Hi Bob,
I assume you are referring to the Root CA store. These are basically the CAs that your device trusts to sign for the authenticity of other certificates. My understanding of the Lenovo Superfish issue wasn't that there was malicious code in the cert, but rather that by having the cert in the trusted root CA store, users were unknowingly trusting all certs signed by the SuperFish cert. Simply removing it from the store will prevent the device from automatically trusting a cert signed by that CA. I don't know of any software that scans for "bad" certs. I know with Firefox, you can enable OCSP checking for certs.
I hope this helped.
Rob
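
Added example, not part of either post: a PowerShell inventory of the trusted root stores discussed above, flagging entries whose name matches a string from this thread or that hold a private key on the local machine. The function name `Find-RootCertForReview` and its parameters are hypothetical.

```powershell
# Added example: list trusted root certificates and flag entries for manual review.
# Find-RootCertForReview and its parameter names are hypothetical, not a built-in cmdlet.
function Find-RootCertForReview {
    param(
        # Name fragments to look for in Subject/Issuer; 'Superfish' comes from the thread.
        [string[]]$NamePattern = @('Superfish'),
        # Machine-wide and per-user trusted root stores (the per-user view
        # may also list machine-wide entries, so duplicates are expected).
        [string[]]$StorePath = @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')
    )
    foreach ($path in $StorePath) {
        foreach ($cert in Get-ChildItem -Path $path) {
            $reasons = @()
            foreach ($p in $NamePattern) {
                if ($cert.Subject -like "*$p*" -or $cert.Issuer -like "*$p*") {
                    $reasons += "name matches '$p'"
                }
            }
            # A public CA keeps its root private key to itself, so a root
            # certificate with a locally stored private key deserves a look.
            if ($cert.HasPrivateKey) {
                $reasons += 'private key present on this machine'
            }
            [pscustomobject]@{
                Store      = $path
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                Review     = ($reasons -join '; ')
            }
        }
    }
}

# Full inventory with flagged entries sorted to the top.
Find-RootCertForReview |
    Sort-Object { -not $_.Review } |
    Format-Table -AutoSize -Wrap
```

A flag here only marks an entry for manual review; it does not by itself mean the certificate is bad.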
This is a follow-up question to the SuperFish removal noted at http://forums.cnet.com/7723-6132_102-636736/superfish-fix-for-lenovo-owners/?tag=rb_content;contentMain
There are dozens of certificates listed in Certmgr and I haven't found a Bleepingcomputer or other article on this area. Yes, I did google a few entries but what other entries should be considered bad?
Is there a certificate scanner in apps like MalwareBytes?
Bob
