## When rootstore is required

Rootstore configuration is **required** for LTV, LTVLITE, and LTVA signature levels. If you use only BES or T levels, this process is not necessary.

The rootstore allows the optimizer to validate certificate chains for each certificate involved in the signature. Without it, long-term validation signatures cannot be produced or verified correctly.

## Certificate format

Every certificate added to the rootstore must be in **PEM format**. PEM files use the following structure:

```
-----BEGIN CERTIFICATE-----
MIIIWjCCBkKgAwIBAgIIICfKLtFjrRMwDQYJKoZIhvcNAQELBQAwgbkxCzAJBgNV
...
-----END CERTIFICATE-----
```

The number of lines between the header and footer varies depending on the certificate. Each PEM file should contain a single certificate.

## Step 1: Load certificates into the optimizer

Place all PEM files in the following path on the host:

```
/opt/optimizer_docker/optimizer_data/localstore/
```

The optimizer reads certificates from this directory. Ensure the files have appropriate read permissions for the container.

## Step 2: Generate the rootstore

After placing the certificates, run the following command from the optimizer directory:

```bash
docker compose exec optimizer python -m optimizer generate-rootstore
```

This command generates the rootstore from all PEM files in the localstore directory.

## Step 3: Restart the service

Restart the SignBox services so the new rootstore is loaded:

```bash
docker compose restart
```

Or, for a full restart:

```bash
docker compose down
docker compose up -d
```

## Related documentation

- [LTV signatures](/products/namirialpkiaas/signbox/enterprise-documentation/products-and-modules/signatures/ltv-signatures) — Overview of LTV and LTVLITE signature types and when rootstore is required
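
A pre-flight check for the files placed in Step 1, run on the host before `generate-rootstore` in Step 2. This is an added example, not part of the SignBox tooling: the function names `check_pem_file` and `check_localstore` are hypothetical, and the check is structural only (PEM markers, one certificate per file, base64 body), so it does not parse or validate the X.509 content.

```bash
#!/bin/sh
# Added example (not SignBox code): structural pre-flight check of localstore files.
# check_pem_file FILE: prints "ok" or a reason; returns 0 only if FILE is readable
# by the current user (the container's user may differ) and holds exactly one
# PEM certificate block.
check_pem_file() {
    f=$1
    [ -r "$f" ] || { echo "unreadable"; return 1; }
    pem=$(tr -d '\r' < "$f")    # tolerate CRLF line endings
    begins=$(printf '%s\n' "$pem" | grep -c '^-----BEGIN CERTIFICATE-----$' || true)
    ends=$(printf '%s\n' "$pem" | grep -c '^-----END CERTIFICATE-----$' || true)
    if [ "$begins" -eq 0 ] || [ "$ends" -eq 0 ]; then
        echo "missing BEGIN/END CERTIFICATE marker (not PEM?)"; return 1
    fi
    if [ "$begins" -ne 1 ] || [ "$ends" -ne 1 ]; then
        echo "expected exactly one certificate block"; return 1
    fi
    # Everything between the two markers must be base64 text.
    body=$(printf '%s\n' "$pem" \
        | sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' \
        | grep -v '^-----' || true)
    [ -n "$body" ] || { echo "empty certificate body"; return 1; }
    if printf '%s\n' "$body" | grep -q '[^A-Za-z0-9+/=]'; then
        echo "non-base64 characters in certificate body"; return 1
    fi
    echo "ok"
}

# check_localstore DIR: prints one line per regular file; returns 0 only if all pass.
check_localstore() {
    dir=$1
    failed=0
    for entry in "$dir"/*; do
        [ -f "$entry" ] || continue
        result=$(check_pem_file "$entry") || failed=$((failed + 1))
        printf '%s: %s\n' "$entry" "$result"
    done
    [ "$failed" -eq 0 ]
}

# Check the host path from Step 1 (or a directory passed as $1) when it exists.
LOCALSTORE=${1:-/opt/optimizer_docker/optimizer_data/localstore}
if [ -d "$LOCALSTORE" ]; then
    check_localstore "$LOCALSTORE" \
        || echo "Fix the files listed above before generating the rootstore." >&2
fi
```
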