Remove Local Windows Certificate Store Expired Certificates

With this script you will be able to run, detect and also remove all expired certificates on the affected local machine.

All Certificate Stores (User, Service and Computer) are checked and based on the date (when run) to detect any expired certificates up to the date of run.

Thus the script will parse all local windows certificate stores and remove any certificate that is detected as expired.


The script requirements:

  • Requires at least PowerShell 3.0 or later
  • Tested on Windows 7, 8 (All versions)
  • Tested on Server 2008, 2012 (All versions)
  • Please run script locally on affected machine with Administrator privilege

DO NOT run this script on a server running a windows PKI Certificate Authority.

This is primarily a cleanup script for end-point systems to detect and remove old revoked and/or expired certificates in a scripted automated fashion.

#Get todays date

$today = Get-Date
$ConfirmPreference = “None”

Parse all stores and removed expired

$store = New-Object System.Security.Cryptography.x509Certificates.x509Store(“My”,”LocalMachine”)
$certs = $store.Certificates | Where-Object {$_.NotAfter -lt $today}
ForEach ($cert in $certs)


Be the first to comment

Leave a Reply

Your email address will not be published.