diff --git a/lib/hx509/hx509.h b/lib/hx509/hx509.h
index 75d64734b..6bd36e98b 100644
--- a/lib/hx509/hx509.h
+++ b/lib/hx509/hx509.h
@@ -162,6 +162,7 @@ typedef enum {
 /* flags to hx509_certs_store */
 #define HX509_CERTS_STORE_NO_PRIVATE_KEYS 0x04
+#define HX509_CERTS_STORE_NO_ROOTS 0x08
 /* flags to hx509_set_error_string */
diff --git a/lib/hx509/ks_file.c b/lib/hx509/ks_file.c
index 880668b45..6d8c77bd2 100644
--- a/lib/hx509/ks_file.c
+++ b/lib/hx509/ks_file.c
@@ -550,6 +550,14 @@ store_func(hx509_context context, void *ctx, hx509_cert c)
     heim_octet_string data;
     int ret = 0;
+    if ((sc->store_flags & HX509_CERTS_STORE_NO_ROOTS)) {
+        int self_signed = 0;
+
+        ret = hx509_cert_is_self_signed(context, c, &self_signed);
+        if (ret || self_signed)
+            return ret;
+    }
+
     if (hx509_cert_have_private_key_only(c)) {
         data.length = 0;
         data.data = NULL;
diff --git a/lib/hx509/ks_p12.c b/lib/hx509/ks_p12.c
index 953ce7880..1e9a92a4f 100644
--- a/lib/hx509/ks_p12.c
+++ b/lib/hx509/ks_p12.c
@@ -525,6 +525,14 @@ store_func(hx509_context context, void *d, hx509_cert c)
     size_t size;
     int ret;
+    if ((ctx->store_flags & HX509_CERTS_STORE_NO_ROOTS)) {
+        int is_root = 0;
+
+        ret = hx509_cert_is_root(context, c, &is_root);
+        if (ret || is_root)
+            return ret;
+    }
+
     memset(&os, 0, sizeof(os));
     memset(&cb, 0, sizeof(cb));
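Review bot: The new HX509_CERTS_STORE_NO_ROOTS flag is added without a comment stating what a store backend is expected to filter, and the two backends in this commit do not agree on that (self-signed in ks_file.c, root in ks_p12.c), so the header is the place to pin the contract. I would document it next to the define, e.g. `/* do not write root (self-signed CA) certificates to the store */`, or whichever of the two interpretations is intended, so that future backends implement the same test. The existing NO_PRIVATE_KEYS flag above it is likewise undocumented in the visible context.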
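Review bot: The ks_file.c store_func filters with hx509_cert_is_self_signed() while the ks_p12.c store_func in the same commit filters the same flag with hx509_cert_is_root(); if those predicates differ (is_root presumably also requires the certificate to be a CA, whereas a self-signed end-entity certificate is not a root), the FILE backend will silently drop a self-signed leaf that the PKCS#12 backend keeps, which callers cannot detect because the function returns 0 in both cases. Since the flag is named NO_ROOTS, the ks_file.c check should use the same predicate as ks_p12.c: `ret = hx509_cert_is_root(context, c, &is_root);` with `if (ret || is_root) return ret;`. Also note that returning ret when the certificate is skipped makes a dropped certificate indistinguishable from a stored one; if callers need to know, that is worth a comment at the early return. The body of store_func continues outside both hunks.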