How to access certificate expiry in an API Proxy

As per the Google doc: https://docs.apigee.com/api-platform/system-administration/tls-vars, we can capture a set of TLS variables after successful mutual authentication, but I couldn't find the variables for the certificate start and expiry dates. How can we capture those variables in an API proxy?


I think you are referring to the x509 certificate for the "remote peer" that is connected to Apigee via HTTPS / TLS. There are two kinds of remote peers - the client for an inbound client call, and the remote "backend" or "upstream" system that you might connect to, via a targetendpoint.

First, some qualifying remarks.

  1. Apigee presents the opportunity for you to examine the certificate, only for the inbound client call. There is no way for you to examine the certificate used by a backend system that connects via 2-way TLS.
  2. Your Apigee proxy will never be able to access the certificate information for a cert that is expired. The reason is: the TLS connection will fail in the case that a peer presents an expired certificate, which means, the proxy is never activated.
  3. The certificate for a client will be available only when you use mutual TLS authentication on the inbound call, in other words, on the Virtualhost. This is less common than the 1-way TLS for VirtualHosts.
  4. You must configure the VirtualHost to use the PropagateTLSInformation element. (Check the documentation at the link you provided)

OK, if all of that is clear, then... let's get to your question. Today there is no built-in way to examine the expiry of a certificate of a client. You do receive the raw certificate, which means you could de-serialize the cert and examine the expiry. If I were doing that, I'd build a Java callout to do the work. Deserializing a certificate from the raw form and extracting the expiry is relatively simple in Java. I don't have a working callout for you, but it should not be so difficult to do.

Here's a repo that parses X509 certificates. I *think* this will work with the raw certificate that is provided to the API Proxy via PropagateTLSInformation.

https://github.com/DinoChiesa/Apigee-Java-CertificateParser
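As an added example (not code from this thread or from the linked repo), here is the shape such a Java callout could take: it reads the PEM from a flow variable, deserializes it with the JDK's CertificateFactory, and writes notBefore/notAfter back as flow variables. The class name, the output variable names, and the default source variable tls.client.raw.cert (taken as an assumption from the linked TLS-variables doc) are all assumptions.

```java
// Added example: a hypothetical Apigee Java callout that parses the client certificate PEM
// from a flow variable and exposes its validity window as flow variables.
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.time.Instant;
import java.time.format.DateTimeFormatter;
import java.util.Map;
import com.apigee.flow.execution.ExecutionContext;
import com.apigee.flow.execution.ExecutionResult;
import com.apigee.flow.execution.spi.Execution;
import com.apigee.flow.message.MessageContext;
public class CertExpiryCallout implements Execution {
  private final Map<String, String> properties; // <Property> elements from the JavaCallout policy XML
  public CertExpiryCallout(Map<String, String> properties) { this.properties = properties; }
  // CertificateFactory accepts the -----BEGIN CERTIFICATE----- PEM form directly (no manual base64 step).
  static X509Certificate parsePem(String pem) throws CertificateException {
    CertificateFactory cf = CertificateFactory.getInstance("X.509");
    return (X509Certificate) cf.generateCertificate(
        new ByteArrayInputStream(pem.getBytes(StandardCharsets.US_ASCII)));
  }
  public ExecutionResult execute(MessageContext msgCtxt, ExecutionContext exeCtxt) {
    // Source variable name is an assumption (tls.client.raw.cert from the linked doc);
    // override it with <Property name="source"> in the policy if your variable differs.
    String source = properties.getOrDefault("source", "tls.client.raw.cert");
    try {
      String pem = (String) msgCtxt.getVariable(source);
      if (pem == null || pem.isEmpty()) {
        msgCtxt.setVariable("cert.error", "no certificate found in " + source);
        return ExecutionResult.ABORT;
      }
      X509Certificate cert = parsePem(pem);
      Instant notAfter = cert.getNotAfter().toInstant();
      msgCtxt.setVariable("cert.notBefore", DateTimeFormatter.ISO_INSTANT.format(cert.getNotBefore().toInstant()));
      msgCtxt.setVariable("cert.notAfter", DateTimeFormatter.ISO_INSTANT.format(notAfter));
      // Days left until expiry. A negative value will not occur in practice: as noted above,
      // the TLS handshake rejects an expired client cert before the proxy ever runs.
      long daysLeft = Duration.between(Instant.now(), notAfter).toDays();
      msgCtxt.setVariable("cert.daysUntilExpiry", Long.toString(daysLeft));
      return ExecutionResult.SUCCESS;
    } catch (CertificateException | ClassCastException e) {
      msgCtxt.setVariable("cert.error", e.getMessage());
      return ExecutionResult.ABORT;
    }
  }
}
```

The resulting cert.daysUntilExpiry variable can then drive a RaiseFault or a warning header, for example to alert a client whose certificate is close to its notAfter date before renewal becomes an outage.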

Hi Dino

Thanks for your answer. This triggers another question: what if the CA cert in the truststore has expired, will the calls from clients whose certs were issued by this CA be allowed?

Thanks


You can try a management API call to get the details of an alias.