There are many certificates and certificate authorities that have expired over the years on an ACF2 system which are now starting to create excessive messages in the system logs whenever the following keyring refresh commands are issued:
F ACF2,REBUILD(USR),CLASS(P)
F ACF2,OMVS
What is the best way to perform the cleanup without causing any risk? The REMOVE CERTDATA command can be used to remove them from the keyring, but removing them all at once, even though they have expired, is still nerve-wracking.
Are there any suggestions to perform a certificate cleanup in the safest way possible?
Because an expired certificate cannot be in use, it is safe to delete a certificate on an ACF2 system running current maintenance without following the staged approach below (see the Additional Information section below for maintenance considerations). It is recommended to use an ACFBATCH job to perform bulk ACF2 commands. Upon deletion of a CERTDATA record, ACF2 automatically removes the certificate from any keyring it was connected to:
//ACFBATCH EXEC PGM=ACFBATCH
//SYSPRINT DD SYSOUT=*
//SYSIN DD *
* DELETE A CERTIFICATE *
SET P(USER) DIV(CERTDATA)
DEL user.suffix
/*
However, in an extremely risk-averse environment, or on a system that is behind on ACF2 maintenance, removing the certificate from the keyring first and deleting it later is the most cautious way to clean up expired certificates:
//ACFBATCH EXEC PGM=ACFBATCH
//SYSPRINT DD SYSOUT=*
//SYSIN DD *
* REMOVE CERTIFICATES FROM A KEYRING *
REMOVE CERTDATA(user.suffix) KEYRING(keyring.suffix)
/*
Then refresh the keyring with the following operator (console) commands; these are not ACFBATCH input:
F ACF2,REBUILD(USR),CLASS(P),DIV(KEYRING)
F ACF2,OMVS(KEYRING)
Taking it one step further would include changing the certificate to specify NOTRUST and leaving it that way for some time before removal from the keyring:
//ACFBATCH EXEC PGM=ACFBATCH
//SYSPRINT DD SYSOUT=*
//SYSIN DD *
* REMOVE TRUST FROM CERTIFICATE *
SET P(USER) DIV(CERTDATA)
CHA user.suffix NOTRUST
/*
Even though it is more tedious, removing a certificate from the keyring before deleting it provides a way of "backing out" the change, since the CERTDATA record still exists and can be re-connected to the keyring. This is the suggested method for a large cleanup in a risk-averse environment, as deletion of a certificate is permanent.
Be aware that the removal from the keyring will not prevent the ACF79464 messages seen in the system logs, only deletion of the certificates will do that.
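The three stages above (NOTRUST, REMOVE from keyring plus refresh, DEL) are easy to get wrong by hand when dozens of CERTDATA records are involved. The following Python script is an added example, not part of this article or of ACF2; it takes a constructed inventory of certificate records (hypothetical record ids and dates, not from any real system), keeps only those whose expiry date is at least a grace period in the past, and emits the staged ACFBATCH jobs in the form shown on this page for review before submission. The grace period, the record ids and the inventory layout are this example's own assumptions; the keyring refresh commands are listed separately because they are console commands, not SYSIN input.

```python
"""Generate the staged ACFBATCH cleanup jobs for expired certificates.

Hypothetical helper, not part of ACF2. Record ids and dates are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class CertRecord:
    recid: str              # CERTDATA record id in user.suffix form
    not_after: date         # certificate NOT-AFTER (expiry) date
    keyrings: tuple = ()    # KEYRING record ids the certificate is connected to


# Constructed sample inventory; none of these ids exist on a real system.
SAMPLE_INVENTORY = (
    CertRecord("certusr.oldca01", date(2019, 3, 31), ("certusr.ring01", "certusr.ring02")),
    CertRecord("certusr.web2020", date(2021, 1, 15), ("certusr.ring01",)),
    CertRecord("certusr.web2030", date(2030, 6, 1), ("certusr.ring01",)),
)

JOB_HEADER = ("//ACFBATCH EXEC PGM=ACFBATCH", "//SYSPRINT DD SYSOUT=*", "//SYSIN DD *")
SYSIN_END = "/*"
# Console commands (not SYSIN) that refresh the keyring after removals, as on the page.
KEYRING_REFRESH = ("F ACF2,REBUILD(USR),CLASS(P),DIV(KEYRING)", "F ACF2,OMVS(KEYRING)")


def expired_certs(inventory, today, grace_days=30):
    """Keep only certificates whose expiry is at least grace_days in the past.

    The grace period (an assumption of this example) guards against clock or
    time-zone differences between the host running this script and z/OS.
    `today` may be a date or an ISO-8601 string.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    cutoff = today - timedelta(days=grace_days)
    return [c for c in inventory if c.not_after <= cutoff]


def _job(comment, body):
    """Assemble one ACFBATCH step: JCL header, comment card, body, SYSIN terminator."""
    return "\n".join([*JOB_HEADER, f"* {comment} *", *body, SYSIN_END])


def notrust_job(certs):
    """Stage 1: mark the certificates NOTRUST so they cannot be used."""
    body = ["SET P(USER) DIV(CERTDATA)"] + [f"CHA {c.recid} NOTRUST" for c in certs]
    return _job("REMOVE TRUST FROM CERTIFICATE", body)


def remove_job(certs):
    """Stage 2: disconnect each certificate from every keyring it is on.

    Reversible: the CERTDATA record still exists and can be re-connected.
    """
    body = [f"REMOVE CERTDATA({c.recid}) KEYRING({ring})"
            for c in certs for ring in c.keyrings]
    return _job("REMOVE CERTIFICATES FROM A KEYRING", body)


def delete_job(certs):
    """Stage 3: delete the CERTDATA records (permanent; this is what stops ACF79464)."""
    body = ["SET P(USER) DIV(CERTDATA)"] + [f"DEL {c.recid}" for c in certs]
    return _job("DELETE A CERTIFICATE", body)


def build_plan(inventory, today, grace_days=30):
    """Return the staged jobs plus the console refresh commands, keyed by stage."""
    certs = expired_certs(inventory, today, grace_days)
    if not certs:
        raise ValueError("no certificate in the inventory is past the grace period")
    return {
        "1_notrust": notrust_job(certs),
        "2_remove": remove_job(certs),
        "2_refresh": "\n".join(KEYRING_REFRESH),
        "3_delete": delete_job(certs),
    }


if __name__ == "__main__":
    for stage, text in build_plan(SAMPLE_INVENTORY, "2024-01-01").items():
        print(f"--- {stage} ---\n{text}\n")
```

Run each stage's output as its own ACFBATCH job, with the refresh commands issued from the console after stage 2, and leave the interval the article suggests between stages; the script never emits a DEL for a record that is not past the grace period, so a still-valid certificate in the inventory is simply skipped.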
Additional Information
If running ACF2 R16, verify that PTF LU04678 is applied before cleaning up certificates. This PTF is needed to ensure that orphan pointers are not left behind on the keyring when ACF2 performs the automated removal of a certificate from a keyring during deletion. If orphan pointers occur, they can cause a problem when the keyring is read. Orphan pointers are identified by the following error messages when listing the contents of a keyring:
ACF0A005 RECORD(S) NOT FOUND
Error encountered reading CERTDATA record: certdata.suffix