diff --git a/playbooks/groups/proxies.yml b/playbooks/groups/proxies.yml
index c835ad5cfa..20cf8f9b29 100644
--- a/playbooks/groups/proxies.yml
+++ b/playbooks/groups/proxies.yml
@@ -27,6 +27,7 @@
 - rkhunter
 - nagios_client
 - zabbix/zabbix_agent
+ - { role: zabbix/sslchecks, tags: zabbix_api }
 - collectd/base
 - sudo
 - rsyncd
diff --git a/roles/zabbix/sslchecks/sslcheck.yml b/roles/zabbix/sslchecks/sslcheck.yml
new file mode 100644
index 0000000000..93d6e1b43f
--- /dev/null
+++ b/roles/zabbix/sslchecks/sslcheck.yml
@@ -0,0 +1,74 @@
+---
+- name: Zabbix API Block
+ vars:
+ ansible_zabbix_auth_key: "{{ zabbix_auth_key }}"
+ ansible_network_os: "{{ zabbix_network_os }}"
+ ansible_connection: "{{ zabbix_connection }}"
+ ansible_httpapi_port: "{{ zabbix_httpapi_port }}"
+ ansible_httpapi_use_ssl: "{{ zabbix_httpapi_use_ssl }}"
+ ansible_httpapi_validate_certs: "{{ zabbix_httpapi_validate_certs }}"
+ ansible_host: "{{ zabbix_server }}"
+ ansible_zabbix_url_path: "{{ zabbix_url_path }}"
+ tags:
+ - zabbix_agent
+ - zabbix_api
+ - pagure
+ block:
+ - name: Create {{ item.name }} cert age item
+ community.zabbix.zabbix_item:
+ name: "{{ item.name }} SSL Certificate time remaining"
+ host_name: "{{ inventory_hostname }}"
+ params:
+ type: external_check
+ key: "zext_ssl_cert.sh[{{ item.cert }},443]"
+ value_type: numeric_unsigned
+ units: 'days'
+ timeout: '10s'
+ interval: '12h'
+ tags:
+ - tag: application
+ value: pagure
+ - tag: component
+ value: ssl
+
+ - name: Create {{ item.name }} 30day trigger
+ community.zabbix.zabbix_trigger:
+ name: "{{ item.name }} SSL Certificate expires in 30d"
+ host_name: "{{ inventory_hostname }}"
+ params:
+ severity: average
+ expression: "last(/{{ inventory_hostname }}/zext_ssl_cert.sh[{{ item.cert }},443])<30"
+ comments: "Time to renew this certificate"
+ enabled: true
+ manual_close: true
+ tags:
+ - tag: scope
+ value: availability
+
+ - name: Create {{ item.name }} 7day trigger
+ community.zabbix.zabbix_trigger:
+ name: "{{ item.name }} SSL Certificate expires in 7d"
+ host_name: "{{ inventory_hostname }}"
+ params:
+ severity: high
+ expression: "last(/{{ inventory_hostname }}/zext_ssl_cert.sh[{{ item.cert }},443])<7"
+ comments: "Renew this certificate urgently"
+ enabled: true
+ manual_close: true
+ tags:
+ - tag: scope
+ value: availability
+
+ - name: Create {{ item.name }} 0day trigger
+ community.zabbix.zabbix_trigger:
+ name: "{{ item.name }} SSL Certificate expired!"
+ host_name: "{{ inventory_hostname }}"
+ params:
+ severity: disaster
+ expression: "last(/{{ inventory_hostname }}/zext_ssl_cert.sh[{{ item.cert }},443])<1"
+ comments: "Renew this certificate now!"
+ enabled: true
+ manual_close: true
+ tags:
+ - tag: scope
+ value: availability
diff --git a/roles/zabbix/sslchecks/tasks/main.yml b/roles/zabbix/sslchecks/tasks/main.yml
new file mode 100644
index 0000000000..29768e6f0a
--- /dev/null
+++ b/roles/zabbix/sslchecks/tasks/main.yml
@@ -0,0 +1,25 @@
+---
+- name: Create SSL checks for other hosts
+ include_tasks: sslcheck.yml
+ loop:
+ - { name: '*.fedorapeople.org', cert: 'fedorapeople.org' }
+ - { name: '*.fedoraproject.org', cert: 'fedoraproject.org' }
+ - { name: '*.apps.ocp.fedoraproject.org', cert: 'console-openshift-console.apps.ocp.fedoraproject.org' }
+ - { name: 'api.ocp.fedoraproject.org', cert: 'api.ocp.fedoraproject.org' }
+ - { name: 'raw-updates.coreos.fedoraproject.org', cert: 'raw-updates.coreos.fedoraproject.org' }
+ - { name: 'status.raw-updates.coreos.fedoraproject.org', cert: 'status.raw-updates.coreos.fedoraproject.org' }
+ - { name: 'status.updates.coreos.fedoraproject.org', cert: 'status.updates.coreos.fedoraproject.org' }
+ - { name: 'updates.coreos.fedoraproject.org', cert: 'updates.coreos.fedoraproject.org' }
+ - { name: 'whatcanidoforfedora.org', cert: 'whatcanidoforfedora.org' }
+ tags:
+ - zabbix_api
+ when: inventory_hostname == 'proxy01.rdu3.fedoraproject.org'
+
+- name: Create SSL checks for other stg hosts
+ include_tasks: sslcheck.yml
+ loop:
+ - { name: '*.apps.ocp.stg.fedoraproject.org', cert: 'console-openshift-console.apps.ocp.stg.fedoraproject.org' }
+ - { name: 'api.ocp.stg.fedoraproject.org', cert: 'api.ocp.stg.fedoraproject.org' }
+ tags:
+ - zabbix_api
+ when: inventory_hostname == 'proxy01.stg.rdu3.fedoraproject.org'
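Review bot: All three triggers in sslcheck.yml depend on `last()` of an unsigned item, so whenever the external check stops producing a value — a script failure, a run exceeding the `10s` timeout, or a negative day count after expiry if `zext_ssl_cert.sh` reports one (check the script) — the item goes unsupported and none of them fire, including the `expired!` disaster trigger; that silent state is the one most worth alerting on. A fourth trigger such as `expression: "nodata(/{{ inventory_hostname }}/zext_ssl_cert.sh[{{ item.cert }},443],2d)=1"` would make a stalled check visible, and if the script can emit negative values `value_type: numeric_unsigned` should become a signed type so the "expired" threshold is actually reachable. The block tags (`zabbix_agent`, `pagure`) and the item tag `application: pagure` look carried over from another role: with `zabbix_agent` on the block, a `--tags zabbix_agent` run against the proxies will also talk to the Zabbix API, which is presumably not intended, so keeping only `zabbix_api` there and an application tag naming the proxies would keep agent and API runs separate.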
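Review bot: `include_tasks: sslcheck.yml` is resolved against the role's `tasks/` directory first, but the new file is added at `roles/zabbix/sslchecks/sslcheck.yml` (role root) rather than `roles/zabbix/sslchecks/tasks/sslcheck.yml`, so it is only found through the later role-root entry of Ansible's search path; moving it under `tasks/` follows convention and avoids relying on that fallback. The `when` clauses pin every certificate check to two literal hostnames, so renaming or replacing proxy01 drops all monitoring with no error — comparing `inventory_hostname` against a group or role variable (a name like `zabbix_sslcheck_host`, illustrative) would make that single point of failure explicit and greppable. Several loop entries run well past 120 columns; writing each as a two-line block mapping (`- name: '...'` then `cert: '...'`) would satisfy yamllint and diff more cleanly when hosts are added.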