Is it possible to put only root CA’s certificate in the server truststore and to let users authenticate with certificates signed by this CA?

Currently, it throws an error when it tries to bind decoded user principal to the alias in truststore, which has only CA’s certificate.

I suppose this is possible, but is there any easy(detailed) tutorial on this since I’m not familiar with the whole architecture of the Elytron, and documentation is pretty modest?