diff --git a/src/util-lua-tls.c b/src/util-lua-tls.c
index 5d0a7491eb..648eb42312 100644
--- a/src/util-lua-tls.c
+++ b/src/util-lua-tls.c
@@ -57,6 +57,88 @@
 #include "util-lua.h"
 #include "util-lua-common.h"
+static int GetCertNotBefore(lua_State *luastate, const Flow *f, int direction)
+{
+ void *state = FlowGetAppState(f);
+ if (state == NULL)
+ return LuaCallbackError(luastate, "error: no app layer state");
+
+ SSLState *ssl_state = (SSLState *)state;
+ SSLStateConnp *connp = NULL;
+
+ if (direction) {
+ connp = &ssl_state->client_connp;
+ } else {
+ connp = &ssl_state->server_connp;
+ }
+
+ if (connp->cert0_not_before == 0)
+ return LuaCallbackError(luastate, "error: no certificate NotBefore");
+
+ int r = LuaPushInteger(luastate, connp->cert0_not_before);
+
+ return r;
+}
+
+static int TlsGetCertNotBefore(lua_State *luastate)
+{
+ int r;
+
+ if (!(LuaStateNeedProto(luastate, ALPROTO_TLS)))
+ return LuaCallbackError(luastate, "error: protocol not tls");
+
+ int direction = LuaStateGetDirection(luastate);
+
+ Flow *f = LuaStateGetFlow(luastate);
+ if (f == NULL)
+ return LuaCallbackError(luastate, "internal error: no flow");
+
+ r = GetCertNotBefore(luastate, f, direction);
+
+ return r;
+}
+
+static int GetCertNotAfter(lua_State *luastate, const Flow *f, int direction)
+{
+ void *state = FlowGetAppState(f);
+ if (state == NULL)
+ return LuaCallbackError(luastate, "error: no app layer state");
+
+ SSLState *ssl_state = (SSLState *)state;
+ SSLStateConnp *connp = NULL;
+
+ if (direction) {
+ connp = &ssl_state->client_connp;
+ } else {
+ connp = &ssl_state->server_connp;
+ }
+
+ if (connp->cert0_not_after == 0)
+ return LuaCallbackError(luastate, "error: no certificate NotAfter");
+
+ int r = LuaPushInteger(luastate, connp->cert0_not_after);
+
+ return r;
+}
+
+static int TlsGetCertNotAfter(lua_State *luastate)
+{
+ int r;
+
+ if (!(LuaStateNeedProto(luastate, ALPROTO_TLS)))
+ return LuaCallbackError(luastate, "error: protocol not tls");
+
+ int direction = LuaStateGetDirection(luastate);
+
+ Flow *f = LuaStateGetFlow(luastate);
+ if (f == NULL)
+ return LuaCallbackError(luastate, "internal error: no flow");
+
+ r = GetCertNotAfter(luastate, f, direction);
+
+ return r;
+}
+
 static int GetCertInfo(lua_State *luastate, const Flow *f, int direction)
 {
 void *state = FlowGetAppState(f);
@@ -218,6 +300,12 @@ static int TlsGetCertChain(lua_State *luastate)
 int LuaRegisterTlsFunctions(lua_State *luastate)
 {
 /* registration of the callbacks */
+ lua_pushcfunction(luastate, TlsGetCertNotBefore);
+ lua_setglobal(luastate, "TlsGetCertNotBefore");
+
+ lua_pushcfunction(luastate, TlsGetCertNotAfter);
+ lua_setglobal(luastate, "TlsGetCertNotAfter");
+
 lua_pushcfunction(luastate, TlsGetCertInfo);
 lua_setglobal(luastate, "TlsGetCertInfo");
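Review bot: In `GetCertNotBefore` and `GetCertNotAfter` the value 0 doubles as the "date not available" marker, so a certificate whose validity bound really decodes to 0 is reported to the script as `error: no certificate NotBefore` / `NotAfter` instead of as a date. Presumably the TLS parser leaves the field at 0 when no certificate was parsed, but that code is outside this hunk; if so, the check deserves a comment such as `/* 0 = not set by the TLS parser; a bound that decodes to 0 cannot be told apart */`. Rule scripts that use these callbacks to flag expired or not-yet-valid certificates should therefore treat the error return as "unknown", never as "valid". The two helpers also differ only in the field read and the message, so one static helper taking the value and the error string would keep them from drifting apart.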
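Review bot: The two globals registered at the top of `LuaRegisterTlsFunctions` reach rule scripts with no statement of their contract: which certificate they read, what unit the pushed integer is in, and what the script receives when the date is unset. A comment above the first registration would cover it, e.g. `/* TlsGetCertNotBefore / TlsGetCertNotAfter: validity bounds of cert0 for the current direction, pushed as an integer; error when unset */`. The unit is not visible in this diff, so it should be filled in from the field's declaration. The function body continues outside the hunk.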