diff --git a/bin/ca-list-certs b/bin/ca-list-certs
new file mode 100755
index 0000000..ef309d9
--- /dev/null
+++ b/bin/ca-list-certs
@@ -0,0 +1,50 @@
+#!/bin/bash
+
+source $(dirname $(dirname $0))/../lib/ca-functions
+
+usage() {
+ cat <<__EOT__
+Usage: $PROGNAME [options] |
+
+Options:
+ -h, --help Print this helpful message!
+ -f, --config FILE Use config file instead of $CONFFILE
+ -t, --type TYPE Certificate type: "server" (default), "client" or "user"
+ -e, --expiring Show certificates that are expiring within 90 days
+
+__EOT__
+}
+
+short="hf:e"
+long="help,config:,expiring"
+opts=$( getopt -o "$short" -l "$long" -n "$PROGNAME" -- "$@" )
+if [ 0 -ne $? ]; then echo; usage; exit 1; fi
+eval set -- "$opts";
+
+while :; do
+ case "$1" in
+ -h|--help) usage; exit 0;;
+ -f|--config) shift; CONFFILE="$1"; CONFFILECLI=1; shift;;
+ -e|--expiring) shift; USER_EXPIRE="1"; shift;;
+ --) shift; break;;
+ *) echo "Unknown value '$1'"; exit 1;;
+ esac
+done
+
+# load up the configuration file
+ca_load_conf
+
+for group in ca server client user; do
+ case $group in
+ ca) echo "Certificate Authorities:";;
+ server) echo; echo "Server Certificates:";;
+ client) echo; echo "Client Certificates:";;
+ user) echo; echo "User Certificates:";;
+ esac
+
+ while read certFile; do
+ #echo "File: $certFile"
+ cert_info "$certFile"
+ done < <(find "$CA_HOME/crt/" -type f -name "*.${group}.crt")
+done
+
diff --git a/lib/ca-functions b/lib/ca-functions
index d0c9603..d29890e 100644
--- a/lib/ca-functions
+++ b/lib/ca-functions
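Review bot: The `-e|--expiring` arm shifts twice for an option that takes no argument, so once getopt has normalised the command line to `-e --` the second shift discards `--` and the loop falls into `Unknown value ''` and exits 1; it should read `-e|--expiring) USER_EXPIRE="1"; shift;;`. The usage text documents `-t, --type TYPE` but neither `short`/`long` nor the case arms accept it, and USER_EXPIRE is set but never consulted in this script (nor by cert_info in the lib/ca-functions hunk), so either implement both or drop them from the help text. Certificate file names under $CA_HOME are input the script does not control, and the bare `while read certFile` strips leading whitespace and backslashes and breaks on newlines; `find "$CA_HOME/crt/" -type f -name "*.${group}.crt" -print0` consumed by `while IFS= read -r -d '' certFile` handles every name. The `source $(dirname $(dirname $0))/../lib/ca-functions` line is unquoted and, for a script living in bin/, appears to resolve to a lib/ directory one level above the repository rather than the lib/ beside bin/ — confirm the intended install layout.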
@@ -268,3 +268,24 @@ ca_find_cnf() {
 fi
 fi
 }
+
+cert_info() {
+ local certFile="$1"
+ local certCN certIssuer certValid certExpire certCA certFilename
+
+ if [ -r "$certFile" ]; then
+ certFilename=$(basename "$certFile")
+ certCN="$(openssl x509 -in "$certFile" -noout -subject | sed -r 's|.*CN=(.*)|\1|; s|/[^/]*=.*$||')"
+ certIssuer="$(openssl x509 -in "$certFile" -noout -issuer | sed -r 's|.*CN=(.*)|\1|; s|/[^/]*=.*$||')"
+ certValid="$(openssl x509 -in "$certFile" -noout -startdate | sed -r 's|.*notBefore=(.*)|\1|;')"
+ certExpire="$(openssl x509 -in "$certFile" -noout -enddate | sed -r 's|.*notAfter=(.*)$|\1|;')"
+ if [ "$certCN" = "$certIssuer" ]; then
+ echo "$certFilename: $certCN expires on $certExpire"
+ else
+ echo "$certFilename: $certCN issued by $certIssuer expires on $certExpire"
+ fi
+ else
+ echo "ERROR: $certFile does not exist or cannot be read"
+ fi
+}
+
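Review bot: The error branch of cert_info prints the diagnostic on stdout and returns 0, so the caller in bin/ca-list-certs cannot distinguish a listing line from a failure; change it to `echo "ERROR: $certFile does not exist or cannot be read" >&2` followed by `return 1`. The CN extraction assumes the legacy `/C=../CN=..` DN format; on OpenSSL 1.1 and later the default is `subject=C = .., CN = ..`, which neither sed expression matches, so the whole DN line would be printed as the CN — passing a fixed `-nameopt` (e.g. `-nameopt RFC2253`) to openssl gives a stable format to parse. Using `certCN = certIssuer` as the "this is a CA" test is a heuristic: any certificate whose subject CN merely equals its issuer's CN is shown without an issuer, whereas comparing the full `-subject` and `-issuer` output before stripping to the CN is just as cheap and exact. `certValid` is computed and `certCA` is declared but neither is used; either include the notBefore date in the output or drop them, and if the 90-day `--expiring` check is meant to live here, `openssl x509 -checkend` avoids date parsing entirely.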