Is there a tool for auditing my root certificates?

Çağlar Arlı

Is there any tool out there that will monitor my system's use of root CAs? So far I have not found anything, and so I am hoping that this community will know if such a tool exists.

For background, I use Windows, which comes with its own certificate store, Chrome (uses the Windows certs), and Firefox (uses its own trusted certificates).

I live in an English language country, and am unlikely ever to use a large portion of the Internet. So there are root CAs I do not think I need to trust; Hong Kong Post Office comes to mind as one I would rather not trust.

What I don't know is which root certificates my system and browsers have interacted with. It is always possible that some Very Important Site uses the Hong Kong PO as its signing authority, and I have no way of knowing without stumbling upon that site after deleting the certificate.

The ideal solution would be to track which root CAs are being referred to by the system/browser, so over time I could remove trust from the ones that are never used by the OS or the browser/s. I would potentially stumble across occasional errors when I have removed particular certificates that some random website or system tool uses, but could presumably just reinstall the relevant certificate if I cared enough about the error.

Oh - according to this answer Windows will automatically install certificates it trusts as needed (although this can allegedly be disabled). That suggests that I cannot easily control my own level of trust.
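One way to approximate the tracking described in the question, as an added example that is not part of the original post: connect to a list of sites, record which root anchors the chain Windows builds for each, and list the roots in the Windows store that none of them used. The `$Sites` list and the function name `Get-ChainRoot` are assumptions made for illustration; the script covers only the Windows certificate store, not Firefox's own.

```powershell
# Hosts to sample. Constructed placeholder list: replace it with sites you actually use.
$Sites = @('example.com', 'example.org')

function Get-ChainRoot {   # hypothetical helper name, not a built-in cmdlet
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    $found = @{}           # filled in by the validation callback below
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($sender, $certificate, $chain, $sslPolicyErrors)
        # The last element of the chain Windows built is its trust anchor.
        $count = $chain.ChainElements.Count
        if ($count -gt 0) {
            $anchor = $chain.ChainElements[$count - 1].Certificate
            $found.Thumbprint = $anchor.Thumbprint
            $found.Subject    = $anchor.Subject
        }
        # Keep normal validation: accept only chains reported as error-free.
        $sslPolicyErrors -eq [System.Net.Security.SslPolicyErrors]::None
    }
    $ssl = $null
    $tcp = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        [pscustomobject]@{ Host = $HostName; Root = $found.Subject; Thumbprint = $found.Thumbprint }
    }
    catch { Write-Warning "${HostName}: $($_.Exception.Message)" }
    finally { if ($ssl) { $ssl.Dispose() }; $tcp.Dispose() }
}

$observed = foreach ($site in $Sites) { Get-ChainRoot -HostName $site }

# Roots in the machine or user store that no sampled site chained to.
$unused = Get-ChildItem Cert:\LocalMachine\Root, Cert:\CurrentUser\Root |
    Sort-Object Thumbprint -Unique |
    Where-Object { $_.Thumbprint -notin $observed.Thumbprint }

# Roots that were used, with the number of sampled sites relying on each.
$observed | Group-Object Root | Sort-Object Count -Descending | Format-Table Count, Name
$unused | Format-Table Thumbprint, Subject
```

A root in the unused list was only unused by the sampled HTTPS sites; the operating system may still rely on it for other purposes, so the list is a starting point for review, not a removal list.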