during the local TLS cert generation (for the server component) its root CA cert is imported system-wide. it should be safe (but see below!) to not only remove the client and server certs during uninstall, but also this root CA cert, because the private root cert was temporary in the first place and it becomes useless when the other certificates are also removed. if necessary, a new set of certs can be generated and registered via the config dialog.

i've also noticed that when you remove the client/server certs, the dialog generates a set of new ones, including a new random root CA. if you do this for testing purposes, you end up with multiple useless root CA certs in your system wide configuration.

however, we explicitly decided to not remove the client/server certs automatically, because they could be custom ones and we didn't want to mess with that. we need a solution to keep custom certs in place, but maybe remove all certs (including the root CA) if they had been generated by GpgOL/Web automatically. maybe check if the issuer and use something reliable for that?