diff --git a/usr/local/sbin/check-certs b/usr/local/sbin/check-certs
new file mode 100644
index 0000000000000000000000000000000000000000..ea80b2462b7d26fbcec488456496474d48f8bc54
--- /dev/null
+++ b/usr/local/sbin/check-certs
@@ -0,0 +1,79 @@
+#!/bin/bash
+
+# DEFAULTS
+WarnDays=60
+CritDays=30
+workdir=/usr/local/cert
+searchfile=cert.pem
+ec=0
+tmpfile=$( mktemp )
+
+function usage {
+ echo >&2
+ echo "$0 [-w <days>] [-c <days>] [-d <dir>] [-f <filename>]" >&2
+ echo >&2
+ echo "checks if enddate of certificates in location are critical." >&2
+ echo >&2
+ echo "Usage:" >&2
+ echo " -w <days> day threshold for status WARNING (exitcode=1)" >&2
+ echo " DEFAULT:$WarnDays" >&2
+ echo " -c <days> day threshold for status CRITICAL (exitcode=2)" >&2
+ echo " DEFAULT:$CritDays" >&2
+ echo " -d <dir> working directory with subdirs" >&2
+ echo " DEFAULT:$workdir" >&2
+ echo " -f <filename> filename to find" >&2
+ echo " DEFAULT:$searchfile" >&2
+ echo >&2
+ exit 3
+}
+
+# OPTIONS
+while getopts "?w:c:d:n:" opt
+do
+ case $opt in
+ w)
+ WarnDays=$OPTARG
+ ;;
+ c)
+ CritDays=$OPTARG
+ ;;
+ d)
+ workdir=$OPTARG
+ ;;
+ f)
+ searchfile=$OPTARG
+ ;;
+ \?)
+ usage
+ ;;
+ esac
+done
+
+# TABLE HEADER OUTPUT
+echo -e "enddate\t\tdays\tstatus\tfile"
+
+# WORKING CHECKS
+(
+for cert in $( find $workdir -name $searchfile )
+do
+ enddate=$(date -d "$(openssl x509 -in $cert -enddate -nocert | sed 's/notAfter=//g')" +%F)
+ let datediff=($(date -d$enddate +%s)-$(date +%s))/86400
+ if [ $datediff -gt $WarnDays ]
+ then
+ status="[OK]"
+ elif [ $datediff -gt $CritDays ]
+ then
+ status="[WARN]"
+ [ $ec -lt 1 ] && ec=1
+ else
+ status="[CRIT]"
+ [ $ec -lt 2 ] && ec=2
+ fi
+ echo -e "$enddate\t$datediff\t$status\t$cert"
+done
+echo $ec > $tmpfile
+) | sort
+
+ec=$( cat $tmpfile )
+rm $tmpfile
+exit $ec
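Review bot: The option string `"?w:c:d:n:"` declares `-n`, but the `case` handles `f)`, so the documented `-f <filename>` option is rejected and falls through to `usage`; it should read `while getopts "?w:c:d:f:" opt`. The script also exits 0 when `find` matches nothing (a wrong `-d`, an unreadable directory or a renamed file), which a monitoring system would read as every certificate being healthy. Counting the files processed and exiting non-zero when the count is zero, for example with the 3 that `usage` already uses, would close that gap. `$workdir`, `$searchfile` and `$cert` are expanded unquoted in the `find` loop and the `openssl` call, so paths containing spaces or glob characters are split or expanded; quoting them and reading the `find` output line by line avoids that. The values given to `-w` and `-c` reach `[ ... -gt ... ]` without being checked as integers, so a non-numeric threshold makes both comparisons fail and every certificate is reported as `[CRIT]`.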