I remember once running certificate scan on CIS but now don’t see that option anywhere so is it still somewhere?
It gets scanned during a rating scan or you can create your own scan profile and add the trusted root certificate store as the area to scan.
thx for reminder.