[NEW] Add certificate expiration tracking (in days/hours) #2784
Description
The problem/use-case that the feature addresses
Valkey currently doesn’t expose TLS certificate expiration time. Once a certificate expires, clients lose connectivity and outages can occur without early warning.
-
Certificate expiration is checked automatically, but there’s no proactive monitoring or notification.
-
Administrators have no way to see when client certificates will expire until connections start failing.
-
There are no built-in commands to expose certificate expiration information.
Having visibility into expiration in days/hours would allow operators to alert and renew certificates proactively.
We’ve already seen a real customer case where this visibility could have prevented an incident.
Description of the feature
Expose certificate expiration information in days and hours.
Optionally, emit warnings or metrics when approaching configurable thresholds (e.g., 7 days, 24 hours).
This enables monitoring systems to trigger alerts before expiry impacts users.
Alternatives you've considered
-
Client-side checks: Not all client libraries expose certificate metadata; inconsistent and hard to scale.
-
External scripts/tools: Adds maintenance overhead and lacks integration with Valkey’s internal metrics.
-
Manual tracking: Error-prone and not tied to the live deployment state.
Additional information
This feature improves operability and reliability by enabling early detection of expiring certificates.
It complements existing metrics for verification failures or expired cert errors, shifting monitoring from reactive to proactive.
If this proposal is approved, I’m happy to proceed with the implementation and contribute the initial version.