diff --git a/checkmk/custom-files/local/monitor-certificates b/checkmk/custom-files/local/monitor-certificates
new file mode 100644
index 0000000000000000000000000000000000000000..7e9be91448a2613ebdf3ae1bd8494eb26c573db2
--- /dev/null
+++ b/checkmk/custom-files/local/monitor-certificates
@@ -0,0 +1,55 @@
+#!/bin/bash
+
+# We need current time+date to check for remaining time on certificates
+NOW=$(date +%s)
+
+# WARN if less than this amount of days is left on the certificate
+CONFIG_WARN_DAYS_LEFT=30
+
+# CRIT if less than this amount of days is left on the certificate
+CONFIG_CRIT_DAYS_LEFT=14
+
+# List of folders to process *.pem files in
+# Example: CONFIG_CHECK_FOLDERS=( "/a/b/c" "/d/e/f" "/foo/bar/baz" )
+CONFIG_CHECK_FOLDERS=( "/etc/hsh-certs" )
+
+function process_folder {
+    folder="$1"
+    if [[ "" == "$folder" || ! -d "$folder" ]]; then
+        return
+    fi
+    echo "$folder"
+    pemfiles=$(find "$folder" -type f -name '*.pem')
+    for pemfile in $pemfiles; do
+        if [[ "$pemfile" =~ \.(dhparam|chain|cacert)\.pem$ ]]; then
+            continue;
+        fi
+        pem_subject=$(openssl x509 -in "$pemfile" -noout -text 2>&1 | grep 'Subject:' | tr -s ' ' | cut -d ' ' -f 3-)
+        pem_cn=$(echo $pem_subject | rev | cut -d ' ' -f 1 | rev)
+        pem_expire_date=$(openssl x509 -in "$pemfile" -noout -text 2>&1 | grep 'Not After' | tr -s ' ' | cut -d ' ' -f 5-)
+        pem_expire_timestamp=$(date -d "$pem_expire_date" +%s)
+        pem_remaining_seconds=$(($pem_expire_timestamp - $NOW))
+        pem_remaining_days=$(($pem_remaining_seconds / 86400))
+        pem_status=""
+        checkmk_status="3"
+        if [[ $pem_remaining_days -lt 1 ]]; then
+            pem_status="EXPIRED"
+            checkmk_status="2"
+        else
+            pem_status="$pem_remaining_days days remaining"
+            # Default is OK, gets overridden by WARN, then by CRIT
+            checkmk_status="0"
+            if [[ $pem_remaining_days -le CONFIG_WARN_DAYS_LEFT ]]; then
+                checkmk_status="1"
+            fi
+            if [[ $pem_remaining_days -le CONFIG_CRIT_DAYS_LEFT ]]; then
+                checkmk_status="2"
+            fi
+        fi
+        echo "$checkmk_status Certificate $pem_cn - $pem_status ($pemfile)"
+    done
+}
+
+for folder in ${CONFIG_CHECK_FOLDERS[@]}; do
+    process_folder $folder
+done
diff --git a/checkmk/debian/monitor-certificates.sls b/checkmk/debian/monitor-certificates.sls
new file mode 100644
index 0000000000000000000000000000000000000000..bb4cd4b5ef7fef683b15903eb0b1119545ac7f96
--- /dev/null
+++ b/checkmk/debian/monitor-certificates.sls
@@ -0,0 +1,7 @@
+hsh_checkmk_monitor_certificates_plugin:
+  file.managed:
+    - name: /usr/lib/check_mk_agent/local/monitor-certificates
+    - source: salt://checkmk/custom-files/local/monitor-certificates
+    - mode: 755
+    - user: root
+    - group: root