Hi,
There are several approaches to this. The url_response probe can check certificate expiration, but it only works with http servers. When I add a https site to monitoring, I usually enable this.
I also monitor local computer store certificates on Windows servers. For this purpose I have two approaches: a custom probe that used .net to query the certificates and in some cases I use the nexec probe to run a powershell script that queries certificates through the certificate provider. My custom probe is also able to query remote certificates other than http, so I'm using it for that as well. Unfortunately the custom probe needs.. some.. work so I'm not using it extensively these days.
In past we've also used all sorts of timed scripts to write a log, which then is parsed by the logmon probe.
-jon