diff --git a/.kitchen.yml b/.kitchen.yml
index 8fccf8c..f0eef02 100644
--- a/.kitchen.yml
+++ b/.kitchen.yml
@@ -65,15 +65,6 @@ platforms:
 transport:
 name: winrm
 winrm_transport: plaintext
- - name: windows-2012r2
- driver_plugin: vagrant
- driver_config:
- box: red-gate/windows-2012r2
- provisioner:
- puppet_version: "6.28.0"
- transport:
- name: winrm
- winrm_transport: plaintext
 suites:
 - name: windows_tests
diff --git a/Gemfile b/Gemfile
index e40f624..a3e7745 100644
--- a/Gemfile
+++ b/Gemfile
@@ -2,7 +2,7 @@ source 'https://rubygems.org'
 gem 'puppet-lint'
-gem 'test-kitchen'
+gem 'test-kitchen', '< 3.8.0' # pin to pre 3.8.0 which introduced a change to how it uploads files which breaks ssh_tgz upload in the kitchen-zip module
 gem 'kitchen-puppet', '>= 3.6.0'
 gem 'kitchen-vagrant'
 gem 'kitchen-zip', :git => 'https://github.com/red-gate/kitchen-zip', :branch => 'master'
diff --git a/manifests/from_pem.pp b/manifests/from_pem.pp
index ceb5ad3..d62c7fd 100644
--- a/manifests/from_pem.pp
+++ b/manifests/from_pem.pp
@@ -20,7 +20,8 @@
 String $key_content,
 String $store = 'LocalMachine\My',
 Boolean $exportable = false,
- Boolean $remove_expired_certs = true
+ Optional[Integer] $remove_expired_certs_after = 30, # Days,
+ # Default of "30", to keep the behaviour the same, "-1" for immediate removal, "undef" to not remove.
 ) {
 require sslcertificate::openssl
@@ -37,7 +38,7 @@
 logoutput => true,
 }
- if $remove_expired_certs {
+ if $remove_expired_certs_after {
 exec { "${title}_RemoveExpiredCerts":
 provider => 'powershell',
 command => template('sslcertificate/remove_expired_certs.ps1.erb'),
diff --git a/templates/remove_expired_certs.ps1.erb b/templates/remove_expired_certs.ps1.erb
index 11ff154..10c681d 100644
--- a/templates/remove_expired_certs.ps1.erb
+++ b/templates/remove_expired_certs.ps1.erb
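Review bot: In manifests/from_pem.pp the first hunk drops the Boolean `remove_expired_certs` parameter outright, so an existing declaration that still passes it will presumably fail catalog compilation on an unknown parameter. If the break is intended it should be called out in the changelog or README; otherwise keep the old name as a deprecated alias for a release. The guard in the second hunk, `if $remove_expired_certs_after {`, relies on truthiness of an Integer; `if $remove_expired_certs_after != undef {` states the documented "undef to not remove" contract directly. The parameter list and the resource body both start and end outside these hunks.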
@@ -9,7 +9,7 @@ function Get-CertName($certificate) {
 $cert_cn = Get-CertName $cert
 function Test-ShouldBeRemoved($certificate) {
- ($certificate.NotAfter -lt ((get-date).AddDays(-30))) -and (Get-CertName $certificate) -eq $cert_cn
+ ($certificate.NotAfter -lt ((get-date).AddDays(-1 * <%= @remove_expired_certs_after %>))) -and (Get-CertName $certificate) -eq $cert_cn
 }
 Get-ChildItem Cert:\<%= @store %> | Where-Object { Test-ShouldBeRemoved $_ } | Remove-Item -Verbose
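Review bot: With `-1`, the value the manifest comment documents for immediate removal, the expression in Test-ShouldBeRemoved becomes `AddDays(-1 * -1)`, a cutoff one day in the future. A certificate with the same CN that is still valid for up to 24 hours would then be deleted. Larger negative values push the cutoff further out and could remove the certificate that was just installed, since the match is on CN alone. `0` already gives a cutoff of now, and as far as I know Puppet 4+ treats integer `0` as truthy, so the `if` guard in manifests/from_pem.pp would still fire. I would constrain the parameter there to `Optional[Integer[0]] $remove_expired_certs_after = 30,` and document `0` as immediate removal.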