The new web.certificate.get item key supports a lot of options to gather information from certificates, such as SNI etc.

BUT: it does not support monitoring certificates through a connection that requires STARTLS to initiate the encrypted connection, such as some email servers which listen only on port 25 (or an unencrypted submission port) and require to initiate the certificate handshake from client side with the STARTTLS command.

Nagios' monitoring_plugins plugin "check_ssl_certificate" offers such an option:

-a <add> add the text to the openssl line, used for checking the smtp ssl certificate with starttls ("-a '-starttls smtp'")

This way, you can monitor the certificate from a STARTTLS enabled SMTP-server like this, for example:

/opt/plugins/custom/check_ssl_certificate -H 1.2.3.4 -p 25 -a "-starttls smtp" -v -w 90 -c 30 Result code: WARNING check_ssl_certificates: WARNING - only 76 day(s) left for *.my-company.com[1.2.3.4].

Would be very useful to have this functionality also in Zabbix.