diff --git a/setup/ssl.sh b/setup/ssl.sh
index 19a0c048..0aa9b136 100755
--- a/setup/ssl.sh
+++ b/setup/ssl.sh
@@ -96,3 +96,12 @@ fi
 if [ ! -f "$STORAGE_ROOT/ssl/dh2048.pem" ]; then
 	openssl dhparam -out "$STORAGE_ROOT/ssl/dh2048.pem" 2048
 fi
+
+# Cleanup expired SSL certificates from $STORAGE_ROOT/ssl daily
+cat > /etc/cron.daily/mailinabox-ssl-cleanup << EOF;
+#!/bin/bash
+# Mail-in-a-Box
+# Cleanup expired SSL certificates
+$(pwd)/tools/ssl_cleanup
+EOF
+chmod +x /etc/cron.daily/mailinabox-ssl-cleanup
diff --git a/tools/ssl_cleanup b/tools/ssl_cleanup
new file mode 100755
index 00000000..5adfa1be
--- /dev/null
+++ b/tools/ssl_cleanup
@@ -0,0 +1,17 @@
+#!/bin/bash
+# Cleanup SSL certificates which expired more than 7 days ago from $STORAGE_ROOT/ssl and move them to $STORAGE_ROOT/ssl.expired
+
+source /etc/mailinabox.conf
+shopt -s extglob
+
+retain_after="$(date --date="7 days ago" +%Y%m%d)"
+
+mkdir -p $STORAGE_ROOT/ssl.expired
+for file in $STORAGE_ROOT/ssl/*-+([0-9])-+([0-9a-f]).pem; do
+  pem="$(basename "$file")"
+  not_valid_after="$(cut -d- -f1 <<< "${pem: -21}")"
+
+  if [ "$not_valid_after" -lt "$retain_after" ]; then
+    mv "$file" "$STORAGE_ROOT/ssl.expired/${pem}"
+  fi
+done