The certificate trust store provides a mechanism for trusting self-signed root certificates from internal and other organizations' certificate authorities (CAs). It is essentially a container for certificate trust lists. Provisioning certificate stores with only the certificate issuers trusted by the organization is critical. The stores must also be locked down so that they cannot be updated without a secure process. Relying parties must consult their certificate trust store to determine whether a particular submitted certificate is trusted.

Figure 1 shows that there must be mutual trust between a consumer and provider by trusting the corresponding CAs that issued each other's identity certificate.

Figure 1 - An example of mutual trust between the consumer trust store and provider trust store.