Have multiple root certificates on a keyring that are not be used by the client/personal certificate.

How do you determine which certificates are not needed?

Release : 16.0

Component :

Issue a TSS LIST(owningacid) DIGICERT(digicertname) CHAIN for the personal/client certificate.

CHAIN will reveal all certificates involved in the certificate chain for that personal certificate if they are on the security file.

If the keyring is only used for one application, then the others certificates on the keyring that dont appear in the TSS LIST CHAIN can be deleted. 

The keyring is searched sequentially for the certificates, so having unused certificate on the keyring slows the search.

If the keyring is used for other applications, the other certificates might be used by the other application and shouldnt be deleted.