Here's a snippet from the following KB article:
The following are examples of certificates that are generally considered safe to delete:
Unknown foreign certificates
Certificates with a key-length of 1024 bits or smaller
Thanks for the KB link, that information was helpful, but unfortunately didn't resolve the issue for us. From the certificate manager I was able to sort the certificates in the Third-Party Root Certification Authorities store by expiration date and delete the expired ones, but I was still left with 310 certificates - well over the 200 limit, and I could find no way to find and/or delete certificates with a key-length of 1024 bits and smaller. Also, the KB article suggests deleting "unknown foreign certificates", but I was not sure how one identifies these. I saw many CA names listed that I'm not personally familiar with, or that have apparently non-English names, but I don't think that necessarily qualifies them as unneeded.
After some research, I discovered that MS has released a KB about this very specific issue:
In it, they acknowledge that a December root certificate update package intended for clients was mistakenly offered for servers for a short time. This update package contained over 330 Third-Party Root CAs and creates this issue. The recommended fix is to delete all Third-Party Root Certificate Authorities and allow them to be re-applied by Windows Update (after expiring the bad 931125 update).
See also, Windows root certificate program members
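Added example, not part of the thread or of either KB article: a report-only PowerShell inventory of the Third-Party Root Certification Authorities store that flags the two things the certificate manager GUI makes hard to see together, expired certificates and public keys of 1024 bits or smaller. It assumes the store is reached as Cert:\LocalMachine\AuthRoot and takes the 200 figure from the post above; the variable names and the CSV file name are illustrative.

```powershell
# Added example: inventory of the Third-Party Root CA store (AuthRoot).
# Nothing is deleted; the only Remove-Item call runs with -WhatIf.
$storePath = 'Cert:\LocalMachine\AuthRoot'   # assumed provider path for the store
$limit     = 200                             # figure quoted in the thread
$now       = Get-Date

$report = Get-ChildItem -Path $storePath | ForEach-Object {
    $bits = $null
    # PublicKey.Key only supports RSA and DSA keys; other algorithms (ECC)
    # raise an exception, so their size stays $null and they are never
    # flagged as weak on size alone.
    try { $bits = $_.PublicKey.Key.KeySize } catch { }

    [pscustomobject]@{
        Subject    = $_.Subject
        Thumbprint = $_.Thumbprint
        NotAfter   = $_.NotAfter
        Algorithm  = $_.PublicKey.Oid.FriendlyName
        KeyBits    = $bits
        Expired    = ($_.NotAfter -lt $now)
        WeakKey    = ($null -ne $bits) -and ($bits -le 1024)
    }
}

$candidates = @($report | Where-Object { $_.Expired -or $_.WeakKey })
$total      = @($report).Count
$remaining  = $total - $candidates.Count

"Certificates in store : $total (limit $limit)"
"Expired               : $(@($report | Where-Object Expired).Count)"
"Key <= 1024 bits      : $(@($report | Where-Object WeakKey).Count)"
"Left after cleanup    : $remaining"

# Keep a record of what would be removed before changing anything.
$candidates | Sort-Object KeyBits, NotAfter |
    Export-Csv -Path .\authroot-candidates.csv -NoTypeInformation

# Preview the removals only; -WhatIf prints each action without performing it.
$candidates | ForEach-Object {
    Remove-Item -Path (Join-Path $storePath $_.Thumbprint) -WhatIf
}
```

If "Left after cleanup" is still above the limit, removing expired and short-key certificates will not be enough on its own, which matches what the poster found before turning to the second KB.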