- Task
- Resolution: Unresolved
- Minor
The impetus for this comes from ENTMQST-2632.
The idea is to expose a metric in the broker for each certificate's notAfter time (literally the notAfter of the cert expressed as the number of seconds since the epoch).
Certs are reconfigurable, so they could change during runtime. The idea is that once that metric is consumed by something like Prometheus (using e.g. a Prometheus time query) users could set an alert to know when their certs will expire.
We could do this in a metric reporter too, but it would be a nice feature for Kafka itself.
It might be a little more complicated than this, since it would be nice to validate the whole cert chain, not just the end-entity certificate, but Java has APIs for that.
The above will require a KIP.
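
A sketch of the gauge value described above, added here as an example and not taken from Kafka or from any KIP: for each keystore alias it reports the earliest notAfter across the whole chain, in seconds since the epoch. The class name, the metric name and the fallback to the JDK's bundled trust store are assumptions made for the illustration.

```java
import java.io.File;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Map;
import java.util.TreeMap;

public class CertExpiryGauge {

    // Earliest notAfter in the chain, in seconds since the epoch: the chain stops
    // validating as soon as any one certificate in it expires.
    static long earliestNotAfterEpochSeconds(Certificate[] chain) {
        long earliest = Long.MAX_VALUE;
        for (Certificate c : chain) {
            if (c instanceof X509Certificate) {
                long notAfter = ((X509Certificate) c).getNotAfter().getTime() / 1000L;
                earliest = Math.min(earliest, notAfter);
            }
        }
        return earliest;
    }

    // One gauge value per alias. Call again after a dynamic reconfiguration,
    // because the certificates can change at runtime.
    static Map<String, Long> gauges(KeyStore ks) throws Exception {
        Map<String, Long> out = new TreeMap<>();
        for (String alias : Collections.list(ks.aliases())) {
            Certificate[] chain = ks.getCertificateChain(alias);    // private-key entries
            if (chain == null) {                                    // trusted-cert entries
                Certificate single = ks.getCertificate(alias);
                chain = single == null ? new Certificate[0] : new Certificate[] { single };
            }
            long value = earliestNotAfterEpochSeconds(chain);
            if (value != Long.MAX_VALUE) out.put(alias, value);     // skip non-X.509 entries
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Usage: java CertExpiryGauge.java [keystore] [password]
        // Assumption: with no arguments, read the JDK 9+ bundled trust store with its stock password.
        File f = new File(args.length > 0 ? args[0] : System.getProperty("java.home") + "/lib/security/cacerts");
        char[] pw = (args.length > 1 ? args[1] : "changeit").toCharArray();
        KeyStore ks = KeyStore.getInstance(f, pw);                  // detects JKS or PKCS12
        // Hypothetical metric name, printed in the Prometheus text exposition format.
        gauges(ks).forEach((alias, v) ->
            System.out.printf("kafka_ssl_cert_not_after_seconds{alias=\"%s\"} %d%n", alias, v));
    }
}
```

This reads validity periods only; checking that the chain actually builds to a trust anchor would go through `java.security.cert.CertPathValidator`.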