If an IAM certificate is expired but still in use touchdown will try to delete it but it will fail #117
Description
delete_server_certificate does not support dry run so we can't detect this ahead of time.
If the graph querying API was rich enough we could find all elb's and cloudfront distributions in the current configuration and ensure they didn't use the cert (we depend on then, so we know their 'describe' service will have a plan.object['ServerCertificateId'] or similar already populated by the time we run).
The alternative is to query for elb and cloudfront distributions that use the cert. For cloudfront that is not so bad, but for elb we'd technically have to do it in every region!!!
Alternatively we can try to delete stale things, but make it a soft-fail as we know its not a crucial part of the deployment.