At the moment, we only support the HTTP Basic Authentication scheme for client credential grants; we haven't yet implemented RFC 7523 [1] for the use of JSON Web Tokens as described in backend services. Per the backend services draft, only an RSA public key is being utilized for the establishment of trust, not full public key infrastructure in the form of certificates. As such, there's no "certificate expiry", at least from a client authentication perspective. For HTTP Basic Authentication, a 401 status code is codified in the OAuth 2 RFC as the appropriate response code for an invalid username/password pair; for JWT, RFC 7523 defines a 400 response with a JSON payload that describes the authentication failure.
[1]: https://tools.ietf.org/html/rfc7523
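Added example, not part of the original post and not the project's code: a token-endpoint client authentication check that returns the two failure shapes described above, 401 with a Basic challenge for a bad username/password pair and 400 with a JSON error for a rejected JWT assertion. The realm name, the PBKDF2 secret storage, the `verify_assertion` hook and the sample client registry are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json

JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
CHALLENGE = {"WWW-Authenticate": 'Basic realm="token"'}  # realm name is an assumption

def secret_hash(secret, salt):
    """Stored form of a client secret (PBKDF2 chosen for this example)."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

def error_response(status, description, extra_headers=None):
    """Build (status, headers, body) for an invalid_client failure."""
    headers = {"Content-Type": "application/json", "Cache-Control": "no-store"}
    headers.update(extra_headers or {})
    body = json.dumps({"error": "invalid_client", "error_description": description})
    return status, headers, body

def authenticate_client(headers, form, clients, verify_assertion):
    """Return (client_id, None) on success, else (None, error_response)."""
    auth = headers.get("Authorization", "")
    if auth[:6].lower() == "basic ":
        try:
            decoded = base64.b64decode(auth[6:].strip(), validate=True).decode()
        except ValueError:  # bad base64 or bad UTF-8
            return None, error_response(401, "malformed Basic credentials", CHALLENGE)
        client_id, _, secret = decoded.partition(":")
        record = clients.get(client_id)
        # Hash against a dummy record for unknown clients so both paths cost the same.
        salt, expected = record or (b"\0" * 16, b"\0" * 32)
        matches = hmac.compare_digest(secret_hash(secret, salt), expected)
        if record is None or not matches:
            return None, error_response(401, "invalid client credentials", CHALLENGE)
        return client_id, None
    if form.get("client_assertion_type") == JWT_BEARER:
        try:
            # verify_assertion is a hypothetical hook: it must check the RSA
            # signature and claims, then return the client_id or raise ValueError.
            return verify_assertion(form.get("client_assertion", "")), None
        except ValueError as exc:
            return None, error_response(400, str(exc))  # no Basic challenge here
    # No credentials at all: RFC 6749 permits a 401 with a challenge.
    return None, error_response(401, "client authentication required", CHALLENGE)

# Constructed sample registry: client_id -> (salt, PBKDF2 hash of the secret).
SAMPLE_SALT = b"constructed-salt"
SAMPLE_CLIENTS = {"demo-app": (SAMPLE_SALT, secret_hash("correct-secret", SAMPLE_SALT))}
```
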