From 3d3b270748b43362d0ec51a1e52f300e6770b469 Mon Sep 17 00:00:00 2001
From: Christian Hesse <mail@eworm.de>
Date: Wed, 28 May 2025 14:07:57 +0200
Subject: [PATCH 1/3] README: give a hint on builtin certificate store

I guess this should become the default any time in future...
---
 README.md | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 2a8b2cef..bc098408 100644
--- a/README.md
+++ b/README.md
@@ -72,7 +72,14 @@ including demonstation recorded live at [MUM Europe
 ### The long way in detail
 
 The update script does server certificate verification, so first step is to
-download the certificates. If you intend to download the scripts from a
+download the certificates.
+
+> 💡️ **Hint**: RouterOS 7.19 comes with a builtin certificate store. You
+> can skip the steps regarding certificate download and import if you set
+> the trust for these builtin trust anchors:
+> `/certificate/settings/set builtin-trust-anchors=trusted;`
+
+If you intend to download the scripts from a
 different location (for example from github.com) install the corresponding
 certificate chain.
 

From d59c4aee26788f3c5088c32a3bd54f0562b4d2b4 Mon Sep 17 00:00:00 2001
From: Christian Hesse <mail@eworm.de>
Date: Wed, 28 May 2025 14:16:57 +0200
Subject: [PATCH 2/3] README: add a paragraph and link to jump

---
 README.md | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index bc098408..243e1fc5 100644
--- a/README.md
+++ b/README.md
@@ -75,8 +75,9 @@ The update script does server certificate verification, so first step is to
 download the certificates.
 
 > 💡️ **Hint**: RouterOS 7.19 comes with a builtin certificate store. You
-> can skip the steps regarding certificate download and import if you set
-> the trust for these builtin trust anchors:
+> can skip the steps regarding certificate download and import and jump
+> to [installation of scripts](#installation-of-scripts) if you set the
+> trust for these builtin trust anchors:
 > `/certificate/settings/set builtin-trust-anchors=trusted;`
 
 If you intend to download the scripts from a
@@ -113,6 +114,8 @@ is shown.
 
 Always make sure there are no certificates installed you do not know or want!
 
+#### Installation of scripts
+
 All following commands will verify the server certificate. For validity the
 certificate's lifetime is checked with local time, so make sure the device's
 date and time is set correctly!

From bf684a7197f9ad07e23415de5779a366af7dd71b Mon Sep 17 00:00:00 2001
From: Christian Hesse <mail@eworm.de>
Date: Wed, 28 May 2025 15:08:26 +0200
Subject: [PATCH 3/3] global-functions: $CertificateAvailable: try to use
 builtin certificates

The builtin certificates were introduced with RouterOS 7.19, so requires
this hacky :parse workaround.
---
 global-functions.rsc | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/global-functions.rsc b/global-functions.rsc
index 55dbdee9..759b2744 100644
--- a/global-functions.rsc
+++ b/global-functions.rsc
@@ -119,6 +119,11 @@
     :return false;
   }
 
+  :if (([ /certificate/settings/get ]->"builtin-trust-anchors") = "trusted" && \
+       [[ :parse (":return [ :len [ /certificate/builtin/find where common-name=\"" . $CommonName . "\" ] ]") ]] > 0) do={
+    :return true;
+  }
+
   :if ([ :len [ /certificate/find where common-name=$CommonName ] ] = 0) do={
     $LogPrint info $0 ("Certificate with CommonName '" . $CommonName . "' not available.");
     :if ([ $CertificateDownload $CommonName ] = false) do={