I have done this by hand by manually "untrusting" all CAs and then enabling them one by one as I go along. I never found a good way to move the lists of CAs across browsers. However, for ssl-certificates in Debian, propagating the list across different machines was a breeze with etckeeper. Being able to apt-get install cawatch would be a lot easier.
Do you really want to rely on China's CNIC to make the decision if you should trust a certificate?