FWIW, here's what I just did on my (Arch) Linux machine:
$ for f in /etc/ssl/certs/*.pem; do sudo ln -sfn "$f" /etc/ca-certificates/trust-source/blacklist/; done
$ sudo update-ca-trust
This will block all currently installed CAs (as well as double-block some, but that doesn't really matter). You then need to add them back in.
Restart your browser, and go to websites you access frequently (change them to https:// if necessary). Click the (broken) padlock and read off what CA they used; remove the corresponding .pem file from the blacklist directory. Some might be signed by intermediate certs and thus hard to find, but SSL Hopper has a great chain inspection tool at https://www.sslshopper.com/ssl-checker.html you can use to identify the topmost CA cert you need to whitelist.
After you're done, run "sudo update-ca-trust" again, and restart your browser. All normal sites should work, and you've gotten rid of ~160 root certs.
If it's of interest to anyone, here are the ones I whitelisted to get all sites I bothered to try up an running:
EDIT: Note that this is not a perfect solution; the CAs you've whitelisted could still go bad, and you'll need to blacklist any new CA certs that are added with subsequent ca-certificates updates. But it's a start.
Be careful, this has no effect if you're using firefox/iceweasel. They bring their own set of trusted CAs and ignore all changes on the OS trust store.
You've said the start by blacklisting all SSL, then to inspect the SSL chain using SSL Shopper, but the link to SSL Shopper is using https. So (at least the first time), you need to inspect yet another SSL cert before you can inspect the other SSL cert you were looking at. :P
(FYI, looks like SSL Shopper uses GoDaddy for SSL)
Restart your browser, and go to websites you access frequently (change them to https:// if necessary). Click the (broken) padlock and read off what CA they used; remove the corresponding .pem file from the blacklist directory. Some might be signed by intermediate certs and thus hard to find, but SSL Hopper has a great chain inspection tool at https://www.sslshopper.com/ssl-checker.html you can use to identify the topmost CA cert you need to whitelist.
After you're done, run "sudo update-ca-trust" again, and restart your browser. All normal sites should work, and you've gotten rid of ~160 root certs.
If it's of interest to anyone, here are the ones I whitelisted to get all sites I bothered to try up an running:
EDIT: Note that this is not a perfect solution; the CAs you've whitelisted could still go bad, and you'll need to blacklist any new CA certs that are added with subsequent ca-certificates updates. But it's a start.