Deleting CAs From System-wide Trust-list


In our enterprise, one of the security lockdowns applied to Windows systems is the removal of all but a few, especially-trusted public CAs (along with adding internal CAs to the trust-list).

It's easy enough to add CAs to the host-wide trust-list, but I'm having a heck of a time finding adequate tutelage via Google. I'd tried using certutil to do it, but certutil keeps telling me that the bundle file generated by the update-ca-trust tool is in an unusable format.

Our systems auditors haven't come hunting, yet, for us to align the Red Hat systems' CA trusts with our Windows systems (probably because the verification tools in OpenSSL tend to suck - particularly when it comes to bundles). But, if they do come for my Red Hat systems, I want to have an easily scriptable fix ready to go.

Halp?
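One way to script the lockdown asked about above, as an added example that is not part of the original post: `update-ca-trust` treats certificates placed in its distrust source directory as untrusted, so the script reads the extracted PEM bundle directly and writes every CA that is not on an allow-list into that directory. The two paths, the allow-list file of SHA-256 fingerprints and the function names are assumptions made for this example.

```python
import base64
import hashlib
import re
import sys
from pathlib import Path

# Assumed RHEL paths: the bundle written by update-ca-trust and the directory
# it reads distrusted certificates from (named "blocklist" on newer releases).
BUNDLE = Path("/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem")
DISTRUST_DIR = Path("/etc/pki/ca-trust/source/blacklist")
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)


def fingerprints(bundle_text):
    """Map SHA-256 fingerprint (hex digest of the DER bytes) -> PEM block."""
    certs = {}
    for match in PEM_BLOCK.finditer(bundle_text):
        der = base64.b64decode("".join(match.group(1).split()))
        certs[hashlib.sha256(der).hexdigest()] = match.group(0) + "\n"
    return certs


def plan_distrust(bundle_text, allowed):
    """Return {fingerprint: pem} for every bundle CA not in `allowed`.

    `allowed` holds fingerprints as hex, colons optional, any case."""
    keep = {fp.replace(":", "").strip().lower() for fp in allowed if fp.strip()}
    return {fp: pem for fp, pem in fingerprints(bundle_text).items()
            if fp not in keep}


def write_distrust(plan, dest_dir):
    """Write one <fingerprint>.pem per distrusted CA; return the paths."""
    dest_dir = Path(dest_dir)
    dest_dir.mkdir(parents=True, exist_ok=True)
    paths = []
    for fp, pem in sorted(plan.items()):
        path = dest_dir / f"{fp}.pem"
        path.write_text(pem)
        paths.append(path)
    return paths


if __name__ == "__main__" and len(sys.argv) == 2:
    # Argument: a text file with one allowed SHA-256 fingerprint per line.
    allowed = Path(sys.argv[1]).read_text().splitlines()
    written = write_distrust(plan_distrust(BUNDLE.read_text(), allowed), DISTRUST_DIR)
    print(f"{len(written)} CA(s) written; now run: update-ca-trust extract")
```

Put the fingerprints of the internal CAs in the allow-list as well, since anchors added to the system also appear in the extracted bundle; after `update-ca-trust extract`, `trust list` shows the resulting trust state.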

Responses