diff --git a/CERTIFICATES.md b/CERTIFICATES.md
index 69d6c18..0e0a867 100644
--- a/CERTIFICATES.md
+++ b/CERTIFICATES.md
@@ -61,7 +61,7 @@ Import a certificate by CommonName
 Running the function `$CertificateAvailable` with that name as parameter
 makes sure the certificate is available in the device's store:
 
-    $CertificateAvailable "ISRG Root X2";
+    $CertificateAvailable "ISRG Root X2" "fetch";
 
 If the certificate is actually available already nothing happens, and there
 is no output. Otherwise the certificate is downloaded and imported.
diff --git a/INITIAL-COMMANDS.md b/INITIAL-COMMANDS.md
index 40f609b..6e70b66 100644
--- a/INITIAL-COMMANDS.md
+++ b/INITIAL-COMMANDS.md
@@ -22,8 +22,11 @@ Run the complete base installation:
       :local CertFileName "ISRG-Root-X2.pem";
       :local CertFingerprint "69729b8e15a86efc177a57afb7171dfc64add28c2fca8cf1507e34453ccb1470";
 
-      :if (!(([ /certificate/settings/get ]->"builtin-trust-anchors") = "trusted" && \
-           [[ :parse (":return [ :len [ /certificate/builtin/find where common-name=\"" . $CertCommonName . "\" ] ]") ]] > 0)) do={
+      :local CertSettings [ /certificate/settings/get ];
+      :if (!((($CertSettings->"builtin-trust-anchors") = "trusted" || \
+              ($CertSettings->"builtin-trust-store") ~ "fetch" || \
+              ($CertSettings->"builtin-trust-store") = "all") && \
+             [[ :parse (":return [ :len [ /certificate/builtin/find where common-name=\"" . $CertCommonName . "\" ] ]") ]] > 0)) do={
         :put "Importing certificate...";
         /tool/fetch ($BaseUrl . "certs/" . $CertFileName) dst-path=$CertFileName as-value;
         :delay 1s;
diff --git a/README.md b/README.md
index 529bb4c..b77538d 100644
--- a/README.md
+++ b/README.md
@@ -78,7 +78,10 @@ download the certificates.
 > can skip the steps regarding certificate download and import and jump
 > to [installation of scripts](#installation-of-scripts) if you set the
 > trust for these builtin trust anchors:  
-> `/certificate/settings/set builtin-trust-anchors=trusted;`
+> `/certificate/settings/set builtin-trust-anchors=trusted;`  
+> With RouterOS 7.21 the functionality was changed. Set this at minimum,
+> but make sure not to drop other targets:  
+> `/certificate/settings/set builtin-trust-store=fetch;`
 
 If you intend to download the scripts from a
 different location (for example from github.com) install the corresponding
diff --git a/check-certificates.rsc b/check-certificates.rsc
index f2d5c1f..3300bee 100644
--- a/check-certificates.rsc
+++ b/check-certificates.rsc
@@ -189,7 +189,7 @@
           fingerprint!=[ :tostr ($CertVal->"fingerprint") ] expires-after>$CertRenewTime ];
         :local CertNewVal [ /certificate/get $CertNew ];
 
-        :if ([ $CertificateAvailable ([ $ParseKeyValueStore ($CertNewVal->"issuer") ]->"CN") ] = false) do={
+        :if ([ $CertificateAvailable ([ $ParseKeyValueStore ($CertNewVal->"issuer") ]->"CN") "fetch" ] = false) do={
           $LogPrint warning $ScriptName ("The certificate chain is not available!");
         }
 
diff --git a/doc/mod/notification-matrix.md b/doc/mod/notification-matrix.md
index da6d6de..ad4cf4f 100644
--- a/doc/mod/notification-matrix.md
+++ b/doc/mod/notification-matrix.md
@@ -49,7 +49,7 @@ your server in device's certificate store.
 The example below is for `matrix.org`, which uses a trust chain from *Google
 Trust Services*. Run this to import the required certificate:
 
-    $CertificateAvailable "GTS Root R4";
+    $CertificateAvailable "GTS Root R4" "fetch";
 
 Replace the CA certificate name with what ever is needed for your server.
 You may want to find the
diff --git a/fw-addr-lists.rsc b/fw-addr-lists.rsc
index c85cc8b..e5a71aa 100644
--- a/fw-addr-lists.rsc
+++ b/fw-addr-lists.rsc
@@ -74,7 +74,7 @@
 
       :if ([ :len ($List->"cert") ] > 0) do={
         :set CheckCertificate true;
-        :if ([ $CertificateAvailable ($List->"cert") ] = false) do={
+        :if ([ $CertificateAvailable ($List->"cert") "fetch" ] = false) do={
           $LogPrint warning $ScriptName ("Downloading required certificate (" . $FwListName . \
               " / " . $List->"url" . ") failed, trying anyway.");
         }
diff --git a/global-functions.rsc b/global-functions.rsc
index eb837aa..48aaf7f 100644
--- a/global-functions.rsc
+++ b/global-functions.rsc
@@ -106,11 +106,15 @@
 # check and download required certificate
 :set CertificateAvailable do={
   :local CommonName [ :tostr $1 ];
+  :local UseFor     [ :tostr $2 ];
 
   :global CertificateDownload;
+  :global EitherOr;
   :global LogPrint;
   :global ParseKeyValueStore;
 
+  :set UseFor [ $EitherOr $UseFor "undefined" ];
+
   :if ([ /system/resource/get free-hdd-space ] < 8388608 && \
        [ /certificate/settings/get crl-download ] = true && \
        [ /certificate/settings/get crl-store ] = "system") do={
@@ -123,7 +127,10 @@
     :return false;
   }
 
-  :if (([ /certificate/settings/get ]->"builtin-trust-anchors") = "trusted" && \
+  :local CertSettings [ /certificate/settings/get ];
+  :if ((($CertSettings->"builtin-trust-anchors") = "trusted" || \
+        ($CertSettings->"builtin-trust-store") ~ $UseFor || \
+        ($CertSettings->"builtin-trust-store") = "all") && \
        [[ :parse (":return [ :len [ /certificate/builtin/find where common-name=\"" . $CommonName . "\" ] ]") ]] > 0) do={
     :return true;
   }
@@ -397,7 +404,7 @@
     :return true;
   }
 
-  :if ([ $CertificateAvailable "ISRG Root X1" ] = false) do={
+  :if ([ $CertificateAvailable "ISRG Root X1" "fetch" ] = false) do={
     $LogPrint error $0 ("Downloading required certificate failed.");
     :return false;
   }
@@ -633,7 +640,7 @@
   }
 
   :do {
-    :if ([ $CertificateAvailable "GTS Root R4" ] = false) do={
+    :if ([ $CertificateAvailable "GTS Root R4" "fetch" ] = false) do={
       $LogPrint warning $0 ("Downloading required certificate failed.");
       :error false;
     }
@@ -1241,7 +1248,7 @@
   :global SymbolForNotification;
   :global ValidateSyntax;
 
-  :if ([ $CertificateAvailable "ISRG Root X2" ] = false) do={
+  :if ([ $CertificateAvailable "ISRG Root X2" "fetch" ] = false) do={
     $LogPrint warning $0 ("Downloading certificate failed, trying without.");
   }
 
@@ -1292,7 +1299,7 @@
       }
 
       :if ([ :len ($ScriptInfo->"certificate") ] > 0) do={
-        :if ([ $CertificateAvailable ($ScriptInfo->"certificate") ] = false) do={
+        :if ([ $CertificateAvailable ($ScriptInfo->"certificate") "fetch" ] = false) do={
           $LogPrint warning $0 ("Downloading certificate failed, trying without.");
         }
       }
diff --git a/mod/notification-ntfy.rsc b/mod/notification-ntfy.rsc
index 7114020..dd10812 100644
--- a/mod/notification-ntfy.rsc
+++ b/mod/notification-ntfy.rsc
@@ -109,7 +109,7 @@
 
   :onerror Err {
     :if ($Server = "ntfy.sh") do={
-      :if ([ $CertificateAvailable "ISRG Root X1" ] = false) do={
+      :if ([ $CertificateAvailable "ISRG Root X1" "fetch" ] = false) do={
         $LogPrint warning $0 ("Downloading required certificate failed.");
         :error false;
       }
diff --git a/mod/notification-telegram.rsc b/mod/notification-telegram.rsc
index ff9b4da..b1996a3 100644
--- a/mod/notification-telegram.rsc
+++ b/mod/notification-telegram.rsc
@@ -30,7 +30,7 @@
     :return false;
   }
 
-  :if ([ $CertificateAvailable "Go Daddy Root Certificate Authority - G2" ] = false) do={
+  :if ([ $CertificateAvailable "Go Daddy Root Certificate Authority - G2" "fetch" ] = false) do={
     $LogPrint warning $0 ("Downloading required certificate failed.");
     :return false;
   }
@@ -72,7 +72,7 @@
   :global CertificateAvailable;
   :global LogPrint;
 
-  :if ([ $CertificateAvailable "Go Daddy Root Certificate Authority - G2" ] = false) do={
+  :if ([ $CertificateAvailable "Go Daddy Root Certificate Authority - G2" "fetch" ] = false) do={
     $LogPrint warning $0 ("Downloading required certificate failed.");
     :return false;
   }
@@ -197,7 +197,7 @@
       "&reply_to_message_id=" . ($Notification->"replyto") . "&message_thread_id=" . $ThreadId . \
       "&disable_web_page_preview=true&parse_mode=MarkdownV2");
   :onerror Err {
-    :if ([ $CertificateAvailable "Go Daddy Root Certificate Authority - G2" ] = false) do={
+    :if ([ $CertificateAvailable "Go Daddy Root Certificate Authority - G2" "fetch" ] = false) do={
       $LogPrint warning $0 ("Downloading required certificate failed.");
       :error false;
     }
diff --git a/netwatch-dns.rsc b/netwatch-dns.rsc
index 9e2f9bc..eee5f85 100644
--- a/netwatch-dns.rsc
+++ b/netwatch-dns.rsc
@@ -112,7 +112,7 @@
 
   :foreach DohServer in=$DohServers do={
     :if ([ :len ($DohServer->"doh-cert") ] > 0) do={
-      :if ([ $CertificateAvailable ($DohServer->"doh-cert") ] = false) do={
+      :if ([ $CertificateAvailable ($DohServer->"doh-cert") "dns" ] = false) do={
         $LogPrint warning $ScriptName ("Downloading certificate failed, trying without.");
       }
     }
diff --git a/telegram-chat.rsc b/telegram-chat.rsc
index 7f7b7a7..54872fb 100644
--- a/telegram-chat.rsc
+++ b/telegram-chat.rsc
@@ -61,7 +61,7 @@
     :set TelegramRandomDelay 0;
   }
 
-  :if ([ $CertificateAvailable "Go Daddy Root Certificate Authority - G2" ] = false) do={
+  :if ([ $CertificateAvailable "Go Daddy Root Certificate Authority - G2" "fetch" ] = false) do={
     $LogPrint warning $ScriptName ("Downloading required certificate failed.");
     :set ExitOK true;
     :error false;
diff --git a/update-tunnelbroker.rsc b/update-tunnelbroker.rsc
index 9057e1e..5372f4c 100644
--- a/update-tunnelbroker.rsc
+++ b/update-tunnelbroker.rsc
@@ -28,7 +28,7 @@
     :error false;
   }
 
-  :if ([ $CertificateAvailable "Starfield Root Certificate Authority - G2" ] = false) do={
+  :if ([ $CertificateAvailable "Starfield Root Certificate Authority - G2" "fetch" ] = false) do={
     $LogPrint error $ScriptName ("Downloading required certificate failed.");
     :set ExitOK true;
     :error false;