For the expired certificates, it isn't not allowed to delete them, by design. They can only viewed, and they can also removed from the CCL of interest. The most used of the CCL is the "Browser Trusted" List.
For detailed steps on how you may remove the expired CA certificate from the CCL, please refer to the steps in the Tech. Doc. with the URL below.
It's important to note that the certificate not added to a CCL isn't actively utilized by the appliance, and thus, has no negative impact.
There isn't yet an updated certificate for the expired image validation certificate. This is still being used, and there are no issues with this.
Note: We recommend to have the appliance configured, from CLI, to always auto-update the trust package, which houses the CA certificates. For the required CLI command, please refer to the anippet below.