## When rootstore is required

Rootstore configuration is **required** for **LTV** and **LTVLITE** signature levels. If you do not use these levels, this process is not necessary.

The rootstore allows the Optimizer to include and validate the full chain of trust for each certificate involved in the signature. Without it, long-term validation signatures cannot be produced or verified correctly.

## Certificate format

Every certificate added to the rootstore must be in **PEM format**. Example:


```
-----BEGIN CERTIFICATE-----
MIIIWjCCBkKgAwIBAgIIICfKLtFjrRMwDQYJKoZIhvcNAQELBQAwgbkxCzAJBgNV
...
-----END CERTIFICATE-----
```

The number of lines between the header and footer depends on the certificate. Each PEM file should contain a single certificate.

## Step 1: Load certificates into the Optimizer

Place all PEM files in the following path on the host:


```
/opt/optimizer_docker/optimizer_data/localstore/
```

(or the equivalent path where your Optimizer data volume is mounted).

## Step 2: Generate rootstore

After loading all desired certificates, run the following command **inside the optimizer container**:


```bash
docker compose exec optimizer python -m optimizer generate-rootstore
```

This updates the rootstore used by the Optimizer for LTV/LTVLITE signatures. Restart the Optimizer if required by your deployment (e.g. `docker-compose restart`).

## Related documentation

- [Configuration overview](/products/namirialpkiaas/one-shot/enterprise-documentation/administrator-guides/configuration/overview)
- [LTV/LTVLITE](https://cdn.developers.uanataca.com/oneshot/) — Refer to the One-Shot API documentation for signature level details