What is a root store?

A root store is a list of trusted root CA certificates. A certificate authority (CA) uses one or more root certificates as trust anchors for the hierarchy of certificates it issues. A public-facing root store is usually maintained under the authority of a major software provider, which distributes the root store along with the software that relies on it to determine trust. Many browser and operating system providers operate their own root store programs, and a CA may apply to be accepted into a root store under the criteria of that program. The Mozilla Project, for example, maintains a root store that is used by its Firefox browser and Thunderbird email client, and a CA that meets the requirements of the Mozilla Root Store Policy may apply for acceptance. A CA may also be removed from a root store if it fails to meet the expected standards of that program.

Figure: Firefox Root Store – Screenshot of Firefox’s root store, showing built-in SSL.com root certificates and two cached intermediate certificates.

An important point to remember is that each root store is independent of the others. Mozilla, Microsoft, Apple and Google each maintain their own root stores. Many other software providers and services, however, may adopt or allow use of one of these major root stores in their own products. For instance, the Opera browser (which used to operate a root store of its own) has deferred to the root store of the underlying operating system in versions released since 2013.
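The two points above (a CA's root acting as the trust anchor for its hierarchy, and root stores being independent of one another) can be demonstrated with the Go standard library's crypto/x509 package, which models a root store as a CertPool. The following is an added example, not code from the original page or from any root store program: it generates two unrelated self-signed roots, an intermediate and a leaf under root A, and then verifies the leaf against a store holding root A, a store holding root B, and store A again without the intermediate available (the situation a browser avoids by caching intermediates, as in the screenshot above). All certificate names, the hostname www.example.test and the one-day validity period are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert issues a certificate for name, signed by parent/parentKey.
// When parent is nil the certificate is self-signed, i.e. it is a root.
func newCert(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	if err != nil {
		return nil, nil, err
	}
	serial.Add(serial, big.NewInt(1)) // keep the serial strictly positive
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: name}, // constructed name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // CAs must be allowed to sign certificates
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{"www.example.test"} // constructed hostname
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// trusted reports whether leaf chains to an anchor in roots, using only the
// intermediates the verifier has available (sent in the handshake or cached).
func trusted(leaf *x509.Certificate, roots, intermediates *x509.CertPool) bool {
	_, err := leaf.Verify(x509.VerifyOptions{
		DNSName:       "www.example.test",
		Roots:         roots,
		Intermediates: intermediates,
	})
	return err == nil
}

// Verdict records the outcome of the same leaf checked against different stores.
type Verdict struct {
	ByStoreA                    bool // root A (the leaf's actual anchor) is trusted
	ByStoreB                    bool // only the unrelated root B is trusted
	ByStoreAWithoutIntermediate bool // root A trusted, but the intermediate is missing
}

// BuildAndVerify models two independent root stores and evaluates one leaf against them.
func BuildAndVerify() (Verdict, error) {
	rootA, keyA, err := newCert("Example Root CA A", true, nil, nil)
	if err != nil {
		return Verdict{}, err
	}
	inter, keyI, err := newCert("Example Issuing CA A1", true, rootA, keyA)
	if err != nil {
		return Verdict{}, err
	}
	leaf, _, err := newCert("www.example.test", false, inter, keyI)
	if err != nil {
		return Verdict{}, err
	}
	rootB, _, err := newCert("Example Root CA B", true, nil, nil)
	if err != nil {
		return Verdict{}, err
	}

	storeA := x509.NewCertPool() // e.g. one vendor's root store
	storeA.AddCert(rootA)
	storeB := x509.NewCertPool() // another vendor's root store, with a different anchor
	storeB.AddCert(rootB)
	cached := x509.NewCertPool() // intermediates the client has on hand
	cached.AddCert(inter)

	return Verdict{
		ByStoreA:                    trusted(leaf, storeA, cached),
		ByStoreB:                    trusted(leaf, storeB, cached),
		ByStoreAWithoutIntermediate: trusted(leaf, storeA, x509.NewCertPool()),
	}, nil
}

func main() {
	v, err := BuildAndVerify()
	if err != nil {
		panic(err)
	}
	fmt.Printf("store A: %v, store B: %v, store A without intermediate: %v\n",
		v.ByStoreA, v.ByStoreB, v.ByStoreAWithoutIntermediate)
}
```

The leaf is accepted only when the store contains the root that anchors its chain and the intermediate can be found; inclusion of a root in one vendor's store says nothing about another vendor's, which is why CAs apply to each root store program separately.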

Other organizations may also maintain root stores for their own purposes – an energy sector institution like the New York Independent System Operator (NYISO) might maintain a root store to control and secure access to energy trading and monitoring systems.