Active Directory Certificate Services - Inventory (Not Trusted Certificate)

Glenn Escarayan 136 Reputation points
2023-01-17T20:21:34.5733333+00:00

Hi MSFT Team,

I am trying to clean up orphaned or untrusted certificates in our Active Directory Domain Server. Is there a way to check which services, devices or machines use that certificate? Is it possible to map the services and client devices that use that certificate before we delete or clean it up?

Please advise.

Thanks,

GCE


2 answers

  1. Thameur-BOURBITA 32,586 Reputation points
    2023-01-31T20:01:22.5833333+00:00

    Hi @GCE

    You can use a PowerShell script to clean up expired and untrusted certificates; the script below works and you can adjust it to generate a log file to trace the cleanup action.

    This script can be used if you have the list of member servers in a CSV file and run it through a scheduled task on an admin server able to communicate with the target member machines through WinRM:

    $ServerList = Get-Content "c:\temp\serverlist.CSV"

    Foreach ($Server in $ServerList) {
        Invoke-Command -ComputerName $Server -ScriptBlock {
            # Get the certificate list from the machine's personal store
            $Certs = Get-ChildItem "Cert:\LocalMachine\My" -Recurse
            # Get the subjects of the trusted root CAs and of the intermediate CAs;
            # without the CA store, certificates issued by an intermediate CA would
            # be treated as untrusted and deleted
            $root_cert_list = Get-ChildItem -Path "Cert:\LocalMachine\Root", "Cert:\LocalMachine\CA" | Select-Object -ExpandProperty Subject
            # Loop through each object in $Certs
            Foreach ($Cert in $Certs) {
                # The property "NotAfter" indicates the expiry time; if it is older than the current time, the certificate is deleted
                If ($Cert.NotAfter -lt (Get-Date)) {
                    $Cert | Remove-Item
                }
                elseif ($root_cert_list -notcontains $Cert.Issuer) {
                    # Delete untrusted certificate: the issuer is not one of the trusted root or intermediate CAs
                    $Cert | Remove-Item
                }
            }
        }
    }


    Please don't forget to mark helpful answer as accepted
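    The question asked for an inventory of what uses a certificate before anything is deleted, which the cleanup script above does not produce. The following is an added example, not code from the answer or from Microsoft: it lists every certificate in the machine's personal store with its expiry and chain status, and which local consumers that record a thumbprint (HTTP.sys SSL bindings and the RDP listener) reference it. It assumes it runs elevated on the server being inventoried (for instance inside Invoke-Command), that netsh prints its English labels, and the function name Get-CertificateUsageReport is this example's own.

    ```powershell
    # Added example: report, without deleting anything, which LocalMachine\My
    # certificates are expired or fail chain validation, and which local
    # consumers (HTTP.sys SSL bindings, the RDP listener) reference them.
    # Assumes an elevated session on the inventoried server; function name is
    # this example's own choice, not an existing cmdlet.
    function Get-CertificateUsageReport {
        # Thumbprints bound in HTTP.sys (IIS, WinRM over HTTPS, other HTTP.sys apps).
        # Assumes English netsh output ("Certificate Hash : <40 hex chars>").
        $httpHashes = @{}
        foreach ($line in (netsh http show sslcert)) {
            if ($line -match 'Certificate Hash\s*:\s*([0-9A-Fa-f]{40})') {
                $httpHashes[$Matches[1].ToUpper()] = $true
            }
        }

        # Thumbprint configured on the RDP listener, if the WMI class is present
        $rdpHash = $null
        try {
            $rdpHash = (Get-CimInstance -Namespace 'root/cimv2/TerminalServices' `
                -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'" `
                -ErrorAction Stop).SSLCertificateSHA1Hash
            if ($rdpHash) { $rdpHash = $rdpHash.ToUpper() }
        } catch { }

        foreach ($cert in Get-ChildItem -Path 'Cert:\LocalMachine\My') {
            $thumb  = $cert.Thumbprint.ToUpper()
            $usedBy = @()
            if ($httpHashes.ContainsKey($thumb))  { $usedBy += 'HTTP.sys binding' }
            if ($rdpHash -and $rdpHash -eq $thumb) { $usedBy += 'RDP listener' }

            # Verify() builds the chain against the local Root and CA stores, so a
            # certificate from an intermediate CA is not flagged as untrusted; it is
            # also false for an expired certificate.
            [pscustomobject]@{
                ComputerName = $env:COMPUTERNAME
                Thumbprint   = $thumb
                Subject      = $cert.Subject
                Issuer       = $cert.Issuer
                NotAfter     = $cert.NotAfter
                Expired      = ($cert.NotAfter -lt (Get-Date))
                ChainValid   = $cert.Verify()
                UsedBy       = ($usedBy -join ', ')
            }
        }
    }

    # Review the report first: removal candidates have an empty UsedBy column
    # and Expired $true or ChainValid $false.
    Get-CertificateUsageReport | Sort-Object Expired, ChainValid |
        Format-Table Thumbprint, Subject, NotAfter, Expired, ChainValid, UsedBy -AutoSize
    ```

    Services that select a certificate by criteria rather than by a stored thumbprint (for example LDAPS on a domain controller, which takes a valid Server Authentication certificate from the same store) do not appear in the UsedBy column, so a certificate with an empty UsedBy still needs a check against those services before removal.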


  2. Glenn Escarayan 136 Reputation points
    2023-02-09T07:03:12.08+00:00

    Hello Bourbita,

    Do you have best practices and guides on how to enable it?

    Thanks,

    GCE
