diff --git a/src/NATS.Server/Monitoring/VarzHandler.cs b/src/NATS.Server/Monitoring/VarzHandler.cs
index 433aa84..3bdbe6d 100644
--- a/src/NATS.Server/Monitoring/VarzHandler.cs
+++ b/src/NATS.Server/Monitoring/VarzHandler.cs
@@ -1,5 +1,6 @@
 using System.Diagnostics;
 using System.Runtime.InteropServices;
+using System.Security.Cryptography.X509Certificates;
 using NATS.Server.Protocol;
 
 namespace NATS.Server.Monitoring;
@@ -47,6 +48,22 @@ public sealed class VarzHandler : IDisposable
 _lastCpuUsage = currentCpu;
 }
 
+ // Load the TLS certificate to report its expiry date in /varz.
+ // Corresponds to Go server/monitor.go handleVarz populating TLSCertExpiry.
+ DateTime? tlsCertExpiry = null;
+ if (_options.HasTls && !string.IsNullOrEmpty(_options.TlsCert))
+ {
+ try
+ {
+ using var cert = X509CertificateLoader.LoadCertificateFromFile(_options.TlsCert);
+ tlsCertExpiry = cert.NotAfter;
+ }
+ catch
+ {
+ // cert load failure — leave field as default
+ }
+ }
+
 return new Varz
 {
 Id = _server.ServerId,
@@ -63,6 +80,8 @@ public sealed class VarzHandler : IDisposable
 TlsRequired = _options.HasTls && !_options.AllowNonTls,
 TlsVerify = _options.HasTls && _options.TlsVerify,
 TlsTimeout = _options.HasTls ? _options.TlsTimeout.TotalSeconds : 0,
+ TlsCertNotAfter = tlsCertExpiry ?? default,
+ TlsOcspPeerVerify = _options.OcspPeerVerify,
 MaxConnections = _options.MaxConnections,
 MaxPayload = _options.MaxPayload,
 MaxControlLine = _options.MaxControlLine,
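Review bot: The bare `catch` around `LoadCertificateFromFile` discards every failure, so a missing, unreadable or malformed certificate file shows up in /varz exactly like a server with no certificate, and nothing is logged. I would narrow it to `catch (Exception ex) when (ex is CryptographicException or IOException or UnauthorizedAccessException)` and log the path and `ex.Message`, if a logger is reachable from this class (not visible in the hunk). The file is also re-read and parsed on every /varz request, and after a rotation it may not be the certificate the listener actually holds in memory; caching the expiry where the TLS options are loaded would address both. `cert.NotAfter` is local time, so `cert.NotAfter.ToUniversalTime()` keeps the reported value independent of the host's time zone. The enclosing method starts and ends outside this hunk.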
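Review bot: `TlsOcspPeerVerify = _options.OcspPeerVerify` is not gated on `_options.HasTls` the way `TlsRequired`, `TlsVerify` and `TlsTimeout` just above it are, so /varz can report OCSP peer verification as enabled on a server with TLS off, unless option validation already prevents that combination (not visible here). For consistency I would write `TlsOcspPeerVerify = _options.HasTls && _options.OcspPeerVerify,`. On the line above, `tlsCertExpiry ?? default` reports the default DateTime both when no certificate is configured and when loading failed; a short comment such as `// default(DateTime) = no cert configured or cert unreadable` would tell readers the sentinel is intentional. The object initializer starts and ends outside this hunk.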