RCC is a tiny portable tool which scans Windows and Firefox for potentially rogue certificates.
This matters because, if a particular root CA (certificate authority) is compromised, hackers could use it to make malicious sites or software appear safe.
Even though RCC is console-based, it couldn't be any easier to use. Double-click it, and a few seconds later the program highlights any certificates which may be a risk.
Don't place too much weight on this verdict. RCC isn't definitely saying "these items are dangerous", it's more about listing certificates which aren't part of the default trusted set, items which have been installed by other applications on your PC.
For example, on our test system RCC listed certificates from Kaspersky, Bitdefender, BullGuard and "Disk Master" developer Chengdu QILING. As these all related to packages which were or had been installed on the computer, they could be safely ignored.
If you see items you don't recognise, research them further to try and understand why they might be installed.
We launched the certificate manager (certmgr.msc), found and double-clicked the entry for Chengdu QILING (Trusted Root Certification Authorities\Certificates). This gave us information about the certificate, including a numeric ID - 2.16.840.1.113718.104.22.168.3 - we could search for online to gather more details. There's a right-click Delete option to remove anything worrying.
In Firefox, click Tools > Options > Advanced > Certificates > View > Authorities to see your certificates, and click "Delete or Distrust" to remove a selected item you've decided you don't need.
Keep in mind that deleting legitimate certificates can cause all kinds of odd problems: be very careful.
Even if you delete something malicious, this may not completely solve the problem. If there's active malware on your PC then it could reinstall the certificate later.
RCC offers a convenient way to check your system for root certificates outside of the usual Windows baseline, but keep in mind that it's just a starting point: it may require a lot more work to figure out whether a listed certificate is rogue, or not.