These containers must include only certificates from trusted Certificate Authorities. Administration of the certificates in these containers should be restricted.