I just installed 7.19 on my RB5009, and the new root certificates store works well for NextDNS. In looking at the list of built-in certificates, it seems like Mikrotik only included a few. I am curious why they didn't include, say, all certificates currently trusted by Mozilla. How did they decide which ones to include?
Also, what is the mechanism for updating the built-in store? Is it only updated when ROS is updated?
I suppose I’m mostly curious how they settled on the certificates they included. Also it would be nice to have the option to update the certificate store periodically, or to choose between the slimmed down store and a more full one that includes everything Mozilla trusts, for example.
The free space difference on my routers between 7.18.2 with all "Mozilla" CA certificates (140+ certs from CCADB.org) installed and 7.19 with only the built-in CA is about 1MB. Space is definitely one of the reasons.
And not all those 140+ root CA certs from the CCADB bundle are really needed. All the GTS ones (from Google), for example, are also signed by other CAs that are in the RouterOS trusted list. The Windows trusted CA store has fewer than 70 valid entries, and that includes CAs needed for Authenticode (code signing).
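An added example (not from this thread, and not MikroTik code) of the check behind that reply: given a CA bundle, find the self-signed roots whose public key is also certified by another root in the bundle, since those are the ones a slimmed store can drop. It uses the Python `cryptography` package and a constructed three-certificate bundle standing in for a real CCADB export; the certificate names are invented.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
_name = lambda cn: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def _ca_cert(subject_cn, issuer_cn, subject_key, signing_key):
    now = datetime.now(timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(_name(subject_cn)).issuer_name(_name(issuer_cn))
            .public_key(subject_key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + timedelta(days=3650))
            .sign(signing_key, hashes.SHA256()))

def build_demo_bundle():
    # Constructed demo (not real CA data): two self-signed roots plus a cross-signed copy of
    # Root B's key issued by Root A, the pattern the post describes for the GTS roots.
    key_a, key_b = (ec.generate_private_key(ec.SECP256R1()) for _ in range(2))
    root_a = _ca_cert("Demo Root A", "Demo Root A", key_a, key_a)
    root_b = _ca_cert("Demo Root B", "Demo Root B", key_b, key_b)
    b_cross = _ca_cert("Demo Root B", "Demo Root A", key_b, key_a)
    return [root_a, root_b, b_cross]

def issued_by(cert, issuer):
    # A matching issuer name is not proof; verify the ECDSA signature over the TBS bytes.
    if cert.issuer != issuer.subject:
        return False
    try:
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False

def redundant_roots(bundle):
    # A root is redundant if another cert carries the same public key (SPKI) but is issued
    # by a different root that stays in the store; returns {dropped root: covering root}.
    spki = lambda c: c.public_key().public_bytes(
        serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo)
    roots = [c for c in bundle if issued_by(c, c)]
    covered = {}
    for root in roots:
        for cert in bundle:
            if spki(cert) == spki(root) and not issued_by(cert, cert):
                for other in roots:
                    if other is not root and issued_by(cert, other):
                        covered[root.subject.rfc4514_string()] = other.subject.rfc4514_string()
    return covered
```

On a real export, load the PEM file with `x509.load_pem_x509_certificates` instead of `build_demo_bundle()`; RSA-signed certificates would need an RSA branch in `issued_by`.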