diff --git a/plugins/ssl/ssl-certificate-expiry b/plugins/ssl/ssl-certificate-expiry
index 029e7869..71951ae1 100755
--- a/plugins/ssl/ssl-certificate-expiry
+++ b/plugins/ssl/ssl-certificate-expiry
@@ -26,6 +26,7 @@ To set warning and critical levels do like this:
 env.proxy PROXYHOST:PORT # optional, enables openssl operation over proxy
 env.checkname yes # optional, checks if used servername is covered by certificate
 env.skip_cert_hashes 2e5ac55d # optional, skip check of certs with those hashes (2e5ac55d is DST Root CA X3, cross-signing Let's Encrypt certs, but expiring on 2021-09-30)
+ env.timeout 60s # optional, sets a timeout for openssl operations. This is useful when the remote server might not be available.
 Alternatively, if you want to monitor hosts separately, you can create multiple symlinks named as follows.
@@ -137,6 +138,12 @@ print_expire_days() {
 [ -n "${proxy:-}" ] && s_client_args="$s_client_args -proxy $proxy"
 [ -n "${checkname:-}" ] && [ "$checkname" = "yes" ] && s_client_args="$s_client_args -verify_hostname $host"
+ # If timeout is configured, setup the command to call.
+ # Use `--preserve-status` to still get the returncode of openssl, not the
+ # one of timeout.
+ local timeout_call=''
+ [ -n "${timeout:-}" ] && timeout_call="timeout --preserve-status ${timeout}"
+
 # We extract and check the server certificate,
 # but the end date also depends on intermediate certs. Therefore
 # we want to check intermediate certs as well.
@@ -155,7 +162,7 @@ print_expire_days() {
 # shellcheck disable=SC2086
 openssl_call="s_client -servername $host -connect ${host}:${port} -showcerts $s_client_args"
 # shellcheck disable=SC2086
- openssl_response=$(echo "" | openssl ${openssl_call} 2>/dev/null)
+ openssl_response=$(echo "" | ${timeout_call} openssl ${openssl_call} 2>/dev/null)
 if echo "$openssl_response" | grep -qi "Hostname mismatch"; then
 echo "<>"
 else
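Review bot: `${timeout}` is copied from the plugin environment into `timeout_call` without any check, and the call site expands `timeout_call` unquoted, so a malformed value is word-split and handed to `timeout` as extra arguments instead of being rejected. I would validate the duration where `timeout_call` is built, for example `case "$timeout" in *[!0-9.smhd]*) echo "invalid env.timeout: $timeout" >&2; timeout_call='' ;; esac`. It is also worth checking `command -v timeout` at the same place, since `--preserve-status` is a GNU coreutils option and may not exist in other `timeout` implementations. print_expire_days starts and ends outside this hunk.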
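Review bot: The `2>/dev/null` on the new `openssl_response=` line also swallows errors from `timeout` itself, so a fired timeout, a rejected `env.timeout` value and an unreachable host all look the same: an empty or truncated `openssl_response`. Since `--preserve-status` was chosen to keep openssl's exit code, it would be consistent to capture it, e.g. `openssl_response=$(...) || openssl_rc=$?`, and report the check as unknown when it is non-zero rather than parsing partial output. How the rest of print_expire_days handles an empty response is outside this hunk and should be confirmed. For a plugin whose job is to warn before a certificate expires, a silent gap in the data is the failure mode to avoid.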