Add the CA certificate downloader tool
This can still be improved by decoding sub-CA certificates offline, and dropping their signatures.