I've put the cert name as the wildcard (*.example.com), but the certificate itself points to an actual web server (https://sub.example.com) that can be checked for expiry. The issue there, of course, is that if it's updated, it's going to show the new date, but there could easily be one of 20 other services that got missed…
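One way to catch the missed-service case described above is to compare what every endpoint actually serves. This is an added example, not part of the original comment. The hostnames other than sub.example.com, the fingerprints and the dates are constructed, and the function names are hypothetical.

```python
import hashlib
import socket
import ssl
from datetime import datetime, timedelta, timezone


def fetch_cert(host, port=443, timeout=5.0):
    """Return (sha256 fingerprint, notAfter) of the leaf certificate a host serves.

    Verification stays on, so an already expired or mismatched certificate
    raises ssl.SSLCertVerificationError; treat that as a finding for the host.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            not_after = tls.getpeercert()["notAfter"]
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), timezone.utc)
    return hashlib.sha256(der).hexdigest(), expiry


def find_problems(observations, now, warn_days=30):
    """Map each endpoint to its problems, given {endpoint: (fingerprint, expiry)}.

    "stale" = not serving the newest certificate seen across all endpoints;
    "expiring" = fewer than warn_days left. Healthy endpoints are omitted.
    """
    newest_fp, _ = max(observations.values(), key=lambda obs: obs[1])
    findings = {}
    for endpoint, (fingerprint, expiry) in observations.items():
        problems = []
        if fingerprint != newest_fp:
            problems.append("stale")
        if expiry - now < timedelta(days=warn_days):
            problems.append("expiring")
        if problems:
            findings[endpoint] = problems
    return findings


# Constructed observations: two endpoints renewed, one missed during rollout.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
OLD = ("aa" * 32, datetime(2024, 6, 10, tzinfo=timezone.utc))
NEW = ("bb" * 32, datetime(2025, 6, 10, tzinfo=timezone.utc))
SAMPLE = {"sub.example.com": NEW, "mail.example.com": NEW, "vpn.example.com": OLD}

if __name__ == "__main__":
    for endpoint, problems in find_problems(SAMPLE, NOW).items():
        print(endpoint, ", ".join(problems))
```

For live use, build the observations dictionary by calling `fetch_cert` on each service that uses the wildcard certificate, recording any connection or verification error as its own finding.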