
ssl cert list via CLI

Mayank_Shukla
Altostratus

In LTM 11.5.3, how can we capture the full SSL cert list along with their expiry dates via the CLI?


6 REPLIES

Jinshu
Cirrus

tmsh list sys file ssl-cert all

The above command will display all the SSL certs installed on your system with all their details.

If you are looking for only the expiration dates, try the command below.

tmsh list sys file ssl-cert expiration-string

Hope this helps.

-Jinshu
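To turn the output of the second command above into an expiry report, here is an added example (not from this thread or from F5) that parses the `tmsh list sys file ssl-cert expiration-string` stanza format, computes days remaining per certificate and flags anything inside a 30-day window. The certificate names and dates in the embedded sample are constructed; on a real box you would pipe the tmsh output into the script instead.

```python
"""Parse `tmsh list sys file ssl-cert expiration-string` output and report days to expiry."""
import re
import sys
from datetime import datetime, timezone

# Constructed sample of what `tmsh list sys file ssl-cert expiration-string`
# prints on a BIG-IP; the certificate names and dates are made up.
SAMPLE_TMSH_OUTPUT = """\
sys file ssl-cert default.crt {
    expiration-string "Jan 17 17:01:01 2030 GMT"
}
sys file ssl-cert /Common/test2.crt {
    expiration-string "Dec  6 22:05:11 2016 GMT"
}
sys file ssl-cert /Common/www.example.com.crt {
    expiration-string "Mar  3 00:00:00 2027 GMT"
}
"""

# One stanza per certificate: the object name, then its expiration-string value.
STANZA_RE = re.compile(
    r'sys file ssl-cert (?P<name>\S+) \{\s*expiration-string "(?P<exp>[^"]+)"'
)


def parse_expirations(text):
    """Return {cert_name: expiry datetime in UTC} parsed from tmsh output."""
    certs = {}
    for m in STANZA_RE.finditer(text):
        # tmsh prints the OpenSSL-style date, e.g. "Dec  6 22:05:11 2016 GMT".
        exp = datetime.strptime(m.group("exp"), "%b %d %H:%M:%S %Y %Z")
        certs[m.group("name")] = exp.replace(tzinfo=timezone.utc)
    return certs


def days_remaining(certs, now):
    """Return [(name, days)] sorted soonest-first; negative means already expired."""
    rows = [(name, (exp - now).days) for name, exp in certs.items()]
    return sorted(rows, key=lambda r: r[1])


def expiring_within(certs, now, days=30):
    """Names of certs that expire within `days` days, or have already expired."""
    return [name for name, d in days_remaining(certs, now) if d <= days]


if __name__ == "__main__":
    # Read real tmsh output from a pipe, otherwise fall back to the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TMSH_OUTPUT
    now = datetime.now(timezone.utc)
    for name, d in days_remaining(parse_expirations(text), now):
        print(f"{d:>6} days  {name}")
```

Run it as `tmsh list sys file ssl-cert expiration-string | python3 cert_expiry.py` on the BIG-IP (script name is an assumption).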

a_rosier_147081
Historic F5 Account

You will need to write a script that extracts the cert names (hint: use grep), and then runs the appropriate openssl command (maybe again in combination with grep) to extract the expiry date. As far as I am aware there will be no easy way to do it in TMSH. But it may be worth checking the contextual help (? or Tab completion) to see if the option is there. Personally I doubt it is there.


Kevin_K_51432
Historic F5 Account

One other possibility: I created 29-, 30- and 31-day valid SSL certificates. It seems this command reports SSL certs that have 30 days to expiration:

tmsh run /sys crypto check-cert
CN=example.com,OU=one,O=one,L=one,ST=WA,C=us in file /Common/test2.crt will expire on Dec  6 22:05:11 2016 GMT
CN=example.com,OU=one,O=one,L=one,ST=WA,C=us in file /Common/test3.crt will expire on Dec  8 22:07:47 2016 GMT

psxg_345884
Nimbostratus

Would you be able to use the command:

run /sys crypto check-cert

but add a few greps? Something like | grep 'will expire'? I tried that and it didn't work for me.

Any thoughts?

atulanand5_2917
Nimbostratus

(tmos)list sys file ssl-cert expiration-string


firstmode
Nimbostratus

run sys crypto check-cert verbose enabled

list sys crypto cert all

list sys file ssl-cert all-properties


Device Service Clustering (DSC): The BIG-IP system uses SSL certificates to establish a trust relationship between devices. In a device trust, a BIG-IP device can act as a certificate signing authority or a subordinate non-authority.

/config/ssl/ssl.crt/dtdi.crt (Device Management > Device Trust > Identity): The dtdi.crt is the identity certificate that is used by a device to validate its identity with another device.

/config/ssl/ssl.crt/dtca.crt (Device Management > Device Trust > Local Domain): The dtca.crt is the CA root certificate for the trust network.


Configuration utility: Device certificates: The BIG-IP system uses the device certificates for HTTPS connections to the Configuration utility and device-to-device communication processes.

/config/httpd/conf/ssl.crt/server.crt (BIG-IP 13.0.0 and later: System > Certificate Management > Device Certificate Management > Device Certificate; BIG-IP versions prior to 13.0.0: System > Device Certificates > Device Certificate): The server.crt is a certificate used for HTTPS connections to the Configuration utility and device-to-device communication processes.


Trusted device certificates: The local BIG-IP device uses trusted device certificates to authenticate certain connections from a remote BIG-IP device. For example, the big3d agent of the local BIG-IP DNS or BIG-IP LTM system uses the trusted device certificate obtained from a remote F5 device to authenticate the remote device's gtmd or iqdump requests.

/config/big3d/client.crt (BIG-IP 13.0.0 and later: System > Certificate Management > Device Certificate Management > Device Trust Certificates; BIG-IP versions prior to 13.0.0: System > Device Certificates > Trusted Device Certificates): The local BIG-IP device uses the trusted device certificates to authenticate certain connections from a remote BIG-IP device.


Trusted server certificates: The BIG-IP GTM system uses trusted server certificates when the local BIG-IP DNS system authenticates itself to a remote F5 device. For example, the local BIG-IP DNS system uses the trusted server certificate when the BIG-IP DNS system's gtmd process or iqdump program attempts to connect to the big3d process on a remote F5 device.

/config/gtm/server.crt (BIG-IP 11.5.0 and later: DNS > GSLB > Servers > Trusted Server Certificates; BIG-IP versions prior to 11.5.0: Global Traffic > Servers): The trusted server certificates are used when the local GTM system authenticates itself to a remote F5 device.


Client SSL profile:

https://devcentral.f5.com/s/question/0D51T00006i7kIi/identify-which-virtual-servers-are-using-a-specific-ssl-certificate

certificate: /config/filestore/files_d/<partition>_d/certificate_d/, e.g. /config/filestore/files_d/Common_d/certificate_d/