diff --git a/group_vars/metricspi/alerts.yml b/group_vars/metricspi/alerts.yml
index 03b253c..7c34c5c 100644
--- a/group_vars/metricspi/alerts.yml
+++ b/group_vars/metricspi/alerts.yml
@@ -66,3 +66,26 @@ vmalert_rules:
           something happens to the active disk, such as hardware failure, power
           surge, fire, or accidental `rm -rf`, the offline disk is only out of
           date by a few weeks.
+
+  - name: certificates
+    rules:
+    - alert: certificate will expire soon
+      expr:
+        probe_ssl_last_chain_expiry_timestamp_seconds - time() < 29 * 86400
+      annotations:
+        summary: A certificate will expire in less than 29 days
+        description: >-
+          Generally, certificates are renewed automatically, approximately 30
+          days before their expiration (NotAfter) date.  There may be a problem
+          with the certificate renewal process that prevented this certificate
+          from being renewed.
+    - alert: certificate will expire very soon
+      expr:
+        probe_ssl_last_chain_expiry_timestamp_seconds - time() < 14 * 86400
+      annotations:
+        summary: A certificate will expire in less than 14 days
+        description: >-
+          Generally, certificates are renewed automatically, approximately 30
+          days before their expiration (NotAfter) date.  There is most likely a
+          problem with the certificate renewal process that prevented this
+          certificate from being renewed.