In Keychain, I have two self-signed root certificates that “are not to be trusted”:
1) com.apple.kerberos.kdc
2) com.apple.systemdefault

Should these certificates be trashed or are they merely false positives? Alas, I no knot their provenance or whence they came.

Harv
27" i7 iMac (10.13.6), iPhone Xs Max (12.1)

Those who can make you believe absurdities can make you commit atrocities. ~Voltaire