diff --git a/roles/nagios_client/tasks/main.yml b/roles/nagios_client/tasks/main.yml
index 6da867d13e..29d0cd7603 100644
--- a/roles/nagios_client/tasks/main.yml
+++ b/roles/nagios_client/tasks/main.yml
@@ -49,6 +49,7 @@
 - check_ipa_replication
 - check_redis_queue.sh
 - check_timestamp_from_file
+ - check_crl_next_update
 when: not inventory_hostname.startswith('noc')
 tags:
 - nagios_client
@@ -239,6 +240,22 @@
 tags:
 - nagios_client
 
+- name: install CRL check for bastions
+ when: inventory_hostname.startswith('bastion')
+ tags:
+ - nagios_client
+ block:
+ - name: Install the nrpe template
+ template: src=check_crl_next_update.cfg.j2 dest=/etc/nrpe.d/check_crl_next_update.cfg owner=root group=root mode=0644
+ notify:
+ - restart nrpe
+
+ - name: Set facls so nrpe can check the crl (dir)
+ acl: default=no etype=user entity=nrpe permissions="rx" name=/etc/openvpn/server state=present
+
+ - name: Set facls so nrpe can check the crl (file)
+ acl: default=no etype=user entity=nrpe permissions="r" name=/etc/openvpn/server/crl.pem state=present
+
 - name: install nrpe config for the RabbitMQ checks
 template:
 src: "rabbitmq_args.ini.j2"
diff --git a/roles/nagios_client/templates/check_crl_next_update.cfg.j2 b/roles/nagios_client/templates/check_crl_next_update.cfg.j2
new file mode 100644
index 0000000000..6d5c434eff
--- /dev/null
+++ b/roles/nagios_client/templates/check_crl_next_update.cfg.j2
@@ -0,0 +1,4 @@
+# Alert if CRL expires soon.
+# Usage is: /path/to/crl.pem
+# So here we warn at 7 days, crit at 2
+command[check_crl_next_update]={{ libdir }}/nagios/plugins/check_crl_next_update /etc/openvpn/server/crl.pem 7 2
diff --git a/roles/nagios_server/files/nagios/services/vpn_server.cfg b/roles/nagios_server/files/nagios/services/vpn_server.cfg
new file mode 100644
index 0000000000..4edfddf944
--- /dev/null
+++ b/roles/nagios_server/files/nagios/services/vpn_server.cfg
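Review bot: The directory ACL in the new block grants nrpe `rx` on /etc/openvpn/server, but the check only needs to traverse that directory to a path it already knows; search permission alone is enough, and the extra `r` lets nrpe list whatever else is kept beside the CRL. Tighten it to `acl: default=no etype=user entity=nrpe permissions="x" name=/etc/openvpn/server state=present`. The file ACL is attached to the current inode of crl.pem, so if whatever regenerates the CRL writes a new file instead of rewriting in place, the entry is lost and the check will start failing with permission denied — worth a comment on that task, e.g. `# ACL is per-inode: a CRL renewal that replaces the file drops it (do not switch to a default ACL, that would expose every new file in the dir)`. Stylistically the neighbouring RabbitMQ task uses block-YAML module args (`template:` / `src:`), so the `template:` and `acl:` lines here would be more consistent as `src:`/`dest:`/`mode: "0644"` keys rather than key=value strings.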
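Review bot: The usage comment on the new template is incomplete: the command is invoked with three arguments but the comment only documents the path, so anyone tuning thresholds has to guess the argument order. Change it to `# Usage is: /path/to/crl.pem <warn_days> <crit_days>` so the trailing `7 2` on the command line is self-explanatory. The CRL path is also hard-coded here and repeated in the two acl tasks of roles/nagios_client/tasks/main.yml; a single role variable would keep the nrpe command and the ACLs from drifting apart. The command takes no `$ARG1$`, so it is correctly usable without dont_blame_nrpe.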
@@ -0,0 +1,6 @@
+define service {
+ hostgroup bastion
+ service_description openvpn CRL expiry
+ check_command check_by_nrpe!check_crl_next_update
+ use defaulttemplate
+}
diff --git a/roles/nagios_server/tasks/main.yml b/roles/nagios_server/tasks/main.yml
index 4d975da4ef..81f9f7ce30 100644
--- a/roles/nagios_server/tasks/main.yml
+++ b/roles/nagios_server/tasks/main.yml
@@ -238,6 +238,7 @@
 - templates.cfg
 - unbound.cfg
 - vpnclients.cfg
+ - vpn_server.cfg
 tags:
 - nagios_config
 - nagios_server
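Review bot: The new service definition gives no hint of what "expiry" means operationally; the warn/crit thresholds live only in the client-side nrpe command, which an on-call reader of this file cannot see. Add a comment above `define service {` such as `# thresholds (warn 7d / crit 2d before nextUpdate) are set client-side in nrpe.d/check_crl_next_update.cfg` so the alert can be interpreted without chasing the other role. The service is bound to `hostgroup bastion` while the nrpe command is only deployed where the inventory hostname starts with "bastion"; if those two sets differ, the extra hosts will report the command as undefined — presumably they match, but worth confirming.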