Quote: Originally posted by arvidjaar
Normally this happens automatically - the kernel RPM issues a delete request when the last kernel using the certificate is removed. You still have to manually acknowledge the request on reboot.
Got it, thanks!

Quote: Originally posted by nrickert
I think the correct state should be that the enrolled keys are exactly those in "/etc/uefi/certs" plus any that you have manually added (such as a signing key that you created for yourself).
Personally I thought that only the most recent one is enrolled, but it looks like the ones actually used are enrolled.