Renewal works fine, but how do I get macOS to use the new certificate instead of the old one?

I just came across

which I had seen previously but had ignored because it only works for High Sierra and I'm using Catalina, but then I realized that the server where I'm managing these certificates is running High Sierra, so I'm going to give that a try.

It explicitly indicates that it will remove keys and certs that are no longer in use, so maybe that's what I've been missing.

Will report back if it works, hopefully to help others who might need/want the same thing.