Details
Type: Sub-task
Status: Open
Priority: Major
Resolution: Unresolved
Description
Currently, certificate rotation removes the old certificates and keys from disk once they have been renewed.
The in-memory state, however, still holds the old certificates, and it should be cleaned up. To do so we would probably want revocation support: the renewal would then revoke the old certificates, and the revocation handling would clean up the in-memory state. After revocation, the underlying SSL implementation is also notified that the certificate is no longer valid. Other solutions as part of the renewal itself could be explored as well, but it is unclear whether the underlying SSL implementation still holds references to the old certificates in channels that are already open, so that seems to be a more complex approach.
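To make the distinction concrete, here is an added Go model of the two paths; it is illustration written for this page, not code from the project this issue belongs to. The hypothetical `CertStore` keeps every loaded certificate in memory keyed by serial. `Install` mirrors the behaviour described above: the renewed certificate becomes active, but the previous entry is never evicted. `Renew` instead goes through `Revoke`, which drops the old entry and records its serial so that a `Verify` hook (the kind a TLS layer would call, for example from `tls.Config.VerifyPeerCertificate`) rejects the old certificate. All type and function names are assumptions, and the self-signed certificates are generated in-process as constructed sample input.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"sync"
	"time"
)

// ErrRevoked is returned by Verify for a certificate whose serial has been revoked.
var ErrRevoked = errors.New("certificate has been revoked")

// CertStore is a hypothetical model of the in-memory certificate state (assumption, not the
// project's type): every certificate ever loaded, keyed by serial, plus the revoked serials.
type CertStore struct {
	mu      sync.Mutex
	certs   map[string]*x509.Certificate
	revoked map[string]struct{}
	active  string // serial of the certificate currently served
}

func NewCertStore() *CertStore {
	return &CertStore{certs: map[string]*x509.Certificate{}, revoked: map[string]struct{}{}}
}

// Install makes cert the active certificate. Like the rotation described in the issue, it leaves
// the previous entry untouched: removing the file from disk does not remove it from memory.
func (s *CertStore) Install(cert *x509.Certificate) {
	s.mu.Lock()
	defer s.mu.Unlock()
	serial := cert.SerialNumber.String()
	s.certs[serial] = cert
	s.active = serial
}

// Renew installs the new certificate and then revokes the one it replaced, so the revocation
// path, not the renewal itself, is what cleans up the old in-memory entry.
func (s *CertStore) Renew(cert *x509.Certificate) {
	old := s.Active()
	s.Install(cert)
	if old != "" {
		s.Revoke(old)
	}
}

// Revoke records the serial as revoked and evicts the certificate from the live map.
func (s *CertStore) Revoke(serial string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.revoked[serial] = struct{}{}
	delete(s.certs, serial)
}

// Verify is the hook the TLS layer would consult before trusting a certificate; it rejects
// revoked serials regardless of whether the certificate is otherwise valid.
func (s *CertStore) Verify(cert *x509.Certificate) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	if _, ok := s.revoked[cert.SerialNumber.String()]; ok {
		return ErrRevoked
	}
	return nil
}

// Active returns the serial of the currently served certificate.
func (s *CertStore) Active() string { s.mu.Lock(); defer s.mu.Unlock(); return s.active }

// Loaded returns how many certificates are still held in memory.
func (s *CertStore) Loaded() int { s.mu.Lock(); defer s.mu.Unlock(); return len(s.certs) }

// newSelfSigned builds a throwaway ECDSA self-signed certificate as constructed sample input.
func newSelfSigned(cn string, serial int64) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	old, err := newSelfSigned("node-1", 1)
	if err != nil {
		panic(err)
	}
	renewed, err := newSelfSigned("node-1", 2)
	if err != nil {
		panic(err)
	}
	// Rotation as it works today: the renewed cert is active, the old one lingers and still verifies.
	stale := NewCertStore()
	stale.Install(old)
	stale.Install(renewed)
	fmt.Printf("rotate only:  %d in memory, old cert verify error: %v\n", stale.Loaded(), stale.Verify(old))
	// Rotation through revocation: the old entry is evicted and the verify hook rejects it.
	clean := NewCertStore()
	clean.Install(old)
	clean.Renew(renewed)
	fmt.Printf("renew+revoke: %d in memory, old cert verify error: %v\n", clean.Loaded(), clean.Verify(old))
}
```

Note what the model does not cover, matching the caveat in the description: a connection whose handshake already completed with the old certificate keeps its session state inside the TLS library, and evicting the entry from `CertStore` does not reach it; the revocation hook only prevents the old certificate from being accepted on new verifications.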