There isn't a way in Top Secret to track what certificates are or aren't being used. Top Secret does have a SAFCRRPT utility that can be used to display the certificate hierarchy in the database. Optionally, it will display each certificate, its signing certificate, the certificates that it has signed, and all of the information provided with the CHKCERT and LIST commands.
The output can be taylored to display certificates:
- For a specified user
- For a specified key ring
- That have not expired
- That have a key in ICSF
- That are currently trusted
- That will expire within a specified number of days
For more information on the SAFCRRPT utility, please see the following link:
Certificate UtilityMember CERTUTIL in the Top Secret r16 CAKOJCL0 library contains sample jcl for the utility.