These containers must include only certificates from trusted Certificate Authorities. Administration of the certificates in these containers must be restricted.