_dn [string tolower [X509::subject [SSL::cert 0]]]
        set expiration_dn [X509::not_valid_after [SSL::cert 0]]

        # Expiration checking code: warn when the cert expires within 30 days
        set expiration [clock scan $expiration_dn]
        if { [expr [clock scan "+30 days" -base [clock seconds]] >= $expiration] } {
            set difference [expr ($expiration - [clock seconds]) / 60 / 60 / 24]
            log local0. "Cert expiring ($difference days): $subject_dn"
        }
        log local0. "Client Certificate Received: $subject_dn --- $expiration_dn"

        if { ( [class match $subject_dn contains progressive_cn_list] ) } {
            # Accept the client cert
            log local0. "Client Certificate Accepted: $subject_dn [SSL::cert count]"
        } else {
            log local0. "Client Certificate Mismatch: $subject_dn [SSL::cert count]"
            reject
        }
    }
}
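The same 30-day threshold logic, as an added Python example that is not part of the thread or F5's code, so it can be checked offline against sample notAfter strings. It assumes X509::not_valid_after returns the OpenSSL notAfter text format ("Mon DD HH:MM:SS YYYY GMT"); it also adds the already-expired case, which the iRule above only reports as a negative day count.

```python
from datetime import datetime, timedelta, timezone

WARN_DAYS = 30  # same threshold as the iRule's "+30 days"


def parse_not_after(not_after: str) -> datetime:
    """Parse an OpenSSL-style notAfter string into an aware UTC datetime.

    Assumed format (not confirmed by the thread): 'Mon DD HH:MM:SS YYYY GMT',
    e.g. 'Jan  5 12:00:00 2014 GMT' (OpenSSL space-pads single-digit days).
    """
    text = not_after.strip()
    if text.endswith(" GMT") or text.endswith(" UTC"):
        text = text[:-4]
    # strptime treats a space in the format as "one or more" whitespace,
    # so the padded day in 'Jan  5' parses correctly.
    return datetime.strptime(text, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def expiry_status(not_after: str, now: datetime, warn_days: int = WARN_DAYS):
    """Return (status, whole_days_remaining).

    status is 'expired', 'expiring' (within warn_days) or 'ok'.
    days is floored, so an expired cert yields a negative number, which
    matches what the iRule's integer division would log.
    """
    expires = parse_not_after(not_after)
    remaining = expires - now
    days = remaining.days
    if remaining <= timedelta(0):
        return "expired", days
    if now + timedelta(days=warn_days) >= expires:   # mirrors the iRule's >= test
        return "expiring", days
    return "ok", days


def log_line(subject_dn: str, not_after: str, now: datetime) -> str:
    """Build the log message the iRule would emit for this cert."""
    status, days = expiry_status(not_after, now)
    if status == "ok":
        return f"Client Certificate Received: {subject_dn.lower()} --- {not_after}"
    return f"Cert {status} ({days} days): {subject_dn.lower()}"


if __name__ == "__main__":
    # Constructed sample data: the thread's date as "now" and three test certs.
    now = datetime(2013, 12, 11, 12, 0, 0, tzinfo=timezone.utc)
    for dn, na in [("CN=app1", "Jan  5 12:00:00 2014 GMT"),
                   ("CN=app2", "Dec 10 00:00:00 2013 GMT"),
                   ("CN=app3", "Jun  1 00:00:00 2014 GMT")]:
        print(log_line(dn, na, now))
```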