diff --git a/updatecli/scripts/createIssue.sh b/updatecli/scripts/createIssue.sh
new file mode 100644
index 0000000..744e04d
--- /dev/null
+++ b/updatecli/scripts/createIssue.sh
@@ -0,0 +1,33 @@
+#!/bin/bash
+# This script log to github and create an issue if not in dry mode
+set -eux -o pipefail
+
+command -v "gh" >/dev/null 2>&1 || { echo "ERROR: gh command not found. Exiting."; exit 1; }
+
+cmd=$(cat <<- EOM
+ gh issue create --title "[private.vpn.jenkins.io] $1 VPN CRL expires" \
+ --body "follow https://github.com/jenkins-infra/docker-openvpn?tab=readme-ov-file#howto-renew-certificate-revocation-list \
+ See https://github.com/jenkins-infra/helpdesk/issues/4266 for details." \
+ --label crl \
+ --label updatecli \
+ --repo jenkins-infra/helpdesk
+EOM
+)
+
+if test "$DRY_RUN" == "false"
+then
+ export GITHUB_TOKEN="${UPDATECLI_GITHUB_TOKEN}"
+ alreadyOpened=$(gh issue list --repo jenkins-infra/helpdesk --state open --search "label:crl label:updatecli" | wc -l)
+ if test "$alreadyOpened" -eq 0
+ then
+ "${cmd}"
+ else
+ echo "issue already opened"
+ fi
+else
+ echo "should create an issue on --repo jenkins-infra/helpdesk"
+ echo "with title: [private.vpn.jenkins.io] $1 VPN CRL expires"
+ echo "${cmd}"
+fi
+
+exit 0
diff --git a/updatecli/scripts/datediff.sh b/updatecli/scripts/datediff.sh
new file mode 100644
index 0000000..5bde467
--- /dev/null
+++ b/updatecli/scripts/datediff.sh
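Review bot: In createIssue.sh, `set -eux` turns on xtrace, so `export GITHUB_TOKEN="${UPDATECLI_GITHUB_TOKEN}"` is written to stderr with the token expanded and lands in the updatecli/CI log unless the runner happens to mask it; drop the `x` (`set -eu -o pipefail`) or wrap the export in `set +x`. Separately, `"${cmd}"` expands to a single word, so bash looks for a command named after the entire string and the non-dry-run branch fails instead of creating the issue. Building the call as an array fixes that and keeps the title and body as single arguments whatever `$1` contains.

```bash
set -eu -o pipefail   # no xtrace: the token export below would be echoed to the log

# … unchanged: gh presence check …

create_issue=(
  gh issue create
  --title "[private.vpn.jenkins.io] $1 VPN CRL expires"
  --body "follow https://github.com/jenkins-infra/docker-openvpn?tab=readme-ov-file#howto-renew-certificate-revocation-list See https://github.com/jenkins-infra/helpdesk/issues/4266 for details."
  --label crl
  --label updatecli
  --repo jenkins-infra/helpdesk
)

# … unchanged: DRY_RUN test, token export, open-issue count …
    "${create_issue[@]}"
# … unchanged: "issue already opened" branch and dry-run messages …
  printf '%q ' "${create_issue[@]}"; printf '\n'
```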
@@ -0,0 +1,27 @@
+#!/bin/bash
+# This script calculate diff between dates for letsencrypt expiration
+set -eux -o pipefail
+
+currentexpirydate="${1}"
+DATE_BIN='date'
+
+## non GNU operating system
+if command -v gdate >/dev/null 2>&1
+then
+ DATE_BIN='gdate'
+fi
+command -v "${DATE_BIN}" >/dev/null 2>&1 || { echo "ERROR: ${DATE_BIN} command not found. Exiting."; exit 1; }
+
+currentdateepoch=$("${DATE_BIN}" --utc "+%s" 2>/dev/null)
+expirydateepoch=$("${DATE_BIN}" "+%s" -d "$currentexpirydate")
+
+datediff=$(((expirydateepoch-currentdateepoch)/(60*60*24))) # diff per days
+
+if [ "$datediff" -lt 30 ] # launch renew 30 days before expiration
+then
+ echo "time for update"
+ exit 0
+else
+ echo "not yet expired"
+ exit 1
+fi
diff --git a/updatecli/updatecli.d/crl.enddate.yaml b/updatecli/updatecli.d/crl.enddate.yaml
new file mode 100644
index 0000000..13d9611
--- /dev/null
+++ b/updatecli/updatecli.d/crl.enddate.yaml
@@ -0,0 +1,44 @@
+---
+# yamllint disable rule:line-length
+name: "CRL Renew cert for the VPN"
+
+scms:
+ default:
+ kind: github
+ spec:
+ user: "{{ .github.user }}"
+ email: "{{ .github.email }}"
+ owner: "{{ .github.owner }}"
+ repository: "{{ .github.repository }}"
+ token: "{{ requiredEnv .github.token }}"
+ username: "{{ .github.username }}"
+ branch: "{{ .github.branch }}"
+
+sources:
+ currentEndDate:
+ name: Get current `end_date` date
+ kind: shell
+ spec:
+ command: openssl crl -in ./cert/pki/crl.pem -noout -nextupdate | cut -d= -f2
+ transformers:
+ - addprefix: "'"
+ - addsuffix: "'"
+
+conditions:
+ checkIfEndDateSoonExpired:
+ kind: shell
+ sourceid: currentEndDate
+ spec:
+ # Current end_date date value passed as argument
+ command: bash ./updatecli/scripts/datediff.sh
+ environments:
+ - name: PATH
+targets:
+ createIssue:
+ kind: shell
+ sourceid: currentEndDate
+ spec:
+ environments:
+ - name: PATH
+ - name: UPDATECLI_GITHUB_TOKEN
+ command: bash ./updatecli/scripts/createIssue.sh
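Review bot: In datediff.sh, a non-zero exit means both "not yet expired" (`exit 1`) and "the date could not be parsed", because under `set -e` a failing `"${DATE_BIN}" "+%s" -d "$currentexpirydate"` ends the script with `date`'s own non-zero status. If the caller treats every non-zero exit as "condition not met" (presumably; to be confirmed against updatecli's shell condition handling), a malformed CRL date silently suppresses the renewal issue and the CRL can expire unnoticed. I would reject an empty argument up front with `[ -n "$currentexpirydate" ] || { echo "ERROR: empty expiry date" >&2; exit 2; }` and append `|| { echo "ERROR: cannot parse '$currentexpirydate'" >&2; exit 2; }` to the `expirydateepoch=` assignment, so the failure is at least distinguishable in the log. The header comment also still says letsencrypt although the script is wired to the CRL next-update date.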
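Review bot: In crl.enddate.yaml, the `currentEndDate` source pipes `openssl crl` into `cut`, so the pipeline's status is `cut`'s and a missing or corrupt `./cert/pki/crl.pem` yields an empty source value rather than a failed source (assuming the command runs in a shell without `pipefail`; to be confirmed). The transformers then turn that into `''`, which is handed to datediff.sh and createIssue.sh as if it were a date. Consider `command: bash -o pipefail -c "openssl crl -in ./cert/pki/crl.pem -noout -nextupdate | cut -d= -f2"` so an unreadable CRL stops the pipeline visibly. The `'` prefix and suffix also appear to be the only quoting around the value on the two script command lines, which holds only while the openssl output never contains a single quote; a one-line comment next to the transformers stating that assumption would help the next maintainer.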