====== Manage certificates ======

===== Synopsis =====

  certstore [--subject ] [--keep] []

===== Examples =====

=== Download a certificate to the certificate store ===

  certstore http://ca.ipxe.org/ca.crt

=== Download a certificate chain to the certificate store ===

  certstore http://ca.ipxe.org/cross/cross-digicert-global-root-ca.crts

===== Description =====

Add the specified certificates to the certificate store.

If a URI is specified, then it will be downloaded and treated as a PEM or DER-encoded certificate file. The certificate file will be discarded after extracting the certificates unless the ''%%--keep%%'' option is specified.

If a subject name is specified, then only certificates matching the specified name will be added to the certificate store.

===== Command status =====

^ Success | All specified certificates were successfully added to the store |
^ Failure | Some certificates were not successfully added to the store |

===== See also =====

  * ''[[:cmd:certstat]]''
  * ''[[:cmd:certfree]]''
  * iPXE [[:crypto|cryptography]] guide
  * [[:cmd|List of all iPXE commands]]

===== Build options =====

This command is available only when the build option ''[[:buildcfg:CERT_CMD]]'' is enabled.

===== Notes =====

The ''%%--subject%%'' option will match against the certificate's Common Name and any Subject Alternative Names, if present.

Downloaded certificates will be marked as ''[EXPLICIT]'' in the output of the ''[[:cmd:certstat]]'' command.

Certificate files may include multiple PEM-encoded certificates.

You can use ''certstore'' as a manual alternative to the ''[[:cfg:crosscert]]'' mechanism, by explicitly downloading the required cross-signed certificate chain. For example:

  certstore http://ca.ipxe.org/cross/cross-digicert-global-root-ca.crts

This can be useful if you are operating on a network without access to [[http://ca.ipxe.org/auto]], since you can use ''certstore'' to download a local copy of the certificate chain.
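
A boot script for the isolated-network case described above, added here as an illustration and not taken from the iPXE documentation. The mirror address ''192.0.2.10'', the path beneath it and the boot host ''boot.example.com'' are assumptions; the chain file is assumed to have been copied to the mirror beforehand. The script uses the command status of ''certstore'' to stop before the HTTPS fetch if the chain could not be added.

```ipxe
#!ipxe
# Added example: the addresses, paths and hostnames below are assumptions.

# Bring up networking before any download is attempted.
dhcp || goto net_failed

# Fetch the locally mirrored cross-signed chain. certstore reports failure
# if some certificates were not added to the store, so stop here instead of
# attempting the HTTPS fetch without the chain.
certstore http://192.0.2.10/certs/cross-digicert-global-root-ca.crts || goto cert_failed

# List the store for the boot log; certificates added by certstore
# are marked [EXPLICIT] in this output.
certstat

# Fetch the next stage over HTTPS.
chain https://boot.example.com/menu.ipxe || goto boot_failed

:net_failed
echo DHCP failed, cannot reach the certificate mirror
goto drop_to_shell

:cert_failed
echo certstore failed: chain was not fully added to the certificate store
goto drop_to_shell

:boot_failed
echo HTTPS fetch failed, review the certstat output above
goto drop_to_shell

:drop_to_shell
# Leave the operator at a prompt, then report failure if the shell is exited.
shell
exit 1
```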