Two things to report here:

- I just left the IP certificates in the system; why should I care if those, nowhere in use, were soon to be invalid, I thought.

The day they were no longer valid, my default DNS certificates were marked invalid as well! Result of that: quite a few LDAP-authenticating applications were no longer willing to do so. Because of the urgency I unfortunately chose a sledgehammer approach and deleted all DNS certificates as well as IP certificates and had them recreated by iManager. So I neither looked into a default DNS certificate nor saved one.
So: why those valid default DNS certs were marked invalid remains a mystery to me. I'd love to hear a theory which might explain what I've seen.

- And secondly: deleted default IP certificates won't get recreated (at least in my tree). Ever.