Digital certificates are an important part of network security. A digital certificate serves two main functions. First, a digital certificate binds a public key to a named entity, so that the entity can prove, by demonstrating possession of the corresponding private key, that the public key belongs to it. Second, a digital certificate provides a way for a network entity, such as a client, service, or network application, to prove the entity's identity. Certificate Authorities (“CAs”) play an important role by validating the identity of entities that request digital certificates, and by issuing digital certificates to entities that the Certificate Authority (“CA”) has validated. When a certificate authority issues a digital certificate, the certificate authority signs the digital certificate using a private key belonging to the certificate authority. A network client can verify the identity of a network service by requesting the digital certificate belonging to the network service. If the digital certificate presented by the network service is signed by a certificate authority that the network client is configured to trust, the network client can verify the signature on the digital certificate using the certificate authority's public key, confirm that the name in the digital certificate matches the network service the client intended to reach, and check that the digital certificate is within its validity period, thereby confirming the identity of the network service.
Identifying a set of trusted certificate authorities is a difficult problem. A network client can be configured to trust a particular certificate authority by including that certificate authority's certificate in a trust store. If a network client trusts a particular certificate authority, every digital certificate issued by that certificate authority will be trusted by the network client, for any name the certificate authority chooses to certify, unless the trust store applies additional constraints. Some applications, such as some web browsers, include trust stores with large numbers of certificate authorities, and each certificate authority can potentially issue thousands of digital certificates. As a result, it can be very difficult for a network client to determine which certificate authorities should be trusted, or to specify which of the digital certificates issued by a particular certificate authority should be trusted.
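As an added illustration, not part of this document, the following Go program uses only the standard library's crypto/x509 package to model the flow described in the two paragraphs above: a CA signs a service certificate; a client whose trust store holds that CA verifies the signature chain, validity period and host name; the same certificate is rejected when the trust store holds an unrelated CA or when the expected host name differs; and a SubjectPublicKeyInfo pin lets the client accept one specific certificate instead of everything the CA issues. The CA names, host names and use of P-256 keys are assumptions chosen for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// randomSerial returns a 128-bit serial number so two certificates never collide.
func randomSerial() *big.Int {
	n, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		panic(err)
	}
	return n
}

// newCA generates a key pair and a self-signed CA certificate for it.
// The CA's private key is what signs every certificate it issues.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          randomSerial(),
		Subject:               pkix.Name{CommonName: name}, // assumed example name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueServerCert has the CA sign a certificate binding a fresh key pair to dnsName.
func issueServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, dnsName string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: randomSerial(),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName}, // the name a client will check against
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyServer is the client-side check: chain the leaf to a CA in the trust
// store, verifying signatures, validity periods and the expected host name.
func verifyServer(leaf *x509.Certificate, trustStore []*x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	for _, c := range trustStore {
		roots.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// spkiPin hashes the certificate's SubjectPublicKeyInfo: a client that pins this
// value trusts one specific key, not every certificate the issuing CA signs.
func spkiPin(c *x509.Certificate) [32]byte {
	return sha256.Sum256(c.RawSubjectPublicKeyInfo)
}

// scenario collects the outcomes a client can observe.
type scenario struct {
	Trusted, UnknownCA, WrongHost error
	PinOK, PinRejectsOther       bool
}

// runScenario builds a CA, a service certificate and an unrelated CA, then runs the checks.
func runScenario() (scenario, error) {
	const host = "service.example.test" // assumed example host name
	ca, caKey, err := newCA("Example Root CA")
	if err != nil {
		return scenario{}, err
	}
	leaf, err := issueServerCert(ca, caKey, host)
	if err != nil {
		return scenario{}, err
	}
	// A second certificate from the same CA for the same name: chain-valid, but not the pinned key.
	leaf2, err := issueServerCert(ca, caKey, host)
	if err != nil {
		return scenario{}, err
	}
	otherCA, _, err := newCA("Unrelated CA")
	if err != nil {
		return scenario{}, err
	}
	pin := spkiPin(leaf)
	return scenario{
		Trusted:         verifyServer(leaf, []*x509.Certificate{ca}, host),
		UnknownCA:       verifyServer(leaf, []*x509.Certificate{otherCA}, host),
		WrongHost:       verifyServer(leaf, []*x509.Certificate{ca}, "other.example.test"),
		PinOK:           spkiPin(leaf) == pin,
		PinRejectsOther: spkiPin(leaf2) != pin,
	}, nil
}

func main() {
	s, err := runScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("trusted CA: %v\nunknown CA: %v\nwrong host: %v\npin ok: %v, pin rejects other: %v\n",
		s.Trusted, s.UnknownCA, s.WrongHost, s.PinOK, s.PinRejectsOther)
}
```

The UnknownCA and WrongHost cases are the two failures a client must treat as fatal: the first means no CA in the trust store vouches for the certificate, the second means a trusted CA vouched for it but for a different name. The pin check shows the narrower policy from the second paragraph, trusting a single key even though the CA would also validate leaf2.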