And when you want to run a public one, you should learn at least everything that cacert did. They tried hard and still never got included. https://www.cacert.org/ That effort seems to be dying and it's been years since anyone asked me to authenticate them.

Some history here. http://wiki.cacert.org/InclusionStatus And that's before root stores had to deal with Honest Achmed's Used Cars and Certificates.