Private/Certutil/Invoke-CertutilRevoke.ps1

function Invoke-CertutilRevoke {
    param(
        [Parameter(Mandatory)] [System.Management.Automation.Runspaces.PSSession] $Session,
        [Parameter(Mandatory)] [string] $SerialNumber,
        [Parameter(Mandatory)] [string] $Reason
    )

    $reasonMap = @{
        'Unspecified'          = 0
        'KeyCompromise'        = 1
        'CACompromise'         = 2
        'AffiliationChanged'   = 3
        'Superseded'           = 4
        'CessationOfOperation' = 5
        'CertificateHold'      = 6
    }

    $reasonCode = if ($Reason -match '^\d+$') {
        [int]$Reason
    } elseif ($reasonMap.ContainsKey($Reason)) {
        $reasonMap[$Reason]
    } else {
        throw "Invalid revocation reason '$Reason'. Valid values: $($reasonMap.Keys -join ', ') or an integer 0-6."
    }

    $sb = {
        param($SerialNumber, $ReasonCode)
        & certutil.exe -revoke $SerialNumber $ReasonCode 2>&1
    }

    $output = Invoke-Command -Session $Session -ScriptBlock $sb -ArgumentList $SerialNumber, $reasonCode -ErrorAction Stop

    if ($output -match 'CertUtil: -revoke command FAILED') {
        throw "certutil -revoke failed for SerialNumber $SerialNumber : $($output -join ' ')"
    }
    $output
}