I just finished listening to episode 956 and had a thought about deleting expired CA certs.
In the episode, Steve said that expired CA certificates would "never be valid anyway" so removing them should be "error free." I don't think this is true when it comes to code signing. As long as the code was signed (and countersigned by a timestamp server) during the certificate validity period, it is still considered valid even at a future date when the certs have expired.
So I think removing expired CA certs could cause issues.