diff --git a/src/config_new.c b/src/config_new.c
index 8cea603c..4cefadf6 100644
--- a/src/config_new.c
+++ b/src/config_new.c
@@ -911,7 +911,7 @@ nc_server_config_new_ch_del_endpt(const char *client_name, const char *endpt_nam
 }
 
 API int
-nc_server_config_new_keystore_asym_key(const struct ly_ctx *ctx, const char *name, const char *privkey_path,
+nc_server_config_new_keystore_asym_key(const struct ly_ctx *ctx, const char *asym_key_name, const char *privkey_path,
         const char *pubkey_path, struct lyd_node **config)
 {
     int ret = 0;
@@ -920,7 +920,7 @@ nc_server_config_new_keystore_asym_key(const struct ly_ctx *ctx, const char *nam
     NC_PUBKEY_FORMAT pubkey_type;
     const char *privkey_format, *pubkey_format;
 
-    NC_CHECK_ARG_RET(NULL, ctx, name, privkey_path, config, 1);
+    NC_CHECK_ARG_RET(NULL, ctx, asym_key_name, privkey_path, config, 1);
 
     /* get the keys as a string from the given files */
     ret = nc_server_config_new_get_keys(privkey_path, pubkey_path, &privkey, &pubkey, &privkey_type, &pubkey_type);
@@ -944,25 +944,25 @@ nc_server_config_new_keystore_asym_key(const struct ly_ctx *ctx, const char *nam
     }
 
     ret = nc_config_new_create(ctx, config, pubkey_format, "/ietf-keystore:keystore/asymmetric-keys/"
-            "asymmetric-key[name='%s']/public-key-format", name);
+            "asymmetric-key[name='%s']/public-key-format", asym_key_name);
     if (ret) {
         goto cleanup;
     }
 
     ret = nc_config_new_create(ctx, config, pubkey, "/ietf-keystore:keystore/asymmetric-keys/"
-            "asymmetric-key[name='%s']/public-key", name);
+            "asymmetric-key[name='%s']/public-key", asym_key_name);
     if (ret) {
         goto cleanup;
     }
 
     ret = nc_config_new_create(ctx, config, privkey_format, "/ietf-keystore:keystore/asymmetric-keys/"
-            "asymmetric-key[name='%s']/private-key-format", name);
+            "asymmetric-key[name='%s']/private-key-format", asym_key_name);
     if (ret) {
         goto cleanup;
     }
 
     ret = nc_config_new_create(ctx, config, privkey, "/ietf-keystore:keystore/asymmetric-keys/"
-            "asymmetric-key[name='%s']/cleartext-private-key", name);
+            "asymmetric-key[name='%s']/cleartext-private-key", asym_key_name);
     if (ret) {
         goto cleanup;
     }
@@ -974,19 +974,56 @@ nc_server_config_new_keystore_asym_key(const struct ly_ctx *ctx, const char *nam
 }
 
 API int
-nc_server_config_new_del_keystore_asym_key(const char *name, struct lyd_node **config)
+nc_server_config_new_del_keystore_asym_key(const char *asym_key_name, struct lyd_node **config)
 {
     NC_CHECK_ARG_RET(NULL, config, 1);
 
-    if (name) {
-        return nc_config_new_delete(config, "/ietf-keystore:keystore/asymmetric-keys/asymmetric-key[name='%s']", name);
+    if (asym_key_name) {
+        return nc_config_new_delete(config, "/ietf-keystore:keystore/asymmetric-keys/asymmetric-key[name='%s']", asym_key_name);
     } else {
         return nc_config_new_delete(config, "/ietf-keystore:keystore/asymmetric-keys/asymmetric-key");
     }
 }
 
 API int
-nc_server_config_new_truststore_pubkey(const struct ly_ctx *ctx, const char *bag_name, const char *pubkey_name,
+nc_server_config_new_keystore_cert(const struct ly_ctx *ctx, const char *asym_key_name, const char *cert_name,
+        const char *cert_path, struct lyd_node **config)
+{
+    int ret = 0;
+    char *cert = NULL;
+
+    NC_CHECK_ARG_RET(NULL, ctx, asym_key_name, cert_name, cert_path, config, 1);
+
+    /* get cert data */
+    ret = nc_server_config_new_read_certificate(cert_path, &cert);
+    if (ret) {
+        goto cleanup;
+    }
+
+    ret = nc_config_new_create(ctx, config, cert, "/ietf-keystore:keystore/asymmetric-keys/"
+            "asymmetric-key[name='%s']/certificates/certificate[name='%s']/cert-data", asym_key_name, cert_name);
+
+cleanup:
+    free(cert);
+    return ret;
+}
+
+API int
+nc_server_config_new_del_keystore_cert(const char *asym_key_name, const char *cert_name, struct lyd_node **config)
+{
+    NC_CHECK_ARG_RET(NULL, asym_key_name, config, 1);
+
+    if (cert_name) {
+        return nc_config_new_delete(config, "/ietf-keystore:keystore/asymmetric-keys/asymmetric-key[name='%s']/"
+                "certificates/certificate[name='%s']", asym_key_name, cert_name);
+    } else {
+        return nc_config_new_delete(config, "/ietf-keystore:keystore/asymmetric-keys/asymmetric-key[name='%s']/"
+                "certificates/certificate", asym_key_name);
+    }
+}
+
+API int
+nc_server_config_new_truststore_pubkey(const struct ly_ctx *ctx, const char *pub_bag_name, const char *pubkey_name,
         const char *pubkey_path, struct lyd_node **config)
 {
     int ret = 0;
@@ -994,7 +1031,7 @@ nc_server_config_new_truststore_pubkey(const struct ly_ctx *ctx, const char *bag
     NC_PUBKEY_FORMAT pubkey_format;
     const char *format;
 
-    NC_CHECK_ARG_RET(NULL, ctx, bag_name, pubkey_name, pubkey_path, config, 1);
+    NC_CHECK_ARG_RET(NULL, ctx, pub_bag_name, pubkey_name, pubkey_path, config, 1);
 
     ret = nc_server_config_new_get_pubkey(pubkey_path, &pubkey, &pubkey_format);
     if (ret) {
@@ -1009,13 +1046,13 @@ nc_server_config_new_truststore_pubkey(const struct ly_ctx *ctx, const char *bag
     }
 
     ret = nc_config_new_create(ctx, config, format, "/ietf-truststore:truststore/public-key-bags/"
-            "public-key-bag[name='%s']/public-key[name='%s']/public-key-format", bag_name, pubkey_name);
+            "public-key-bag[name='%s']/public-key[name='%s']/public-key-format", pub_bag_name, pubkey_name);
     if (ret) {
         goto cleanup;
     }
 
     ret = nc_config_new_create(ctx, config, pubkey, "/ietf-truststore:truststore/public-key-bags/"
-            "public-key-bag[name='%s']/public-key[name='%s']/public-key", bag_name, pubkey_name);
+            "public-key-bag[name='%s']/public-key[name='%s']/public-key", pub_bag_name, pubkey_name);
     if (ret) {
         goto cleanup;
     }
@@ -1026,17 +1063,57 @@ nc_server_config_new_truststore_pubkey(const struct ly_ctx *ctx, const char *bag
 }
 
 API int
-nc_server_config_new_del_truststore_pubkey(const char *bag_name,
+nc_server_config_new_del_truststore_pubkey(const char *pub_bag_name,
         const char *pubkey_name, struct lyd_node **config)
 {
-    NC_CHECK_ARG_RET(NULL, bag_name, config, 1);
+    NC_CHECK_ARG_RET(NULL, pub_bag_name, config, 1);
 
     if (pubkey_name) {
         return nc_config_new_delete(config, "/ietf-truststore:truststore/public-key-bags/"
-                "public-key-bag[name='%s']/public-key[name='%s']", bag_name, pubkey_name);
+                "public-key-bag[name='%s']/public-key[name='%s']", pub_bag_name, pubkey_name);
     } else {
         return nc_config_new_delete(config, "/ietf-truststore:truststore/public-key-bags/"
-                "public-key-bag[name='%s']/public-key", bag_name);
+                "public-key-bag[name='%s']/public-key", pub_bag_name);
+    }
+}
+
+API int
+nc_server_config_new_truststore_cert(const struct ly_ctx *ctx, const char *cert_bag_name, const char *cert_name,
+        const char *cert_path, struct lyd_node **config)
+{
+    int ret = 0;
+    char *cert = NULL;
+
+    NC_CHECK_ARG_RET(NULL, ctx, cert_bag_name, cert_name, cert_path, config, 1);
+
+    ret = nc_server_config_new_read_certificate(cert_path, &cert);
+    if (ret) {
+        goto cleanup;
+    }
+
+    ret = nc_config_new_create(ctx, config, cert, "/ietf-truststore:truststore/certificate-bags/"
+            "certificate-bag[name='%s']/certificate[name='%s']/cert-data", cert_bag_name, cert_name);
+    if (ret) {
+        goto cleanup;
+    }
+
+cleanup:
+    free(cert);
+    return ret;
+}
+
+API int
+nc_server_config_new_del_truststore_cert(const char *cert_bag_name,
+        const char *cert_name, struct lyd_node **config)
+{
+    NC_CHECK_ARG_RET(NULL, cert_bag_name, config, 1);
+
+    if (cert_name) {
+        return nc_config_new_delete(config, "/ietf-truststore:truststore/certificate-bags/"
+                "certificate-bag[name='%s']/certificate[name='%s']", cert_bag_name, cert_name);
+    } else {
+        return nc_config_new_delete(config, "/ietf-truststore:truststore/certificate-bags/"
+                "certificate-bag[name='%s']/certificate", cert_bag_name);
     }
 }
 
diff --git a/src/config_new_tls.c b/src/config_new_tls.c
index 1ba72ddf..d80af8a2 100644
--- a/src/config_new_tls.c
+++ b/src/config_new_tls.c
@@ -181,6 +181,38 @@ nc_server_config_new_ch_tls_del_server_certificate(const char *client_name, cons
             "certificate/inline-definition", client_name, endpt_name);
 }
 
+API int
+nc_server_config_new_tls_keystore_reference(const struct ly_ctx *ctx, const char *endpt_name, const char *asym_key_ref,
+        const char *cert_ref, struct lyd_node **config)
+{
+    int ret = 0;
+
+    NC_CHECK_ARG_RET(NULL, ctx, endpt_name, asym_key_ref, cert_ref, config, 1);
+
+    /* create asymmetric key pair reference */
+    ret = nc_config_new_create(ctx, config, asym_key_ref, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/"
+            "tls/tls-server-parameters/server-identity/certificate/keystore-reference/asymmetric-key", endpt_name);
+    if (ret) {
+        goto cleanup;
+    }
+
+    /* create cert reference, this cert has to belong to the asym key */
+    ret = nc_config_new_create(ctx, config, cert_ref, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/"
+            "tls/tls-server-parameters/server-identity/certificate/keystore-reference/certificate", endpt_name);
+
+cleanup:
+    return ret;
+}
+
+API int
+nc_server_config_new_tls_del_keystore_reference(const char *endpt_name, struct lyd_node **config)
+{
+    NC_CHECK_ARG_RET(NULL, endpt_name, config, 1);
+
+    return nc_config_new_delete(config, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/"
+            "tls/tls-server-parameters/server-identity/certificate/keystore-reference", endpt_name);
+}
+
 static int
 _nc_server_config_new_tls_client_certificate(const struct ly_ctx *ctx, const char *tree_path,
         const char *cert_path, struct lyd_node **config)
@@ -295,6 +327,25 @@ nc_server_config_new_ch_tls_del_client_certificate(const char *client_name, cons
     }
 }
 
+API int
+nc_server_config_new_tls_client_cert_truststore_ref(const struct ly_ctx *ctx, const char *endpt_name,
+        const char *cert_bag_ref, struct lyd_node **config)
+{
+    NC_CHECK_ARG_RET(NULL, ctx, endpt_name, cert_bag_ref, config, 1);
+
+    return nc_config_new_create(ctx, config, cert_bag_ref, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/"
+            "tls-server-parameters/client-authentication/ee-certs/truststore-reference", endpt_name);
+}
+
+API int
+nc_server_config_new_tls_del_client_cert_truststore_ref(const char *endpt_name, struct lyd_node **config)
+{
+    NC_CHECK_ARG_RET(NULL, endpt_name, config, 1);
+
+    return nc_config_new_delete(config, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/"
+            "tls-server-parameters/client-authentication/ee-certs/truststore-reference", endpt_name);
+}
+
 API int
 nc_server_config_new_tls_client_ca(const struct ly_ctx *ctx, const char *endpt_name, const char *cert_name,
         const char *cert_path, struct lyd_node **config)
@@ -386,6 +437,25 @@ nc_server_config_new_ch_tls_del_client_ca(const char *client_name, const char *e
     }
 }
 
+API int
+nc_server_config_new_tls_client_ca_truststore_ref(const struct ly_ctx *ctx, const char *endpt_name,
+        const char *cert_bag_ref, struct lyd_node **config)
+{
+    NC_CHECK_ARG_RET(NULL, ctx, endpt_name, cert_bag_ref, config, 1);
+
+    return nc_config_new_create(ctx, config, cert_bag_ref, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/"
+            "tls-server-parameters/client-authentication/ca-certs/truststore-reference", endpt_name);
+}
+
+API int
+nc_server_config_new_tls_del_client_ca_truststore_ref(const char *endpt_name, struct lyd_node **config)
+{
+    NC_CHECK_ARG_RET(NULL, endpt_name, config, 1);
+
+    return nc_config_new_delete(config, "/ietf-netconf-server:netconf-server/listen/endpoint[name='%s']/tls/"
+            "tls-server-parameters/client-authentication/ca-certs/truststore-reference", endpt_name);
+}
+
 static const char *
 nc_config_new_tls_maptype2str(NC_TLS_CTN_MAPTYPE map_type)
 {
diff --git a/src/server_config.h b/src/server_config.h
index b53036ac..34562915 100644
--- a/src/server_config.h
+++ b/src/server_config.h
@@ -126,8 +126,8 @@ int nc_server_config_new_del_endpt(const char *endpt_name, struct lyd_node **con
  * @brief Creates new YANG data nodes for an asymmetric key in the keystore.
  *
  * @param[in] ctx libyang context.
- * @param[in] name Name of the asymmetric key pair.
- * This name is used to reference the key pair.
+ * @param[in] asym_key_name Identifier of the asymmetric key pair.
+ * This identifier is used to reference the key pair.
  * @param[in] privkey_path Path to a private key file.
  * @param[in] pubkey_path Optional path a public key file.
  * If not supplied, it will be generated from the private key.
@@ -135,46 +135,109 @@ int nc_server_config_new_del_endpt(const char *endpt_name, struct lyd_node **con
  * Otherwise the new YANG data will be added to the previous data and may override it.
  * @return 0 on success, non-zero otherwise.
  */
-int nc_server_config_new_keystore_asym_key(const struct ly_ctx *ctx, const char *name, const char *privkey_path,
+int nc_server_config_new_keystore_asym_key(const struct ly_ctx *ctx, const char *asym_key_name, const char *privkey_path,
         const char *pubkey_path, struct lyd_node **config);
 
 /**
  * @brief Deletes a keystore's asymmetric key from the YANG data.
  *
- * @param[in] name Optional identifier of the asymmetric key to be deleted.
+ * @param[in] asym_key_name Optional identifier of the asymmetric key to be deleted.
  * If NULL, all of the asymmetric keys in the keystore will be deleted.
  * @param[in,out] config Configuration YANG data tree.
  * @return 0 on success, non-zero otherwise.
  */
-int nc_server_config_new_del_keystore_asym_key(const char *name, struct lyd_node **config);
+int nc_server_config_new_del_keystore_asym_key(const char *asym_key_name, struct lyd_node **config);
+
+/**
+ * @brief Creates new YANG data nodes for a certificate in the keystore.
+ *
+ * A certificate can not exist without its asymmetric key, so you must call ::nc_server_config_new_keystore_asym_key()
+ * either before or after calling this with the same identifier for the asymmetric key.
+ *
+ * An asymmetric key pair can have zero or more certificates associated with this key pair, however a certificate must
+ * have exactly one key pair it belongs to.
+ *
+ * @param[in] ctx libyang context.
+ * @param[in] asym_key_name Arbitrary identifier of the asymmetric key.
+ * If an asymmetric key pair with this name already exists, its contents will be changed.
+ * @param[in] cert_name Arbitrary identifier of the key pair's certificate.
+ * If a certificate with this name already exists, its contents will be changed.
+ * @param[in] cert_path Path to the PEM encoded certificate file.
+ * @param[in,out] config Configuration YANG data tree. If *config is NULL, it will be created.
+ * Otherwise the new YANG data will be added to the previous data and may override it.
+ * @return 0 on success, non-zero otherwise.
+ */
+int nc_server_config_new_keystore_cert(const struct ly_ctx *ctx, const char *asym_key_name, const char *cert_name,
+        const char *cert_path, struct lyd_node **config);
+
+/**
+ * @brief Deletes a keystore's certificate from the YANG data.
+ *
+ * @param[in] asym_key_name Identifier of an existing asymmetric key pair.
+ * @param[in] cert_name Optional identifier of a certificate to be deleted.
+ * If NULL, all of the certificates belonging to the asymmetric key pair will be deleted.
+ * @param[in,out] config Configuration YANG data tree. If *config is NULL, it will be created.
+ * Otherwise the new YANG data will be added to the previous data and may override it.
+ * @return 0 on success, non-zero otherwise.
+ */
+int nc_server_config_new_del_keystore_cert(const char *asym_key_name, const char *cert_name, struct lyd_node **config);
 
 /**
  * @brief Creates new YANG data nodes for a public key in the truststore.
  *
  * @param[in] ctx libyang context.
- * @param[in] bag_name Arbitrary identifier of the public key bag.
+ * @param[in] pub_bag_name Arbitrary identifier of the public key bag.
  * This name is used to reference the public keys in the bag.
  * If a public key bag with this name already exists, its contents will be changed.
  * @param[in] pubkey_name Arbitrary identifier of the public key.
- * If a public key with this name already exists, its contents will be changed.
+ * If a public key with this name already exists in the given bag, its contents will be changed.
  * @param[in] pubkey_path Path to a file containing a public key.
  * @param[in,out] config Configuration YANG data tree. If *config is NULL, it will be created.
  * Otherwise the new YANG data will be added to the previous data and may override it.
  * @return 0 on success, non-zero otherwise.
  */
-int nc_server_config_new_truststore_pubkey(const struct ly_ctx *ctx, const char *bag_name, const char *pubkey_name,
+int nc_server_config_new_truststore_pubkey(const struct ly_ctx *ctx, const char *pub_bag_name, const char *pubkey_name,
         const char *pubkey_path, struct lyd_node **config);
 
 /**
  * @brief Deletes a truststore's public key from the YANG data.
  *
- * @param[in] bag_name Identifier of an existing public key bag.
+ * @param[in] pub_bag_name Identifier of an existing public key bag.
  * @param[in] pubkey_name Optional identifier of a public key to be deleted.
  * If NULL, all of the public keys in the given bag will be deleted.
  * @param[in,out] config Configuration YANG data tree.
  * @return 0 on success, non-zero otherwise.
  */
-int nc_server_config_new_del_truststore_pubkey(const char *bag_name, const char *pubkey_name, struct lyd_node **config);
+int nc_server_config_new_del_truststore_pubkey(const char *pub_bag_name, const char *pubkey_name, struct lyd_node **config);
+
+/**
+ * @brief Creates new YANG data nodes for a certificate in the truststore.
+ *
+ * @param[in] ctx libyang context.
+ * @param[in] cert_bag_name Arbitrary identifier of the certificate bag.
+ * This name is used to reference the certificates in the bag.
+ * If a certificate bag with this name already exists, its contents will be changed.
+ * @param[in] cert_name Arbitrary identifier of the certificate.
+ * If a certificate with this name already exists in the given bag, its contents will be changed.
+ * @param[in] cert_path Path to a file containing a PEM encoded certificate.
+ * @param[in,out] config Configuration YANG data tree. If *config is NULL, it will be created.
+ * Otherwise the new YANG data will be added to the previous data and may override it.
+ * @return 0 on success, non-zero otherwise.
+ */
+int nc_server_config_new_truststore_cert(const struct ly_ctx *ctx, const char *cert_bag_name, const char *cert_name,
+        const char *cert_path, struct lyd_node **config);
+
+/**
+ * @brief Deletes a truststore's certificate from the YANG data.
+ *
+ * @param[in] cert_bag_name Identifier of an existing certificate bag.
+ * @param[in] cert_name Optional identifier of a certificate to be deleted.
+ * If NULL, all of the certificates in the given bag will be deleted.
+ * @param[in,out] config Configuration YANG data tree.
+ * @return 0 on success, non-zero otherwise.
+ */
+int nc_server_config_new_del_truststore_cert(const char *cert_bag_name,
+        const char *cert_name, struct lyd_node **config);
 
 /**
  * @}
@@ -615,6 +678,30 @@ int nc_server_config_new_tls_server_certificate(const struct ly_ctx *ctx, const
  */
 int nc_server_config_new_tls_del_server_certificate(const char *endpt_name, struct lyd_node **config);
 
+/**
+ * @brief Creates new YANG configuration data nodes for a keystore reference to the TLS server's certificate.
+ *
+ * @param[in] ctx libyang context.
+ * @param[in] endpt_name Arbitrary identifier of the endpoint.
+ * If an endpoint with this identifier already exists, its contents will be changed.
+ * @param[in] asym_key_ref Name of the asymmetric key pair in the keystore to be referenced.
+ * @param[in] cert_ref Name of the certificate, which must belong to the given asymmetric key pair, to be referenced.
+ * @param[in,out] config Configuration YANG data tree. If *config is NULL, it will be created.
+ * Otherwise the new YANG data will be added to the previous data and may override it.
+ * @return 0 on success, non-zero otherwise.
+ */
+int nc_server_config_new_tls_keystore_reference(const struct ly_ctx *ctx, const char *endpt_name, const char *asym_key_ref,
+        const char *cert_ref, struct lyd_node **config);
+
+/**
+ * @brief Deletes a TLS server certificate keystore reference from the YANG data.
+ *
+ * @param[in] endpt_name Identifier of an existing endpoint.
+ * @param[in,out] config Modified configuration YANG data tree.
+ * @return 0 on success, non-zero otherwise.
+ */
+int nc_server_config_new_tls_del_keystore_reference(const char *endpt_name, struct lyd_node **config);
+
 /**
  * @brief Creates new YANG configuration data nodes for a client's (end-entity) certificate.
  *
@@ -642,6 +729,29 @@ int nc_server_config_new_tls_client_certificate(const struct ly_ctx *ctx, const
  */
 int nc_server_config_new_tls_del_client_certificate(const char *endpt_name, const char *cert_name, struct lyd_node **config);
 
+/**
+ * @brief Creates new YANG configuration data nodes for a truststore reference to a set of client (end-entity) certificates.
+ *
+ * @param[in] ctx libyang context.
+ * @param[in] endpt_name Arbitrary identifier of the endpoint.
+ * If an endpoint with this identifier already exists, its contents will be changed.
+ * @param[in] cert_bag_ref Identifier of the certificate bag in the truststore to be referenced.
+ * @param[in,out] config Configuration YANG data tree. If *config is NULL, it will be created.
+ * Otherwise the new YANG data will be added to the previous data and may override it.
+ * @return 0 on success, non-zero otherwise.
+ */
+int nc_server_config_new_tls_client_cert_truststore_ref(const struct ly_ctx *ctx, const char *endpt_name,
+        const char *cert_bag_ref, struct lyd_node **config);
+
+/**
+ * @brief Deletes a client (end-entity) certificates truststore reference from the YANG data.
+ *
+ * @param[in] endpt_name Identifier of an existing endpoint.
+ * @param[in,out] config Modified configuration YANG data tree.
+ * @return 0 on success, non-zero otherwise.
+ */
+int nc_server_config_new_tls_del_client_cert_truststore_ref(const char *endpt_name, struct lyd_node **config);
+
 /**
  * @brief Creates new YANG configuration data nodes for a client certificate authority (trust-anchor) certificate.
  *
@@ -669,6 +779,29 @@ int nc_server_config_new_tls_client_ca(const struct ly_ctx *ctx, const char *end
  */
 int nc_server_config_new_tls_del_client_ca(const char *endpt_name, const char *cert_name, struct lyd_node **config);
 
+/**
+ * @brief Creates new YANG configuration data nodes for a truststore reference to a set of client certificate authority (trust-anchor) certificates.
+ *
+ * @param[in] ctx libyang context.
+ * @param[in] endpt_name Arbitrary identifier of the endpoint.
+ * If an endpoint with this identifier already exists, its contents will be changed.
+ * @param[in] cert_bag_ref Identifier of the certificate bag in the truststore to be referenced.
+ * @param[in,out] config Configuration YANG data tree. If *config is NULL, it will be created.
+ * Otherwise the new YANG data will be added to the previous data and may override it.
+ * @return 0 on success, non-zero otherwise.
+ */
+int nc_server_config_new_tls_client_ca_truststore_ref(const struct ly_ctx *ctx, const char *endpt_name,
+        const char *cert_bag_ref, struct lyd_node **config);
+
+/**
+ * @brief Deletes a client certificate authority (trust-anchor) certificates truststore reference from the YANG data.
+ *
+ * @param[in] endpt_name Identifier of an existing endpoint.
+ * @param[in,out] config Modified configuration YANG data tree.
+ * @return 0 on success, non-zero otherwise.
+ */
+int nc_server_config_new_tls_del_client_ca_truststore_ref(const char *endpt_name, struct lyd_node **config);
+
 /**
  * @brief Creates new YANG configuration data nodes for a cert-to-name entry.
  *
diff --git a/src/session_server_tls.c b/src/session_server_tls.c
index f6bb796b..3c389823 100644
--- a/src/session_server_tls.c
+++ b/src/session_server_tls.c
@@ -610,6 +610,8 @@ nc_server_tls_do_preverify(struct nc_session *session, X509_STORE_CTX *x509_ctx,
     struct nc_cert_grouping *ee_certs;
     int i, ret;
     X509 *cert;
+    struct nc_certificate *certs;
+    uint16_t cert_count;
 
     store = X509_STORE_CTX_get0_store(x509_ctx);
     if (!store) {
@@ -624,8 +626,18 @@ nc_server_tls_do_preverify(struct nc_session *session, X509_STORE_CTX *x509_ctx,
         return -1;
     }
 
-    for (i = 0; i < ee_certs->cert_count; i++) {
-        cert = base64der_to_cert(ee_certs->certs[i].data);
+    if (ee_certs->store == NC_STORE_LOCAL) {
+        /* local definition */
+        certs = ee_certs->certs;
+        cert_count = ee_certs->cert_count;
+    } else {
+        /* truststore reference */
+        certs = ee_certs->ts_ref->certs;
+        cert_count = ee_certs->ts_ref->cert_count;
+    }
+
+    for (i = 0; i < cert_count; i++) {
+        cert = base64der_to_cert(certs[i].data);
         ret = cert_pubkey_match(session->opts.server.client_cert, cert);
         X509_free(cert);
         if (ret) {
@@ -981,23 +993,25 @@ tls_store_add_trusted_cert(X509_STORE *cert_store, const char *cert_data)
 }
 
 static int
-nc_tls_store_set_trusted_certs(X509_STORE *cert_store, struct nc_cert_grouping *certs)
+nc_tls_store_set_trusted_certs(X509_STORE *cert_store, struct nc_cert_grouping *ca_certs)
 {
     uint16_t i;
+    struct nc_certificate *certs;
+    uint16_t cert_count;
 
-    if (certs->store == NC_STORE_LOCAL) {
+    if (ca_certs->store == NC_STORE_LOCAL) {
         /* local definition */
-        for (i = 0; i < certs->cert_count; i++) {
-            if (tls_store_add_trusted_cert(cert_store, certs->certs[i].data)) {
-                return -1;
-            }
-        }
+        certs = ca_certs->certs;
+        cert_count = ca_certs->cert_count;
     } else {
         /* truststore */
-        for (i = 0; i < certs->ts_ref->cert_count; i++) {
-            if (tls_store_add_trusted_cert(cert_store, certs->ts_ref->certs[i].data)) {
-                return -1;
-            }
+        certs = ca_certs->ts_ref->certs;
+        cert_count = ca_certs->ts_ref->cert_count;
+    }
+
+    for (i = 0; i < cert_count; i++) {
+        if (tls_store_add_trusted_cert(cert_store, certs[i].data)) {
+            return -1;
         }
     }
 
diff --git a/tests/test_ks_ts.c b/tests/test_ks_ts.c
index fb179e06..2d125fad 100644
--- a/tests/test_ks_ts.c
+++ b/tests/test_ks_ts.c
@@ -36,75 +36,6 @@ struct test_state {
     pthread_barrier_t barrier;
 };
 
-const char *data =
-        "<netconf-server xmlns=\"urn:ietf:params:xml:ns:yang:ietf-netconf-server\" xmlns:yang=\"urn:ietf:params:xml:ns:yang:1\" yang:operation=\"none\">\n"
-        "    <listen yang:operation=\"create\">\n"
-        "        <idle-timeout>10</idle-timeout>\n"
-        "        <endpoint>\n"
-        "            <name>default-ssh</name>\n"
-        "            <ssh>\n"
-        "                <tcp-server-parameters>\n"
-        "                    <local-address>127.0.0.1</local-address>\n"
-        "                    <local-port>10005</local-port>\n"
-        "                </tcp-server-parameters>\n"
-        "                <ssh-server-parameters>\n"
-        "                    <server-identity>\n"
-        "                        <host-key>\n"
-        "                            <name>key</name>\n"
-        "                            <public-key>\n"
-        "                                <keystore-reference>test_keystore</keystore-reference>\n"
-        "                            </public-key>\n"
-        "                        </host-key>\n"
-        "                    </server-identity>\n"
-        "                    <client-authentication>\n"
-        "                        <users>\n"
-        "                            <user>\n"
-        "                                <name>test_ts</name>\n"
-        "                                <public-keys>\n"
-        "                                    <inline-definition>\n"
-        "                                        <public-key>\n"
-        "                                            <name>test</name>\n"
-        "                                            <public-key-format xmlns:ct=\"urn:ietf:params:xml:ns:yang:ietf-crypto-types\">ct:ssh-public-key-format</public-key-format>\n"
-        "                                            <public-key>AAAAB3NzaC1yc2EAAAADAQABAAABAQDPavVALiM7QwTIUAndO8E9GOkSDQWjuEwkzbJ3kOBPa7kkq71UOZFeecDjFb9eipkljfFys/JYHGQaYVF8/svT0KV5h7HlutRdF6yvqSEbjpbTORb27pdHX3iFEyDCwCIoq9vMeX+wyXnteyn01GpIL0ig0WAnvkqX/SPjuplX5ZItUSr0MhXM7fNSX50BD6G8IO0/djUcdMUcjTjGv73SxB9ZzLvxnhXuUJbzEJJJLj6qajyEIVaJSa73vA33JCD8qzarrsuITojVLPDFmeHwSAoB5dP86yop6e6ypuXzKxxef6yNXcE8oTj8UFYBIXsgIP2nBvWk41EaK0Vk3YFl</public-key>\n"
-        "                                        </public-key>\n"
-        "                                    </inline-definition>\n"
-        "                                </public-keys>\n"
-        "                            </user>\n"
-        "                        </users>\n"
-        "                    </client-authentication>\n"
-        "                    <transport-params>\n"
-        "                        <host-key>\n"
-        "                            <host-key-alg xmlns:sshpka=\"urn:ietf:params:xml:ns:yang:iana-ssh-public-key-algs\">sshpka:rsa-sha2-512</host-key-alg>\n"
-        "                        </host-key>\n"
-        "                        <key-exchange>\n"
-        "                            <key-exchange-alg xmlns:sshkea=\"urn:ietf:params:xml:ns:yang:iana-ssh-key-exchange-algs\">sshkea:curve25519-sha256</key-exchange-alg>\n"
-        "                        </key-exchange>\n"
-        "                        <encryption>\n"
-        "                            <encryption-alg xmlns:sshea=\"urn:ietf:params:xml:ns:yang:iana-ssh-encryption-algs\">sshea:aes256-ctr</encryption-alg>\n"
-        "                        </encryption>\n"
-        "                        <mac>\n"
-        "                            <mac-alg xmlns:sshma=\"urn:ietf:params:xml:ns:yang:iana-ssh-mac-algs\">sshma:hmac-sha2-512</mac-alg>\n"
-        "                        </mac>\n"
-        "                    </transport-params>\n"
-        "                </ssh-server-parameters>\n"
-        "            </ssh>\n"
-        "        </endpoint>\n"
-        "    </listen>\n"
-        "</netconf-server>\n"
-        "\n"
-        "<keystore xmlns=\"urn:ietf:params:xml:ns:yang:ietf-keystore\" xmlns:yang=\"urn:ietf:params:xml:ns:yang:1\" yang:operation=\"create\">\n"
-        "    <asymmetric-keys>\n"
-        "        <asymmetric-key>\n"
-        "            <name>test_keystore</name>\n"
-        "            <public-key-format xmlns:ct=\"urn:ietf:params:xml:ns:yang:ietf-crypto-types\">ct:ssh-public-key-format</public-key-format>\n"
-        "            <public-key>MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA6ojtjfDmvyQP1ZkIwBpr97eKDuebvpoglRHRdvVuTpf/gU1VArAQmwGh05i6lm8TkVl1noMlIxLJDcWslaeVn6KyvsX0HhsQtXwqPqwka5UCv6alwf/ivAvcNpcX1j0t/uIGCI4dSiKnzQCyf0FTirzQkjrDZUd3meDhNQTruCalGV4gfNWIq3e1oGuwAn1tLlu9oTrE4HzMpgbNEU6wNmsSqpwGxUhYLoSaM7b0dLmqP+ZczSS0Uac0PFNkehGQ2CYIT80f580o4XGtoLCUUGkp6YCTL4Z2CeBEaJABWjDIDH+dKYIUBqUpz4Th12gXAP+h+3qI6+9eppeHrfrzARDsfLjwUNxQJse1QSArjAytf0FKtGHrORc7W0TiCFvR0zaoUNLTKk7enTiRQ9rfWZOAu44fUvPCaXDE6zXXeaVgoKCo4VHlho36erUcjlEBM+jk28IykbZGtBb6igKvYa1tPSgeYm/zJoFVjQcnr14uci/ft1+Na+hOIEoEEiKxcAPk2b2vBKNlRIW7WLJ3u7ZiuQEJTNm6+3cE4+lfwaBCBqBToE+dpzvoUXoMyFFReUFd1O5axu4fXgt00jMaOQxmE0v9OmR/pL/PWIflVF4Zz5yVONYaDVc7l+veY0oEZruEPJ0hlEgxuCzLrcMhjufl2qE2Q7fQIaav/1NqBVkCAwEAAQ==</public-key>\n"
-        "            <private-key-format xmlns:ct=\"urn:ietf:params:xml:ns:yang:ietf-crypto-types\">ct:rsa-private-key-format</private-key-format>\n"
-        "            <cleartext-private-key>MIIJKAIBAAKCAgEA6ojtjfDmvyQP1ZkIwBpr97eKDuebvpoglRHRdvVuTpf/gU1VArAQmwGh05i6lm8TkVl1noMlIxLJDcWslaeVn6KyvsX0HhsQtXwqPqwka5UCv6alwf/ivAvcNpcX1j0t/uIGCI4dSiKnzQCyf0FTirzQkjrDZUd3meDhNQTruCalGV4gfNWIq3e1oGuwAn1tLlu9oTrE4HzMpgbNEU6wNmsSqpwGxUhYLoSaM7b0dLmqP+ZczSS0Uac0PFNkehGQ2CYIT80f580o4XGtoLCUUGkp6YCTL4Z2CeBEaJABWjDIDH+dKYIUBqUpz4Th12gXAP+h+3qI6+9eppeHrfrzARDsfLjwUNxQJse1QSArjAytf0FKtGHrORc7W0TiCFvR0zaoUNLTKk7enTiRQ9rfWZOAu44fUvPCaXDE6zXXeaVgoKCo4VHlho36erUcjlEBM+jk28IykbZGtBb6igKvYa1tPSgeYm/zJoFVjQcnr14uci/ft1+Na+hOIEoEEiKxcAPk2b2vBKNlRIW7WLJ3u7ZiuQEJTNm6+3cE4+lfwaBCBqBToE+dpzvoUXoMyFFReUFd1O5axu4fXgt00jMaOQxmE0v9OmR/pL/PWIflVF4Zz5yVONYaDVc7l+veY0oEZruEPJ0hlEgxuCzLrcMhjufl2qE2Q7fQIaav/1NqBVkCAwEAAQKCAgAeRZw75Oszoqj0jfMmMILdD3Cfad+dY3FvLESYESeyt0XAX8XoOed6ymQj1qPGxQGGkkBvPEgv1b3jrC8Rhfb3Ct39Z7mRpTar5iHhwwBUboBTUmQ0vR173iAHX8sw2Oa17mCO/CDlr8Fu4Xcom7r3vlVBepo72VSjpPYMjN0MANjwhEi3NCyWzTXBRgUK3TuZbzfzto0w2Irlpx0S7dAqxfk70jXBgwv2vSDWKfg1lL1X0BkMVX98xpMkcjMW2muSqp4KBtTma4GqT6z0f7Y1Bs3lGLZmvPlBXxQVVvkFtiQsENCtSd/h17Gk2mb4EbReaaBzwCYqJdRWtlpJ54kzy8U00co+Yn//ZS7sbbIDkqHPnXkpdIr+0rEDMlOw2Y3vRZCxqZFqfWCW0uzhwKqk2VoYqtDL+ORKG/aG/KTBQ4Y71Uh+7aabPwj5R+NaVMjbqmrVeH70eKjoNVgcNYY1C9rGVF1d+LQEm7UsqS0DPp4wN9QKLAqIfuarAhQBhZy1R7Sj1r5macD9DsGxsurM4mHZV0LNmYLZiFHjTUb6iRSPD5RBFW80vcNtxZ0cxmkLtxrj/DVyExV11Cl0SbZLLa9mScYvxdl/qZutXt3PQyab0NiYxGzCD2RnLkCyxkh1vuHHjhvIWYfbd2VgZB/qGr+o9T07FGfMCu23//fugQKCAQEA9UH38glH/rAjZ431sv6ryUEFY8I2FyLTijtvoj9CNGcQn8vJQAHvUPfMdyqDoum6wgcTmG+UXA6mZzpGQCiY8JW5CoItgXRoYgNzpvVVe2aLf51QGtNLLEFpNDMpCtI+I+COpAmGvWAukku0pZfRjm9eb1ydvTpHlFC9+VhVUsLzw3VtSC5PVW6r65mZcYcB6SFVPap+31ENP/9jOMFoymh57lSMZJMxTEA5b0l2miFb9Rp906Zqiud5zv2jIqF6gL70giW3ovVxR7LGKKTKIa9pxawHwB6Ithygs7YoJkjF2dm8pZTMZKsQN92K70XGj07SmYRLZpkVD7i+cqbbKQKCAQEA9M6580Rcw6W0twfcy0/iB4U5ZS52EcCjW8vHlL+MpUo7YvXadSgV1ZaM28zW/ZGk3wE0zy1YT5s30SQkm0NiWN3t/J0l19ccAOxlPWfjhF7vIQZr7XMo5HeaK0Ak5+68J6bx6KgcXmlJOup7INaE8DyGXB6vd4K6957IXyqs3/bfJAUmz49hnveCfLFdTVVT/Uq4IoPKfQSbSZc0BvPBsnBCF164l4jllGBaWS302dhgW4cgxzG0SZGgNwow4AhB+ygiiS8yvOa7UcHfUObVrzWeeq9mYSQ1PkvUTjkWR2/Y8xy7WP0TRBdJOVSs90H51lerEDGNQWvQvI97S9ZOsQKCAQB59u9lpuXtqwxAQCFyfSFSuQoEHR2nDcOjF4GhbtHum15yCPaw5QVs/33nuPWze4ZLXReKk9p0mTh5V0p+N3IvGlXl+uzEVu5d55eI7LIw5sLymHmwjWjxvimiMtrzLbCHSPHGc5JU9NLUH9/bBY/JxGpy+NzcsHHOOQTwTdRIjviIOAo7fgQn2RyX0k+zXE8/7zqjqvji9zyemdNu8we4uJICSntyvJwkbj/hrufTKEnBrwXpzfVn1EsH+6w32ZPBGLUhT75txJ8r56SRq7l1XPU9vxovmT+lSMFF/Y0j1MbHWnds5H1shoFPNtYTvWBL/gfPHjIc+H23zsiu3XlZAoIBAC2xB/Pnpoi9vOUMiqFH36AXtYa1DURy+AqCFlYlClMvb7YgvQ1w1eJvnwrHSLk7HdKhnwGsLPduuRRH8q0n/osnoOutSQroE0n41UyIv2ZNccRwNmSzQcairBu2dSz02hlsh2otNl5IuGpOqXyPjXBpW4qGD6n2tH7THALnLC0BHtTSQVQsJsRM3gX39LoiWvLDp2qJvplm6rTpi8Rgap6rZSqHe1yNKIxxD2vlr/WY9SMgLXYASO4SSBz9wfGOmQIPk6KXNJkdV4kC7nNjIi75iwLLCgjHgUiHTrDq5sWekpeNnUoWsinbTsdsjnv3zHG9GyiClyLGxMbs4M5eyYECggEBAKuC8ZMpdIrjk6tERYB6g0LnQ7mW8XYbDFAmLYMLs9yfG2jcjVbsW9Kugsr+3poUUv/q+hNO3jfY4HazhZDa0MalgNPoSwr/VNRnkck40x2ovFb989J7yl++zTrnIrax9XRH1V0cNu+Kj7OMwZ2RRfbNv5JBdOZPvkfqyIKFmbQgYbtD66rHuzNOfJpzqr/WVLO57/zzW8245NKG2B6B0oXkei/KqDY0DAbHR3i3EOj1NPtVI1FC/xX8R9BREaid458bqoHJKuInrGcBjaUI9Cvymv8TbstUgD6NPbJR4Sm6vrLeUqzjWZP3t1+Z6DjXmnpR2vvhMU/FWb//21p/88o=</cleartext-private-key>\n"
-        "           <certificates></certificates>\n"
-        "        </asymmetric-key>\n"
-        "    </asymmetric-keys>\n"
-        "</keystore>\n";
-
 static void *
 server_thread(void *arg)
 {
@@ -136,7 +67,7 @@ server_thread(void *arg)
 }
 
 static void *
-client_thread(void *arg)
+client_thread_ssh(void *arg)
 {
     int ret;
     struct nc_session *session = NULL;
@@ -163,14 +94,14 @@ client_thread(void *arg)
 }
 
 static void
-test_nc_ks_ts(void **state)
+test_nc_ks_ts_ssh(void **state)
 {
     int ret, i;
     pthread_t tids[2];
 
     assert_non_null(state);
 
-    ret = pthread_create(&tids[0], NULL, client_thread, *state);
+    ret = pthread_create(&tids[0], NULL, client_thread_ssh, *state);
     assert_int_equal(ret, 0);
     ret = pthread_create(&tids[1], NULL, server_thread, *state);
     assert_int_equal(ret, 0);
@@ -181,7 +112,7 @@ test_nc_ks_ts(void **state)
 }
 
 static int
-setup_f(void **state)
+setup_ssh(void **state)
 {
     int ret;
     struct lyd_node *tree = NULL;
@@ -234,6 +165,130 @@ setup_f(void **state)
     return 0;
 }
 
+static void *
+client_thread_tls(void *arg)
+{
+    int ret;
+    struct nc_session *session = NULL;
+    struct test_state *state = arg;
+
+    ret = nc_client_set_schema_searchpath(MODULES_DIR);
+    assert_int_equal(ret, 0);
+
+    /* set client cert */
+    ret = nc_client_tls_set_cert_key_paths(TESTS_DIR "/data/client.crt", TESTS_DIR "/data/client.key");
+    assert_int_equal(ret, 0);
+
+    /* set client ca */
+    ret = nc_client_tls_set_trusted_ca_paths(NULL, TESTS_DIR "/data");
+    assert_int_equal(ret, 0);
+
+    pthread_barrier_wait(&state->barrier);
+    session = nc_connect_tls("127.0.0.1", 10005, NULL);
+    assert_non_null(session);
+
+    nc_session_free(session, NULL);
+    return NULL;
+}
+
+static void
+test_nc_ks_ts_tls(void **state)
+{
+    int ret, i;
+    pthread_t tids[2];
+
+    assert_non_null(state);
+
+    ret = pthread_create(&tids[0], NULL, client_thread_tls, *state);
+    assert_int_equal(ret, 0);
+    ret = pthread_create(&tids[1], NULL, server_thread, *state);
+    assert_int_equal(ret, 0);
+
+    for (i = 0; i < 2; i++) {
+        pthread_join(tids[i], NULL);
+    }
+}
+
+static int
+setup_tls(void **state)
+{
+    int ret;
+    struct lyd_node *tree = NULL;
+    struct test_state *test_state;
+
+    nc_verbosity(NC_VERB_VERBOSE);
+
+    /* init barrier */
+    test_state = malloc(sizeof *test_state);
+    assert_non_null(test_state);
+
+    ret = pthread_barrier_init(&test_state->barrier, NULL, 2);
+    assert_int_equal(ret, 0);
+
+    *state = test_state;
+
+    /* new ctx */
+    ret = ly_ctx_new(MODULES_DIR, 0, &ctx);
+    assert_int_equal(ret, 0);
+
+    /* init ctx */
+    ret = nc_server_init_ctx(&ctx);
+    assert_int_equal(ret, 0);
+
+    /* load ietf netconf server module and its requisities */
+    ret = nc_server_config_load_modules(&ctx);
+    assert_int_equal(ret, 0);
+
+    /* new tls bind */
+    ret = nc_server_config_new_address_port(ctx, "endpt", NC_TI_OPENSSL, "127.0.0.1", 10005, &tree);
+    assert_int_equal(ret, 0);
+
+    /* new keystore asym key pair */
+    ret = nc_server_config_new_keystore_asym_key(ctx, "server_key", TESTS_DIR "/data/server.key", NULL, &tree);
+    assert_int_equal(ret, 0);
+
+    /* new keystore cert belonging to the key pair */
+    ret = nc_server_config_new_keystore_cert(ctx, "server_key", "server_cert", TESTS_DIR "/data/server.crt", &tree);
+    assert_int_equal(ret, 0);
+
+    /* new truststore client cert */
+    ret = nc_server_config_new_truststore_cert(ctx, "ee_cert_bag", "ee_cert", TESTS_DIR "/data/client.crt", &tree);
+    assert_int_equal(ret, 0);
+
+    /* new truststore client CA cert */
+    ret = nc_server_config_new_truststore_cert(ctx, "ca_cert_bag", "ca_cert", TESTS_DIR "/data/serverca.pem", &tree);
+    assert_int_equal(ret, 0);
+
+    /* new keystore ref for the TLS server cert */
+    ret = nc_server_config_new_tls_keystore_reference(ctx, "endpt", "server_key", "server_cert", &tree);
+    assert_int_equal(ret, 0);
+
+    /* new truststore ref for the client cert */
+    ret = nc_server_config_new_tls_client_cert_truststore_ref(ctx, "endpt", "ee_cert_bag", &tree);
+    assert_int_equal(ret, 0);
+
+    /* new truststore ref for the client CA cert */
+    ret = nc_server_config_new_tls_client_ca_truststore_ref(ctx, "endpt", "ca_cert_bag", &tree);
+    assert_int_equal(ret, 0);
+
+    /* new cert-to-name */
+    ret = nc_server_config_new_tls_ctn(ctx, "endpt", 1,
+            "04:85:6B:75:D1:1A:86:E0:D8:FE:5B:BD:72:F5:73:1D:07:EA:32:BF:09:11:21:6A:6E:23:78:8E:B6:D5:73:C3:2D",
+            NC_TLS_CTN_SPECIFIED, "client", &tree);
+    assert_int_equal(ret, 0);
+
+    /* configure the server based on the data */
+    ret = nc_server_config_setup_data(tree);
+    assert_int_equal(ret, 0);
+
+    ret = nc_server_init();
+    assert_int_equal(ret, 0);
+
+    lyd_free_all(tree);
+
+    return 0;
+}
+
 static int
 teardown_f(void **state)
 {
@@ -258,7 +313,8 @@ int
 main(void)
 {
     const struct CMUnitTest tests[] = {
-        cmocka_unit_test_setup_teardown(test_nc_ks_ts, setup_f, teardown_f),
+        cmocka_unit_test_setup_teardown(test_nc_ks_ts_ssh, setup_ssh, teardown_f),
+        cmocka_unit_test_setup_teardown(test_nc_ks_ts_tls, setup_tls, teardown_f),
     };
 
     setenv("CMOCKA_TEST_ABORT", "1", 1);