In Metro Security there is a use case which requires that the Server store the Client certificates and vice versa. In such situations today we store the client certificate in the Server truststore and similarly the Server certificate is stored in the Client truststore. Storing non-CA certificates in the truststore is not a good idea from a security perspective: anything placed there becomes a trust anchor, so a peer certificate stored for identification purposes is also granted the authority to issue trusted certificates.
The Java CertStore (http://download.oracle.com/javase/6/docs/api/java/security/cert/CertStore.html) is an appropriate place to store such other-party non-CA certificates, since it is a repository of certificates that can be queried but does not confer trust. The JSR 196 CertStoreCallback in GlassFish, however, currently returns the GlassFish truststore as the CertStore.
As a first step we would like to introduce a new keystore in the domain config that will be exposed as a CertStore via the JSR 196 default CallbackHandler in GlassFish. In a later release (if developers really ask for it) we could think of a CertStore configuration element under security-service. That would allow more flexibility on what the CertStore backend really is (for example an LDAP directory). Today Metro developers have the option of overriding the whole GlassFish JSR 196 CallbackHandler, and this would allow them to have any arbitrary CertStore implementation.
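To make the proposal concrete, here is an added illustration (not GlassFish or Metro code) of what a CallbackHandler that answers a JSR 196 CertStoreCallback from a dedicated peer-certificate keystore looks like, as opposed to handing back the truststore. The keystore path, its password, the class name PeerCertStoreCallbackHandler and the findBySubject lookup are all assumptions for the example; it relies only on the standard java.security.cert API and the javax.security.auth.message.callback.CertStoreCallback class from JASPIC 1.0 (JSR 196), and assumes Java 7 or later.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.KeyStore;
import java.security.cert.CertStore;
import java.security.cert.CertStoreException;
import java.security.cert.Certificate;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Enumeration;
import java.util.List;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.message.callback.CertStoreCallback;
import javax.security.auth.x500.X500Principal;

/**
 * Hypothetical CallbackHandler (example only, not part of GlassFish) that serves
 * a JSR 196 CertStoreCallback from a separate "peer certificates" keystore.
 * Certificates in that keystore are never used as trust anchors; they are only
 * made available for lookup, which is what a CertStore is for.
 */
public class PeerCertStoreCallbackHandler implements CallbackHandler {

    private final CertStore peerCertStore;

    /**
     * @param peerKeystorePath path to a JKS keystore holding only trusted-certificate
     *                         entries for known peers (assumed name and location)
     * @param password         keystore integrity password
     */
    public PeerCertStoreCallbackHandler(String peerKeystorePath, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(peerKeystorePath)) {
            ks.load(in, password);
        }

        // Collect only the certificate entries; private-key entries stay out of the CertStore.
        List<Certificate> peerCerts = new ArrayList<>();
        for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements();) {
            String alias = aliases.nextElement();
            if (ks.isCertificateEntry(alias)) {
                peerCerts.add(ks.getCertificate(alias));
            }
        }

        // A CollectionCertStore is the simplest in-memory CertStore backend; the same
        // CertStoreCallback contract would be satisfied by an LDAP-backed CertStore.
        this.peerCertStore = CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(peerCerts));
    }

    /** Answers CertStoreCallback with the peer CertStore; other callbacks are rejected. */
    @Override
    public void handle(Callback[] callbacks) throws IOException, UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (cb instanceof CertStoreCallback) {
                ((CertStoreCallback) cb).setCertStore(peerCertStore);
            } else {
                throw new UnsupportedCallbackException(cb, "Only CertStoreCallback is handled here");
            }
        }
    }

    /**
     * Example consumer-side query: find a peer's certificate by subject DN.
     * Returns null when the peer is unknown, which a caller should treat as a failure.
     */
    public X509Certificate findBySubject(String subjectDn) throws CertStoreException {
        X509CertSelector selector = new X509CertSelector();
        selector.setSubject(new X500Principal(subjectDn));
        Collection<? extends Certificate> matches = peerCertStore.getCertificates(selector);
        for (Certificate c : matches) {
            if (c instanceof X509Certificate) {
                return (X509Certificate) c;
            }
        }
        return null;
    }
}
```

The point of the separation is that the truststore continues to answer TrustStoreCallback with CA certificates only, while peer certificates live in a store that can be queried by subject, issuer or serial number through X509CertSelector but never contribute to path validation.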