diff --git a/roles/ocserv/files/notify-expiring-certs b/roles/ocserv/files/notify-expiring-certs
new file mode 100644
index 0000000..2b8f4f3
--- /dev/null
+++ b/roles/ocserv/files/notify-expiring-certs
@@ -0,0 +1,46 @@
+#!/bin/sh
+
+set -e
+
+for cert in /var/lib/ocserv/certs/*.crt ; do
+        # get email
+        email="$(openssl x509 -noout -email -in "${cert}")"
+        if [ -z "${email}" ] ; then
+                # if emailAddress is not specified in certificate, assume CN is the email
+                email="$(openssl x509 -noout -subject -in "${cert}" | sed 's/^.* CN = \([^,]*\).*$/\1/')"
+        fi
+        if [ -z "${email}" ] ; then
+                # bail if we still don’t have an email to send to
+                continue
+        fi
+
+        # get number of days the certificate will remain valid for
+        end="$(openssl x509 -noout -dateopt iso_8601 -enddate -in "${cert}" | cut -d '=' -f 2)"
+        validity="$(( ($(date -d "${end}" +%s) - $(date +%s)) / 86400 ))"
+
+        # send notice 14 and 7 days before expiry
+        if [ "${validity}" -eq 14 ] || [ "${validity}" -eq 7 ] ; then
+                /usr/sbin/sendmail -t <<EOF
+To: ${email}
+Bcc: root
+Date: $(date -R)
+Subject: Potek certifikata za FRI VPN
+
+Spoštovani,
+
+čez ${validity} dni bo potekel FRI VPN certifikat za ${email}. Če dostop še potrebujete, kontaktirajte RC FRI za podaljšanje.
+
+Lep pozdrav,
+RC FRI
+
+///
+
+Hello,
+
+in ${validity} days the FRI VPN certificate for ${email} will expire. If you still need access, contact RC FRI for renewal.
+
+Best regards,
+RC FRI
+EOF
+        fi
+done
diff --git a/roles/ocserv/meta/main.yml b/roles/ocserv/meta/main.yml
index 69891c7..0105428 100644
--- a/roles/ocserv/meta/main.yml
+++ b/roles/ocserv/meta/main.yml
@@ -1,2 +1,3 @@
 dependencies:
-  - role: nginx
+  - role: nginx # for certificate renewal
+  - role: opensmtpd # for certificate expiry notifications
diff --git a/roles/ocserv/tasks/main.yml b/roles/ocserv/tasks/main.yml
index 17ed134..84bf8a8 100644
--- a/roles/ocserv/tasks/main.yml
+++ b/roles/ocserv/tasks/main.yml
@@ -1,6 +1,7 @@
 - name: Install packages
   package:
     name:
+      - coreutils # for date
       - netmask # for ocserv-script
       - ocserv
     install_recommends: false # don’t install dnsmasq for whatever reason
@@ -34,13 +35,14 @@
     state: directory
     owner: ocserv
     group: ocserv
+    mode: "0700"
 
 # this script allows routing from the client to their networks on connection
 - name: Install ocserv firewall script
   copy:
     dest: /usr/local/bin/
     src: ocserv-script
-    mode: 755
+    mode: "0755"
 
 - name: Configure ocserv
   template:
@@ -64,7 +66,7 @@
   copy:
     dest: /etc/letsencrypt/renewal-hooks/deploy/
     src: reload-ocserv.sh
-    mode: 0755
+    mode: "0755"
 
 - name: Create ocserv service override directory
   file:
@@ -72,7 +74,7 @@
     state: directory
     owner: root
     group: root
-    mode: 0755
+    mode: "0755"
 
 - name: Set ocserv to start after network is online
   copy:
@@ -89,3 +91,17 @@
     value: 1
     sysctl_file: /etc/sysctl.d/99-local.conf
     sysctl_set: true
+
+- name: Install user certificate expiry notification script
+  copy:
+    dest: /usr/local/bin/
+    src: notify-expiring-certs
+    mode: "0755"
+
+- name: Schedule user certificate expiry notification script
+  cron:
+    name: "notify users with expiring certificates"
+    job: "/usr/local/bin/notify-expiring-certs"
+    user: ocserv
+    hour: "6"
+    minute: "26"