From 5481787869e7b3abb39ae564512da154aea90aad Mon Sep 17 00:00:00 2001
From: Christian Hesse
Date: Mon, 12 Jan 2026 08:37:12 +0100
Subject: [PATCH] check-certificates: handle builtin certificate in chain

This includes an ugly workaround to keep it compatible with old RouterOS versions... For now.
---
 check-certificates.rsc | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/check-certificates.rsc b/check-certificates.rsc
index f3885fcf..5049a340 100644
--- a/check-certificates.rsc
+++ b/check-certificates.rsc
@@ -117,6 +117,12 @@
 :local Return "";
 :for I from=0 to=5 do={
 :set Return ($Return . [ $ParseKeyValueStore ($CertVal->"issuer") ]->"CN");
+ :local CertSettings [ /certificate/settings/get ];
+ :if (([ :len ($CertSettings->"builtin-trust-anchors") ] > 0 || \
+ [ :len ($CertSettings->"builtin-trust-store") ] > 0) && \
+ [[ :parse (":return [ :len [ /certificate/builtin/find where skid=\"" . ($CertVal->"akid") . "\" ] ]") ]] > 0) do={
+ :return $Return;
+ }
 :set CertVal [ /certificate/get [ find where skid=($CertVal->"akid") ] ];
 :if (($CertVal->"akid") = "" || ($CertVal->"akid") = ($CertVal->"skid")) do={
 :return $Return;
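Review bot: The added `:parse` term builds script source by concatenating `$CertVal->"akid"` into a quoted string, so a certificate property is evaluated as code with nothing in the hunk checking its shape first. RouterOS presumably renders akid as a plain hex string, which would make this harmless in practice, but that assumption should be written down next to the call, e.g. `# akid is interpolated into parsed code; expected to be hex only. :parse defers the /certificate/builtin lookup for old RouterOS - drop once unsupported.` A format check on akid before the lookup would turn the assumption into a guarantee. Separately, `/certificate/settings/get` does not depend on the loop variable `I` and could be read once before the `:for` instead of on every iteration. The enclosing function starts and ends outside the hunk.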