Hi @GCE
You can use a PowerShell script to clean up expired and untrusted certificates. The script below works, and you can adjust it to generate a log file to trace the cleanup actions.
This script can be used if you have the list of member servers in a CSV file and run it through a scheduled task on an admin server that is able to communicate with the target member machines through WinRM:
# One server name per line; blank lines are skipped
$ServerList = Get-Content "c:\temp\serverlist.CSV" | Where-Object { $_.Trim() }
Foreach ($Server in $ServerList) {
    Invoke-Command -ComputerName $Server -ScriptBlock {
        # Get the certificate list from the local machine's Personal store
        $Certs = Get-ChildItem -Path "Cert:\LocalMachine\My"
        # Get the subjects of the trusted root certificates
        $root_cert_list = Get-ChildItem -Path "Cert:\LocalMachine\Root" | Select-Object -ExpandProperty Subject
        # Loop through each object in $Certs
        Foreach ($Cert in $Certs) {
            If ($Cert.NotAfter -lt (Get-Date)) {
                # "NotAfter" is the expiry time: if it is earlier than the current time, delete the certificate
                $Cert | Remove-Item
            }
            ElseIf ($root_cert_list -notcontains $Cert.Issuer) {
                # Delete untrusted certificates: the issuer is not in the list of root certificate subjects
                $Cert | Remove-Item
            }
        }
    }
}
Please don't forget to mark the helpful answer as accepted.
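The answer above suggests adjusting its script to write a log. The function below is an added example written for this page, not the answer's own script: it classifies each certificate in a store as expired, chain-invalid or kept, supports -WhatIf for a dry run, and appends one CSV row per certificate. It validates the full chain with X509Chain rather than comparing the direct issuer against the Root store, so certificates issued by an intermediate CA under a trusted root are not removed. The store path, the log path C:\Temp\cert-cleanup.csv and the function name are assumptions; it must run elevated on the target machine (directly or inside Invoke-Command).

```powershell
# Added example, not part of the answer above.
# Assumptions: runs elevated on the target machine; the log path is a placeholder.
function Invoke-CertStoreCleanup {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$StorePath = 'Cert:\LocalMachine\My',
        [string]$LogPath   = 'C:\Temp\cert-cleanup.csv'   # placeholder, change to suit
    )

    $now   = Get-Date
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Offline validation: trust and time validity only, no CRL/OCSP lookups,
    # so an unreachable revocation endpoint never triggers a deletion.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck

    $log = foreach ($cert in Get-ChildItem -Path $StorePath) {
        $reason = $null
        if ($cert.NotAfter -lt $now) {
            $reason = 'Expired'
        }
        elseif (-not $chain.Build($cert)) {
            # ChainStatus lists every failure, e.g. UntrustedRoot or PartialChain
            $reason = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ';'
            if (-not $reason) { $reason = 'ChainBuildFailed' }
        }
        $chain.Reset()

        $action = 'Kept'
        if ($reason) {
            $target = "$($cert.Subject) [$($cert.Thumbprint)]"
            if ($PSCmdlet.ShouldProcess($target, "Remove certificate ($reason)")) {
                # Remove-Item on the Cert: drive leaves the private key in place
                # unless -DeleteKey is also given.
                Remove-Item -Path $cert.PSPath
                $action = 'Removed'
            }
            else {
                $action = 'WouldRemove'   # -WhatIf: record the decision without acting
            }
        }

        # One log row per certificate, whether or not it was touched
        [pscustomobject]@{
            Timestamp  = $now.ToString('s')
            Computer   = $env:COMPUTERNAME
            Store      = $StorePath
            Thumbprint = $cert.Thumbprint
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            NotAfter   = $cert.NotAfter.ToString('s')
            Reason     = $reason
            Action     = $action
        }
    }

    $null = New-Item -ItemType Directory -Force -Path (Split-Path -Parent $LogPath)
    $log | Export-Csv -Path $LogPath -NoTypeInformation -Append
    $log
}

# Dry run first, then the real run. For remote servers, pass the function body
# to Invoke-Command the same way the answer's script passes its script block.
# Invoke-CertStoreCleanup -WhatIf
# Invoke-CertStoreCleanup
# Invoke-Command -ComputerName $Server -ScriptBlock ${function:Invoke-CertStoreCleanup} -ArgumentList 'Cert:\LocalMachine\My', 'C:\Temp\cert-cleanup.csv'
```

Run it with -WhatIf on one server and read the Reason column before letting a scheduled task run it for real: a certificate whose issuer is not present on the machine shows up as PartialChain rather than UntrustedRoot, which usually means a missing intermediate CA rather than a rogue certificate. Revocation checking is deliberately off; turn it on only if the cleanup host can reach the CRL/OCSP endpoints, otherwise every certificate would be reported as RevocationStatusUnknown.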