The PKCS #11 API can be used to allow all applications in the same operating system to access shared cryptographic keys and certificates in a uniform way, as in Figure 5.1. That way applications could load their trusted certificate list, as well as user certificates from a common PKCS #11 module. Such a provider is the p11-kit trust storage module12 and it provides access to the trusted Root CA certificates in a system. That provides a more dynamic list of Root CA certificates, as opposed to a static list in a file or directory.
That store, allows for blacklisting of CAs or certificates, as well as categorization of the Root CAs (Web verification, Code signing, etc.), in addition to restricting their purpose via stapled extensions13. GnuTLS will utilize the p11-kit trust module as the default trust store if configured to; i.e., if ’–with-default-trust-store-pkcs11=pkcs11:’ is given to the configure script.
See the ’Restricting the scope of CA certificates’ post at http://nmav.gnutls.org/2016/06/restricting-scope-of-ca-certificates.html