diff --git a/README.md b/README.md
index 5967a89..a63f92a 100644
--- a/README.md
+++ b/README.md
@@ -14,6 +14,7 @@ to manage RouterOS devices or extend their functionality.
 - [Table of Contents](#table-of-contents)
 - [Requirements](#requirements)
 - [Installation](#installation)
+ - [Prerequisites (a.k.a. Install certificates)](#prerequisites-aka-install-certificates)
 - [Initial Setup](#initial-setup)
 - [Adding a script](#adding-a-script)
 - [Available scripts](#available-scripts)
@@ -29,6 +30,36 @@ follow the instructions there for the basic installation and setup.
 ## Installation
+### Prerequisites (a.k.a. Install certificates)
+
+The update script does server certificate verification, so first step is to download the certificates. If you intend to download the scripts from a different location (for example from github.com) install the corresponding certificate chain.
+
+```rsc
+/tool/fetch "https://letsencrypt.org/certs/isrgrootx1.pem" dst-path="isrgrootx1.pem";
+```
+
+Note that the commands above do not verify server certificate, so if you want to be safe download with your workstations's browser and transfer the file to your MikroTik device.
+
+- [ISRG Root X1](https://letsencrypt.org/certificates/)
+ - You'll need the ISRG Root X1 (self-signed) certificate in pem format
+
+Then we import the certificate.
+
+```rsc
+/certificate/import file-name=isrgrootx1.pem passphrase="";
+```
+
+Do not worry that the command is not shown - that happens because it contains a sensitive property, the passphrase.
+
+For basic verification we rename the certificate and print it by fingerprint. Make sure exactly this one certificate ("ISRG-Root-X1") is shown.
+
+/certificate/set name="ISRG-Root-X1" [ find where common-name="ISRG Root X1" ];
+/certificate/print proplist=name,fingerprint where fingerprint="96bcec06264976f37460779acf28c5a7cfe8a3c0aae11a8ffcee05c0bddf08c6";
+
+Always make sure there are no certificates installed you do not know or want!
+
+All following commands will verify the server certificate. For validity the certificate's lifetime is checked with local time, so make sure the device's date and time is set correctly!
+
 ### Initial Setup
 Download the `global-functions-custom-phg.rsc` script:
diff --git a/global-functions-custom-phg.rsc b/global-functions-custom-phg.rsc
index fd994f4..f4f1c52 100644
--- a/global-functions-custom-phg.rsc
+++ b/global-functions-custom-phg.rsc
@@ -14,26 +14,27 @@
 :global GlobalFunctionsCustomPhgReady false;
 # global functions
-:global SafelyResolve
+:global SafeResolve
 # Function: safelyResolve
 # - Takes a DNS string (e.g. "example.com")
 # - Takes an IP type [ipv4, ipv6]
 # - Returns a string of and IP address or false if it can't be resolved
-:set SafelyResolve do={
+:set SafeResolve do={
 :do {
 :local DomainName [ :tostr $1 ];
- :if ( [ :tostr $2 ] = "ipv4" or [ :tostr $2 ] = "ipv6" ) do={
- :local IPType [ :tostr $2 ];
+ :local IPType;
+ :if ( ([ :tostr $2 ] = "ipv4") or ([ :tostr $2 ] = "ipv6") ) do={
+ :set IPType [ :tostr $2 ];
 } else={
- :local IPType "ipv4";
+ :global ExitError; $ExitError false $0;
 }
- :local IP [:resolve domain-name="$DomainName" type=$IPType];
- :return "$IP";
+ :local ResolvedIP [:resolve domain-name="$DomainName" type=$IPType];
+ :return "$ResolvedIP";
 } on-error={
- return false;
+ :return false;
 }
 }
 # signal we are ready
-:set GlobalFunctionsCustomPhgReady true;
\ No newline at end of file
+:set GlobalFunctionsCustomPhgReady true;
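Review bot: The new `else={ :global ExitError; $ExitError false $0; }` branch runs inside the `:do { ... } on-error={ :return false; }` block, so if `$ExitError` aborts with an error (it is defined outside this hunk, so that is inferred from its name and from the "ipv4" fallback it replaces), the `on-error` handler swallows it and the function returns `false` exactly as it does for a failed lookup — a caller passing a bad type cannot tell that from an unresolvable name, and the intended hard stop never happens. Validate the type before entering `:do`, e.g. `:if ( ([ :tostr $2 ] != "ipv4") and ([ :tostr $2 ] != "ipv6") ) do={ :global ExitError; $ExitError false $0; }` followed by `:local IPType [ :tostr $2 ];`, and keep only the `:resolve` call inside the error-handling block. The rename also leaves the header comment stale: change `# Function: safelyResolve` to `# Function: SafeResolve`, and the third bullet should read `a string of an IP address`.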