Is a client truststore optional in one-way TLS? What about mTLS?

Trust relationships in TLS are determined by truststores, which hold the CA certificates you trust to verify a peer’s certificate. In one-way TLS, the client checks the server’s certificate against its trusted CAs. If your runtime already provides a suitable default truststore (or the server’s cert is already trusted by that default), you don’t need a separate client truststore. In mutual TLS, both sides authenticate each other: the client verifies the server’s certificate, and the server verifies the client’s. Here again you can rely on the environment’s default trusted CAs, or supply a dedicated truststore if you must trust additional CAs beyond what’s already configured. So, a client truststore is optional in both one-way TLS and mTLS; it’s only required if you need to trust something beyond the existing trust anchors.