Security is the reason Domino Server require all ID files to recertify once every 2 years (that is the default, can be changed manually).
When the expiration date get close Domino is kind enough to notify the user and there is your problem...
Typically there are 3 groups of users:
Some users will actually read the message that ask them to forward it to an administrator (a one click action).
Most of them will call you and ask why they received the message.
The problem is with the other group, those who ignore it. This group cause problems since they will show up one morning (as one of my dearest users did this morning) and will be locked out of Notes with this error on screen
Server Error: Your certificate has expiredWhen you have such a user you have to use the Administrator console using this procedure: How to manually recertify an expired ID.
Now don't get me wrong. It is not that complicated and I'm not complaining but it does involve an extra step: Physically access the users client to import the new recertified ID file. While in a small shop it is not that bad, in a larger environment it is a huge pain.
How to avoid it? Educate your users, explain about this certification and hope they'll remember next time and hope they leave before the renewal date because most chances are they will not remember.