diff --git a/checker/definition.go b/checker/definition.go
index 31c996d..c2fb6f5 100644
--- a/checker/definition.go
+++ b/checker/definition.go
@@ -11,7 +11,7 @@ import (
 var Version = "built-in"
 
 // Definition returns the CheckerDefinition for the TLS checker.
-func (p *tlsProvider) Definition() *sdk.CheckerDefinition {
+func Definition() *sdk.CheckerDefinition {
 	return &sdk.CheckerDefinition{
 		ID:      "tls",
 		Name:    "TLS",
diff --git a/checker/prober.go b/checker/prober.go
index fcbe88d..b528814 100644
--- a/checker/prober.go
+++ b/checker/prober.go
@@ -33,6 +33,7 @@ func buildChain(certs []*x509.Certificate) []CertInfo {
 			DERBase64:     base64.StdEncoding.EncodeToString(c.Raw),
 			Subject:       c.Subject.String(),
 			Issuer:        c.Issuer.String(),
+			NotAfter:      c.NotAfter,
 			CertSHA256:    hex.EncodeToString(certSum256[:]),
 			CertSHA512:    hex.EncodeToString(certSum512[:]),
 			SPKISHA256:    hex.EncodeToString(spkiSum256[:]),
diff --git a/checker/types.go b/checker/types.go
index 81e59bd..58bd547 100644
--- a/checker/types.go
+++ b/checker/types.go
@@ -84,6 +84,10 @@ type CertInfo struct {
 	Subject string `json:"subject,omitempty"`
 	Issuer  string `json:"issuer,omitempty"`
 
+	// NotAfter is the certificate's expiry. Carried so editors can show
+	// "expires on …" without re-parsing the DER.
+	NotAfter time.Time `json:"not_after,omitempty"`
+
 	// Selector 0 = full certificate.
 	CertSHA256 string `json:"cert_sha256,omitempty"`
 	CertSHA512 string `json:"cert_sha512,omitempty"`