Pushing the cert using GP, to either the computer’s store or the user’s store, means that cert is always available for the client to trust the hosting site. Certificates are always present unless specifically deleted, regardless of how long ago they may have expired. Have a look in your own PC’s ‘Trusted Root Certification Authorities’ store to see what I mean. My customer system has roughly 8 certs from outside agencies that have to be used, and we simply push them out to the appropriate store on our domain PCs and don’t have any issues. As for cleaning out expired certs, a relatively simple PowerShell script does that; it runs once every 6 months.
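A sketch of the kind of cleanup script mentioned above, as an added example that is not the poster's script: it reports expired certificates in a store and deletes them only when confirmed. The function name, store path, grace period and keep-list are assumptions; the keep-list exists because Windows still needs some expired roots to validate signatures made before they expired.

```powershell
# Added example, not from the original post. Names and defaults are assumptions.
function Remove-ExpiredCertificate {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        # Certificate store(s) to inspect (assumed default: machine root store)
        [string[]]$StorePath = @('Cert:\LocalMachine\Root'),
        # Only touch certs that expired more than this many days ago
        [int]$GraceDays = 30,
        # Thumbprints that must never be removed, even if expired
        [string[]]$KeepThumbprint = @()
    )

    $cutoff = (Get-Date).AddDays(-$GraceDays)

    foreach ($store in $StorePath) {
        Get-ChildItem -Path $store |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
            Where-Object { $_.NotAfter -lt $cutoff -and $KeepThumbprint -notcontains $_.Thumbprint } |
            ForEach-Object {
                # One record per candidate, so every run leaves an audit trail
                $record = [pscustomobject]@{
                    Store      = $store
                    Subject    = $_.Subject
                    Thumbprint = $_.Thumbprint
                    NotAfter   = $_.NotAfter
                    Removed    = $false
                }
                # Honours -WhatIf / -Confirm; nothing is deleted on a dry run
                if ($PSCmdlet.ShouldProcess("$store\$($_.Thumbprint)", 'Remove expired certificate')) {
                    Remove-Item -Path $_.PSPath
                    $record.Removed = $true
                }
                $record
            }
    }
}

# Dry run: list what would be removed without changing the store
Remove-ExpiredCertificate -StorePath 'Cert:\LocalMachine\Root' -WhatIf |
    Format-Table -AutoSize
```

Review the dry-run output and add any thumbprints that must stay to `-KeepThumbprint` before running it without `-WhatIf`; a certificate that is still pushed by GP will reappear at the next policy refresh.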