The removal of revoked certificates is not automatic: you have to run a cleanup every year after you renew your CA, so here is a PowerShell cleanup script that works.
Note: the remarked (commented-out) lines are left that way by default for tweaking and testing, so the script only reports what it finds until you un-remark the Remove-Item call.
'Remove-RevokedCertificates.ps1'
# List of servers, one name per line
$ListOfServers = Get-Content "D:\powershell\input\servers.csv"
$ListOfServers.Count   # show how many servers will be processed
# Loop through each server
Foreach ($Server in $ListOfServers) {
    Invoke-Command -ComputerName $Server -ScriptBlock {
        # Get the certificate list from the machine's Personal store and assign it to a variable
        $Certs = Get-ChildItem "Cert:\LocalMachine\My" -Recurse
        # Loop through each certificate in $Certs
        Foreach ($Cert in $Certs) {
            #Write-Host "Certificate $($Cert.Thumbprint) expires on $($Cert.NotAfter)"
            # If the certificate's "NotAfter" date is earlier than the current time it has expired.
            # Note: this test keys on the expiry date only; it does not look at revocation status.
            If ($Cert.NotAfter -lt (Get-Date)) {
                Write-Host "Certificate $($Cert.Thumbprint) expired on $($Cert.NotAfter)"
                $Cert #| Remove-Item   # <-- when ready, un-remark "| Remove-Item" to delete the certificate
            }
        }
    }
}
Note: the input file should come from a script you already run daily to build a list of the Windows servers you can reach, so this script does not have to ping or Test-NetConnection (TNC) each host first…
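As an added example (not the post's script, and not part of the original), here is a report-first variant of the same cleanup: nothing is removed unless `-Delete $true` is passed, a grace period keeps recently expired certificates around, and every decision is appended to an audit CSV with the thumbprint, subject, issuer and whether a private key was attached. The store path, the 30-day grace period, the audit log location and the `servers.csv` list are assumptions to adjust. Like the post's script, the test is the `NotAfter` expiry date; a revoked certificate that has not yet expired is left in place.

```powershell
# Added example (not the post's script). Reports expired certificates in a
# store and removes them only when -Delete $true is given; every decision is
# appended to an audit CSV. The test is expiry (NotAfter), not revocation.
function Remove-ExpiredCertificate {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Certificate store to scan (assumed default: the machine Personal store)
        [string]$StorePath = 'Cert:\LocalMachine\My',
        # Keep certificates that expired within this many days (assumed value)
        [int]$GraceDays = 30,
        # Audit trail on the host being cleaned (assumed path)
        [string]$AuditLog = "$env:ProgramData\cert-cleanup-audit.csv",
        # $false (the default) is a report-only run; a [bool] rather than a
        # [switch] so it can be passed positionally through Invoke-Command
        [bool]$Delete = $false
    )

    $cutoff  = (Get-Date).AddDays(-$GraceDays)
    $results = @()

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # Skip anything still valid or inside the grace window
        if ($cert.NotAfter -ge $cutoff) { continue }

        $record = [pscustomobject]@{
            Computer      = $env:COMPUTERNAME
            Thumbprint    = $cert.Thumbprint
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey
            Action        = 'WouldRemove'
            Timestamp     = (Get-Date).ToString('o')
        }

        # Remove only when explicitly asked, and honour -WhatIf / -Confirm
        if ($Delete -and $PSCmdlet.ShouldProcess(
                "$($cert.Subject) [$($cert.Thumbprint)]",
                "Remove certificate expired $($cert.NotAfter)")) {
            Remove-Item -Path $cert.PSPath
            $record.Action = 'Removed'
        }

        $results += $record
    }

    if ($results.Count -gt 0) {
        $results | Export-Csv -Path $AuditLog -NoTypeInformation -Append
    }
    return $results
}

# Usage: a report-only pass over every server in the list (the same CSV the
# post reads), then a real removal once the report has been reviewed.
# $servers = Get-Content 'D:\powershell\input\servers.csv'
# Invoke-Command -ComputerName $servers -ScriptBlock ${function:Remove-ExpiredCertificate} |
#     Format-Table Computer, Thumbprint, Subject, NotAfter, HasPrivateKey, Action
# Invoke-Command -ComputerName $servers -ScriptBlock ${function:Remove-ExpiredCertificate} `
#     -ArgumentList 'Cert:\LocalMachine\My', 30, "$env:ProgramData\cert-cleanup-audit.csv", $true
```

The first `Invoke-Command` call writes `WouldRemove` rows only, which is the place to spot an expired certificate that still has a private key and a live binding before anything is deleted; the second call, with `$true` as the last argument, performs the removal and records `Removed` for each one. Running the function locally with `-WhatIf` gives the same dry run without the remoting.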