diff --git a/build.xml b/build.xml
index f54bf233..217e1f61 100644
--- a/build.xml
+++ b/build.xml
@@ -217,6 +217,7 @@
     <property name="build.dir" value="${basedir}/build"/>
     <property name="mdx.dir" value="${basedir}/mdx"/>
     <property name="rules.dir" value="${mdx.dir}/_rules"/>
+    <property name="utilities.dir" value="${basedir}/utilities"/>
 
     <!--
         Location of externally supplied tool bundles.
@@ -2165,9 +2166,9 @@
     -->
     <target name="check.embedded" depends="extract.embedded">
         <echo>Checking embedded certificates</echo>
-        <exec executable="perl" dir="${build.dir}"
+        <exec executable="perl" dir="${utilities.dir}"
             input="${temp.dir}/embedded.pem">
-            <arg value="${build.dir}/check_embedded.pl"/>
+            <arg value="${utilities.dir}/check_embedded.pl"/>
             <arg value="-q"/>
         </exec>
         <delete file="${temp.dir}/embedded.pem" quiet="true" verbose="false"/>
diff --git a/build/check_embedded.pl b/utilities/check_embedded.pl
similarity index 100%
rename from build/check_embedded.pl
rename to utilities/check_embedded.pl
diff --git a/utilities/expiry_whitelist.txt b/utilities/expiry_whitelist.txt
new file mode 100644
index 00000000..9bedfb6d
--- /dev/null
+++ b/utilities/expiry_whitelist.txt
@@ -0,0 +1,73 @@
+#
+# expiry_whitelist.txt
+#
+# This file lists certificates whose expiry should be ignored for some
+# reason.
+#
+# Lines can be continued by ending them with a '\'.
+# Blank lines, and lines starting with a '#', are ignored.
+#
+# The format of lines describing a whitelisted certificate is a series
+# of fields separated by spaces or tabs (standard Perl fields).
+#
+# Field 1:  SHA-1-fingerprint for the certificate
+# Field 2:  reason code
+#
+# Subsequent fields are ignored, and can be used as a comment.
+#
+# Combining the above:
+#
+# A9:16:56:BB:5C:0C:27:BE:B4:D0:3B:CF:A8:DA:1D:8E:37:54:00:4A reason \
+#    this is a comment describing the certificate.  Entity uk123456. Call 9999.
+#
+# Common reason codes:
+#    * none
+#
+B1:1A:B2:19:0E:7E:2B:97:C4:6A:AA:D8:97:F6:09:BE:E3:81:EB:D6 \
+    Certificate expired for a "e-academy Incorporated: OnTheHub" Shibboleth SP for e-academy Incorporated. Entity uk001473. Call 6592.
+
+43:39:DB:D5:08:1C:87:7A:F5:72:6E:60:80:7F:CA:AC:B5:A2:94:1B \
+    Certificate expired in a Palgrave Macmillan staging SP. Entity uk001446. Call 7663.
+
+4D:4B:09:FF:2E:E3:36:77:CD:65:59:94:DE:28:CF:8B:51:55:90:E4 \
+    Certificate expired in an 'RM Easymail Plus' Shibboleth SP owned by RM Education plc. Entity uk001483. Call 8254.
+    
+F9:04:F9:4A:4B:D4:7D:30:42:88:64:1B:C8:51:EF:CC:43:D9:30:10 \
+    Certificate expired - no reply from Kindit Ltd (Picturemaxx) - call 10305.
+    
+4D:DE:9C:CB:68:F7:EB:FF:A2:E9:CC:A0:1A:9F:9D:9D:86:DA:C2:97 \
+    Certificate expired in a Shibboleth IdP for Hopwood Hall College. Entity uk001648. Call 10211.
+    
+90:A3:BB:7B:C3:8E:EB:57:8D:DA:4E:42:01:64:3B:11:D9:B4:F5:75 \
+    Certificate expires 8 January 2015 - merger - Stourbridge College.  Entity uk001743. Call 11565.
+
+10:6D:8F:2D:14:31:B6:56:18:D8:CB:E9:BD:AB:96:DC:9D:ED:30:35 \
+    Certificate expired 8 March 2015 - Shibboleth IdP for Southport College. Entity uk000308. Call 11905.
+    
+64:44:D0:DF:86:52:F3:CD:3D:D6:75:8F:8E:84:82:92:7F:4E:93:C3 \
+    Certificate expired 10 April 2015 - Dawson Shibboleth SP for Semantico Limited.  Entity uk002112. Call 12202.
+
+AD:08:96:85:E3:C1:50:AD:31:4C:6D:B2:74:78:40:21:20:5A:7D:D3 \
+    Certificate expired 10 Jan 2016 - Cardiff pre-prod IdP. Entity uk001170. Call 14603.
+    
+92:11:9D:AC:9D:B2:6E:97:1D:10:CC:FD:30:48:EB:04:0F:91:7E:B3 \
+    Certificate expired 25 Jan 2016 - Janet community site staging SP. Entity uk002056. Call 14681.
+
+AC:61:A4:E0:0B:93:13:AD:30:B4:25:3E:34:09:BB:89:4D:97:9A:C4 \
+    Old certificate expired 29 Jan 2016 - Lancaster and Morecambe College IdP. Entity uk001215. Call 14774.
+    
+F7:E4:37:53:85:79:7D:41:B2:8A:ED:D5:6B:D4:21:57:FE:59:F3:05 \
+    Old certificate expired 16 Nov 2015 - Cadbury Sixth Form College IdP. Entity uk001150. Call 14032.
+    
+3D:68:7B:71:14:31:20:6F:19:49:C4:34:CE:AE:B0:00:68:60:FF:46 \
+    Expired certificate in an unused staging IdP - University of Essex. Entity uk001359. Call 15615.
+    
+94:E5:25:42:BC:70:9C:19:75:07:1E:9A:58:EE:C4:A7:D6:BA:97:2B \ 
+    Expired certificate (23/04/16) in an unused Shibboleth IdP for Totton College. Entity uk000231. Call 15316.
+    
+F3:63:1C:35:CC:BC:FD:E7:A4:B7:3B:C8:54:FF:AF:0F:0F:A2:66:04 \
+    Expired certificate (26/07/16) for a Shibboleth test IdP for Canterbury Christ Church University. Entity uk002469. Call 15960.
+    
+13:C7:EB:D0:42:30:4A:41:40:1C:6F:F8:08:AA:EB:89:B2:31:05:2B \
+    Expired certificate (09/05/2016) for a Shibboleth IdP for King George V College. Entity uk001322. Call 15465.
+# END
