For sake of repeatibility, there are some common drivers that could serve as examples.
For instance, the intel v9.4.1027 chipset drivers.  They include 2000 in the Security Catalog, yet they don't appear to install (manually) without latter certs.
  (win2k usb non-functional due to WHQL-signed editing errors - also take longer to verify than older sigs - i had to go file, by file to check & ... nevermind)
(from latest DP_Chipset_wnt5 nightly): 
Certificate Issues:
 - i\ drivers from 2013 and newer require "Microsoft Root Certificate Authority" CA (not incl. in W2k)
 - i\6\HECI*.sys SymantecTimeStampingServicesCA-G2 (issued by GeoTrustGlobalCA)
 - TM\Z\I386\tcm.sys has an expired certificate issued by zteic design co.,ltd
 - VB\Balloon.*, VIOSER.*, blnsvr.exe, U3\FLxHCI*.sys
     VerisignClass3PublicPrimaryCertificationAuthority-G5 (issued by Microsoft Code Verification Root)
There are also intel "chipset" drivers in the latest nightly for MassStorage, yet have included 2k versions that need not newer certs.
Certificate Issues - XP-SP3 (before any updates):
         - recommend RootsUpd.exe is added to $OEM$\cmdlines.txt
		        or added to winnt.sif @ [GUIRunOnce] section DetatchedProgram="" (include Arguments="")
 - AM\a\1\rccfg.sys & rcraid.sys, AM\a\2\rcraid.sys, As\1\asahci32.sys & asstor32.sys,
   C\HpAHCIsr.sys, I\0\iSSetup.sys, VB\VIOSTOR.SYS
      VerisignClass3PublicPrimaryCertificationAuthority-G5 (issued by Microsoft Code Verification Root)
 - H\r750.*
      SymantecTimeStampingServicesCA-G2 (issued by GeoTrustGlobalCA)
 - I\ drivers from 2013 and newer require "Microsoft Root Certificate Authority" CA (not incl. in W2k)
 - V\VIDEX32.SYS, xfilt.sys
      VIATechnologiesInc. - certificate has expired or is not yet valid
Certificate Issues - XP-SP3 (post-updates):
 - L\msas2k3.* LSI Certificate revoked
Also, many of the latest LAN drivers require a selection of certificates for validation.
(from latest DP_LAN_wnt5 nightly): 
Certificate Issues:
 - newer drivers (incl. Atheros l1c51x86, Broadcomm bnxcdx, Intel e1c5132, e1e5132, e1q5132,e1r5132, ianswxp, ixn5132,
     ixt5132, Marvel yk51x86, Realtek rtu30nicxp & rtenic/rtenicxp, SMSC netx500 .cats, VirtualBox netkvm)
        use "Microsoft Root Certificate Authority" for digital signing (not included in w2k).
     Atheros l1c51x86, Broadcomm bnxcdx, Intel e1c5132, e1e5132, e1q5132,e1r5132, ianswxp, ixn5132,
     ixt5132, Marvel yk51x86, Realtek rtu30nicxp & rtenic/rtenicxp, & VirtualBox netkvm (etc) rely upon other Certificates not included in xp/2k3
That is, if i have that right.
The line about adding rootsupd.exe to one's cmdlines.txt seem incorrect, as that garners errors in setuperr.log, as does expanding rootsupd and manually executing it in a rootsupd.cmd (listed in cmdlines.txt).
Also, i have not yet been able to discern if they install @T33-6 like hoped.  Have kept logs....
						Last edited by TechDud (2014-10-19 18:03:00)