How to know which Certificates to leave in my browser, and which to remove

I would like to tighten up security a bit, so I am disabling unneeded certs from my browsers. For instance, the "WoSign CA Limited" cert from China I obviously don't need, yet "Thawte Consulting cc" I do.

Is there any way to see which certs I've actually used so that I could start making informed decisions? Take for example "Trustis Limited". On what basis would I decide to keep or leave it? Also, in addition to "Thawte Consulting cc" there is a cert for "thawte, Inc.". Might one be a spoof? How would I know?


Episode #481 of the Security Now! podcast touches on the related subject of Certificate Transparency. The question "which CAs can I trust?" is replaced by "which certificates are known to represent a given site?".

Once RFC 6962 is universally deployed it allows us to detect that the "Hong Kong Post office CA" (aka the Chinese Government) has issued a fraudulent certificate to www.gmail.com which your pre-2015 browser would otherwise happily accept.

The concept that hundreds of CAs are trusted to issue certificates to any site is crazy.