or the intermediate certificates. Most organizations create an intermediate certificate and sign server and client certificates with that intermediate. This allows administrators to keep the root locked down even further: they only need to handle it when creating new intermediates (and those intermediates can be quickly revoked).
It's:
not used for other purposes such as server/client authentication, ….