To warn me before certificates expire I wrote this little script. I hope this might be useful to someone.
If anyone knows of a more elegant method — preferably one already implemented in OPNsense itself — please let me know.
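#!/bin/sh
# Mail a warning when the certificate in /var/etc/cert.pem on one of the
# listed servers expires during the next calendar month, or when that
# certificate could not be read at all. Requires GNU date (--date) on the
# machine that runs the script.

# Email recipient of the warning emails.
recp=root
# List of servers (space-separated; a host name must not contain whitespace).
servers="firewall01 firewall02 firewall03"

# grep pattern for the expiry line, e.g. "Feb.*2025". The offset is taken
# from the 15th of the current month: GNU date resolves a one-month offset
# from the 29th-31st by overflowing into the month after, which would make
# the check skip a whole month.
anchor=$(TZ=GMT date '+%Y-%m-15')
nextmonth=$(TZ=GMT LC_TIME=C date --date="$anchor +1 month" '+%b.*%Y')
if [ -z "$nextmonth" ]; then
  # An empty pattern would match every certificate, so stop instead.
  echo "cannot compute next month's pattern; GNU date is required" >&2
  exit 1
fi

# $servers is deliberately unquoted: word splitting yields one host per pass.
for server in $servers; do
  # BatchMode makes an unattended run fail instead of waiting for a password
  # prompt; ConnectTimeout bounds the wait for an unreachable host.
  # NOTE(review): this logs in as root only to read a public certificate.
  # Consider a dedicated key limited to this one command (command="..." in
  # authorized_keys) or an unprivileged account that can read the file.
  if ! exp=$(ssh -o BatchMode=yes -o ConnectTimeout=10 "root@$server" \
      openssl x509 -in /var/etc/cert.pem -noout -enddate) || [ -z "$exp" ]; then
    # A check that cannot run must not look like a healthy certificate.
    msg="could not check ${server}'s certificate, go look at that"
    printf '%s\n' "$msg" | mail -s "$msg" "$recp"
    continue
  fi

  # NOTE(review): only "expires next month" is matched. A certificate that
  # expires later this month or has already expired is not reported;
  # `openssl x509 -checkend SECONDS` would cover those cases.
  if printf '%s\n' "$exp" | grep -q -- "$nextmonth"; then
    msg="${server}'s certificate is about to expire, go fix that ASAP"
    printf '%s\n' "$msg" | mail -s "$msg" "$recp"
  fi
done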