We get caught out by expired VPN certs often. We should monitor that from Zabbix.

Should be easy enough to call "openssl x509 ..." on the client.crt file from the agent. Will probably trip over SELinux but otherwise it's easy enough. Not all hosts have VPN but we could use discovery for that perhaps, and then deploy it everywhere?