@dominikj, that is a tricky question although one we have attempted at our organization. It is reasonably easy to discover what is in Windows machine cert store via certutil or powershell. Results from those outputs can be written to logs and parsed with an analysis.
Things get more difficult from there. A lot of it depends on how homogeneous your environment is. We have a bit of everything, so it is challenging. Discovering and reporting on Java trust and cert stores, whether on Windows or *nix is harder, but can be done if you know where they are located and what the passwords are for them. Java’s Keytool has syntax for that.
keytool.exe -list -v -keystore path\IdentityStore.jks -storepass yourpasswordhere > path\file.log
We have conventions for our Java paths, names, and passwords to make it easier to manage thousands of them. Those keytool logs can then also be consumed in an analysis to lift out the items of interest.
These steps work well in a very structured homogeneous environment.
Another approach, which we also use, is to interrogate common secure ports such as 443, 8443, etc by running a script with something like curl, wget, or powershell. This works ok for known and common ports. I’ve run into several odd secure ports in our own environment that don’t fit the mold. Ports like 17004. You’ll have to partner with apps teams to discover those.