I have 2 vCenters in ELM.
Both vCenters started out with version 6.7 and have been upgraded in the past to 7.0, now running 7.0.3.01500.
Both vCenters have machine SSL certificates from an internal Root / Issuing CA PKI chain.
Both vCenters are NOT part of the CA chain; they still have their own VMware CA!
A previous operator apparently has been playing around with certificates, so the Trusted Root store is quite littered with old and new VMware CA certificates and some machine SSL certificates.
In total there are 13 records in the store:
- A Root and Issuing CA from the internal PKI
- 2 VMware CAs from the local VC (1 old, 1 current)
- 1 (old) VMware CA from the remote VC
- 5 machine SSL certificates from the local VC
- 2 machine SSL certificates from the remote VC
- 1 SSL certificate from HPE OV4VC.
I compared the contents of this store with a similar setup (2 VCs in ELM, machine SSL from internal PKI) with the only difference that this one has been set up with 7.0.3 from the start.
In total there are 5 records in the store:
- A Root and Issuing CA from the internal PKI
- 1 VMware CA from the local VC and 1 VMware CA from the remote VC
- 1 SSL certificate from HPE OV4VC.
The newer setup clearly has the proper certificates in the Trusted Root store.
Questions:
1. Can I remove the VC SSL machine certificates from the Trusted Root store? They do not seem to be stored there at all when looking at a fresh 7.0 setup ...
2. Somebody renewed the VMware CAs (for no reason, the previous one would expire in 2030), but I noticed the STS Signing Certificate is still issued by the previous VMware CA. Do I need to run the "Refresh with vCenter certificate" action to have it chained to the current VMware CA?
3. Can I then remove the old VMware CA certificates from the Trusted Root store?
4. Apparently the VMware CA from a linked VC only gets added to the Trusted Root store during the setup with ELM. When that VMware CA gets renewed it is not pushed to its linked partner. Do I have to manually import that newer VMware CA from the remote VC?
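Added example (not from the post and not VMware's code) of the inventory check questions 1 and 3 call for: it parses a TRUSTED_ROOTS dump and lists entries that are leaf certificates, already expired, or superseded by a newer CA with the same subject, so each entry can be reviewed before anything is deleted. The input layout is assumed to match `vecs-cli entry list --store TRUSTED_ROOTS --text` (an `Alias :` header per entry followed by openssl-style certificate text); the sample below is constructed and trimmed to the lines the script reads.

```python
import re
from datetime import datetime

# Constructed sample in the assumed shape of
# "vecs-cli entry list --store TRUSTED_ROOTS --text", trimmed to the lines parsed below.
SAMPLE = """\
Alias :\tvmca-old
            Not Before: Mar  3 10:00:00 2020 GMT
            Not After : Feb 26 10:00:00 2030 GMT
        Subject: CN=CA, DC=vsphere, DC=local
                CA:TRUE
Alias :\tvmca-current
            Not Before: Jun  1 09:00:00 2023 GMT
            Not After : May 27 09:00:00 2033 GMT
        Subject: CN=CA, DC=vsphere, DC=local
                CA:TRUE
Alias :\tvc01-machine
            Not Before: May  5 08:00:00 2021 GMT
            Not After : May  4 08:00:00 2023 GMT
        Subject: CN=vc01.example.local
                CA:FALSE
"""

def _field(block, label):
    # First "<label>: value" line inside one entry's certificate text
    return re.search(rf"^\s*{label}\s*:\s*(.+?)\s*$", block, re.M).group(1)

def _when(stamp):
    return datetime.strptime(stamp, "%b %d %H:%M:%S %Y GMT")

def parse_entries(text):
    """One dict per store entry: alias, subject, validity window, CA flag."""
    entries = []
    for block in re.split(r"^Alias\s*:", text, flags=re.M)[1:]:
        alias, body = block.split("\n", 1)
        entries.append({"alias": alias.strip(), "subject": _field(body, "Subject"),
                        "not_before": _when(_field(body, "Not Before")),
                        "not_after": _when(_field(body, "Not After")),
                        "is_ca": "CA:TRUE" in body})
    return entries

def audit(entries, now):
    """Aliases that do not belong in a trusted-root store, grouped by reason:
    leaf (machine SSL) certs, expired entries, and CAs superseded by a newer
    CA with the same subject (e.g. a re-issued VMware CA). 'now' is an openssl-style stamp."""
    newest = {}  # subject -> CA entry with the latest Not Before
    for e in entries:
        if e["is_ca"] and (e["subject"] not in newest
                           or e["not_before"] > newest[e["subject"]]["not_before"]):
            newest[e["subject"]] = e
    return {"leaf": [e["alias"] for e in entries if not e["is_ca"]],
            "expired": [e["alias"] for e in entries if e["not_after"] < _when(now)],
            "superseded": [e["alias"] for e in entries
                           if e["is_ca"] and newest[e["subject"]] is not e]}
```

Run it against the real dump by replacing SAMPLE with the command's output; an alias listed under more than one reason is still only removed once, and the STS signing certificate chain (question 2) should be verified separately before any old VMware CA is deleted.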