Tags: authentication, ssl-certificate, wcf-security, certificate-authority

How is the issuer Root CA installed on the client machine when a (dynamic) client connects to the server for the first time?


I read about server authentication over the web and learned that the issuer Root CA should be imported into the Trusted Root CAs on both the server and client machines for mutual authentication.

Now let's say it is a banking application.

The user connects to the bank server for the first time:

  1. The server returns its server certificate to validate itself to the client.
  2. The client gets the certificate and validates it with the trusted Root CA authority which signed this server certificate earlier.
  3. The client sends its certificate and the server validates it with the trusted Root CA authority which signed this client certificate earlier.
  4. Now communication starts.

In Step 3 I understand that the trusted Root CA authority is installed on the server when the server gets deployed. However, in Step 2, when the client machine connects for the first time (and it can connect dynamically from any machine), how does the Root CA authority get installed on the client machine?


Solution

  • Root CA certificates are usually preinstalled in the operating system and in software (when the software uses its own trust store). Administrators may use their tools to deploy additional roots (which are not common, for example, an organization's private roots).
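As an added illustration of the answer (example script, not part of the original post): it builds a throwaway private root CA and a server certificate signed by it, then runs the same chain check a TLS client performs, once with that root in the trust store and once with only an unrelated root. It assumes `openssl` is installed; the names and files are constructed in a temporary directory.

```shell
#!/bin/sh
# Added example, not from the original Q&A. Shows why a client can only
# accept a server certificate when the issuing root is in its trust store.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

make_private_pki() {
  # 1. The organization's own root CA (self-signed). This is the certificate
  #    that must be present in the client's trust store.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" \
    -subj "/CN=Example Private Root CA" >/dev/null 2>&1
  # 2. Server key and CSR, then a leaf certificate issued by that root.
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" \
    -subj "/CN=bank.example.test" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/server.csr" -days 30 \
    -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
    -out "$WORK/server.pem" >/dev/null 2>&1
}

# Chain check a client performs: returns 0 if server.pem chains to a root
# in the given trust store file, non-zero otherwise.
verify_against_store() {
  openssl verify -CAfile "$1" "$WORK/server.pem" >/dev/null 2>&1
}

# Client whose trust store contains the private root: certificate accepted.
client_with_root() {
  verify_against_store "$WORK/root.pem"
}

# Client whose trust store holds only an unrelated root (stand-in for a
# default OS store that never received the org's root): certificate rejected.
client_without_root() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$WORK/other.key" -out "$WORK/other.pem" \
    -subj "/CN=Unrelated Root CA" >/dev/null 2>&1
  verify_against_store "$WORK/other.pem"
}

make_private_pki
if client_with_root; then echo "root in trust store: server cert ACCEPTED"; fi
if client_without_root; then echo "unexpected"; else echo "root missing: server cert REJECTED"; fi
```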