How can I find out all of the notrust certificates in ACF2? 

Release : 16.0

Component : CA PAM Client for Linux for zSeries

Use the SAFCRRPT utility. This utility will let you specify TRUST or NOTRUST, which will display only the certificates that have either TRUST or NOTRUST status.

An example, minus the jobcard would be:

//SAFRPTCR EXEC PGM=SAFCRRPT,REGION=64M 
//SYSUDUMP DD SYSOUT=*                  
//SYSPRINT DD SYSOUT=*                  
//SYSIN DD *                            
RECORDID(-) SUMMARY NOTRUST    

https://techdocs.broadcom.com/us/en/ca-mainframe-software/security/ca-acf2-for-z-os/16-0/reporting/other-ca-acf2-utilities.html