diff --git a/prober/http.go b/prober/http.go
index 3d649b5a..c0658ab9 100644
--- a/prober/http.go
+++ b/prober/http.go
@@ -225,6 +225,10 @@ func ProbeHTTP(ctx context.Context, target string, module config.Module, registr
 Name: "probe_ssl_earliest_cert_expiry",
 Help: "Returns earliest SSL cert expiry in unixtime",
 })
+ probeSSLLastCertExpiry = prometheus.NewGauge(prometheus.GaugeOpts{
+ Name: "probe_ssl_last_cert_expiry",
+ Help: "Returns last SSL cert expiry date",
+ })
 probeHTTPVersionGauge = prometheus.NewGauge(prometheus.GaugeOpts{
 Name: "probe_http_version",
@@ -490,7 +494,9 @@ func ProbeHTTP(ctx context.Context, target string, module config.Module, registr
 if resp.TLS != nil {
 isSSLGauge.Set(float64(1))
 registry.MustRegister(probeSSLEarliestCertExpiryGauge)
+ registry.MustRegister(probeSSLLastCertExpiry)
 probeSSLEarliestCertExpiryGauge.Set(float64(getEarliestCertExpiry(resp.TLS).Unix()))
+ probeSSLLastCertExpiry.Set(float64(getLastCertExpiry(resp.TLS).Unix()))
 if httpConfig.FailIfSSL {
 level.Error(logger).Log("msg", "Final request was over SSL")
 success = false
diff --git a/prober/tcp.go b/prober/tcp.go
index e4976256..35f1d1ee 100644
--- a/prober/tcp.go
+++ b/prober/tcp.go
@@ -94,6 +94,10 @@ func ProbeTCP(ctx context.Context, target string, module config.Module, registry
 Name: "probe_ssl_earliest_cert_expiry",
 Help: "Returns earliest SSL cert expiry date",
 })
+ probeSSLLastCertExpiry := prometheus.NewGauge(prometheus.GaugeOpts{
+ Name: "probe_ssl_last_cert_expiry",
+ Help: "Returns last SSL cert expiry date",
+ })
 probeFailedDueToRegex := prometheus.NewGauge(prometheus.GaugeOpts{
 Name: "probe_failed_due_to_regex",
 Help: "Indicates if probe failed due to regex",
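Review bot: The Help text on the new gauge in the prober/http.go hunk at -225,6, `"Returns last SSL cert expiry date"`, names neither the certificate it reports nor the unit, while the gauge just above it says "in unixtime". Going by the helper added in prober/tls.go, the value is the NotAfter of `PeerCertificates[0]`, which is the certificate the peer sent first (the leaf), not the latest expiry in the chain; I would write `Help: "Returns the expiry of the leaf certificate presented by the peer, in unixtime",` so an alert author knows which of the two expiry metrics to use. The same Help string is added in the prober/tcp.go hunk at -94,6. The variable also lacks the `Gauge` suffix its neighbours `probeSSLEarliestCertExpiryGauge` and `probeHTTPVersionGauge` carry. ProbeHTTP starts and ends outside the hunk.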
@@ -119,7 +123,9 @@ func ProbeTCP(ctx context.Context, target string, module config.Module, registry
 if module.TCP.TLS {
 state := conn.(*tls.Conn).ConnectionState()
 registry.MustRegister(probeSSLEarliestCertExpiry)
+ registry.MustRegister(probeSSLLastCertExpiry)
 probeSSLEarliestCertExpiry.Set(float64(getEarliestCertExpiry(&state).Unix()))
+ probeSSLLastCertExpiry.Set(float64(getLastCertExpiry(&state).Unix()))
 }
 scanner := bufio.NewScanner(conn)
 for i, qr := range module.TCP.QueryResponse {
@@ -187,7 +193,9 @@ func ProbeTCP(ctx context.Context, target string, module config.Module, registry
 // Get certificate expiry.
 state := tlsConn.ConnectionState()
 registry.MustRegister(probeSSLEarliestCertExpiry)
+ registry.MustRegister(probeSSLLastCertExpiry)
 probeSSLEarliestCertExpiry.Set(float64(getEarliestCertExpiry(&state).Unix()))
+ probeSSLLastCertExpiry.Set(float64(getLastCertExpiry(&state).Unix()))
 }
 }
 return true
diff --git a/prober/tcp_test.go b/prober/tcp_test.go
index 9bcc714a..7bca4d19 100644
--- a/prober/tcp_test.go
+++ b/prober/tcp_test.go
@@ -175,6 +175,7 @@ func TestTCPConnectionWithTLS(t *testing.T) {
 }
 expectedResults := map[string]float64{
 "probe_ssl_earliest_cert_expiry": float64(certExpiry.Unix()),
+ "probe_ssl_last_cert_expiry": float64(certExpiry.Unix()),
 }
 checkRegistryResults(expectedResults, mfs, t)
 }
@@ -288,6 +289,7 @@ func TestTCPConnectionQueryResponseStartTLS(t *testing.T) {
 }
 expectedResults := map[string]float64{
 "probe_ssl_earliest_cert_expiry": float64(certExpiry.Unix()),
+ "probe_ssl_last_cert_expiry": float64(certExpiry.Unix()),
 }
 checkRegistryResults(expectedResults, mfs, t)
 }
diff --git a/prober/tls.go b/prober/tls.go
index ea21dd15..607c5a72 100644
--- a/prober/tls.go
+++ b/prober/tls.go
@@ -27,3 +27,6 @@ func getEarliestCertExpiry(state *tls.ConnectionState) time.Time {
 }
 return earliest
 }
+func getLastCertExpiry(state *tls.ConnectionState) time.Time {
+ return state.PeerCertificates[0].NotAfter
+}
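Review bot: In the prober/tcp_test.go hunk at -175,6 the expected value for `probe_ssl_last_cert_expiry` is the same `certExpiry.Unix()` as for the earliest-expiry gauge, so the assertion would still pass if the new gauge were fed from `getEarliestCertExpiry`. The test server presumably presents a single certificate, in which case the two metrics cannot differ. A direct unit test of `getLastCertExpiry` over a hand-built `tls.ConnectionState` whose second certificate expires before the first would pin the new metric to the leaf's NotAfter. The hunk at -288,6 in TestTCPConnectionQueryResponseStartTLS has the same limitation.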
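Review bot: `getLastCertExpiry` in the prober/tls.go hunk indexes `state.PeerCertificates[0]` without checking the length, so a ConnectionState that carries no peer certificates panics the probe instead of failing it. A guard as the first statement, `if len(state.PeerCertificates) == 0 { return time.Time{} }`, keeps the helper safe for every caller; it is called from ProbeHTTP and from both TLS paths in ProbeTCP in this commit. Whether an empty slice can reach those call sites is not visible here, so this is a defensive check rather than a demonstrated crash. The function also needs a doc comment saying what "last" means, e.g. `// getLastCertExpiry returns NotAfter of the first certificate the peer presented (the leaf); it ignores the rest of the chain.`, and a blank line separating it from getEarliestCertExpiry.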