Note that CERTS.IDX file is generated on-chip

libraries/ESP8266WiFi/examples/BearSSL_CertStore/BearSSL_CertStore.ino

@@ -2,8 +2,11 @@
 //
 // Before running, you must download the set of certs using
 // the script "certs-from-mozilla.py" (no parameters)
-// and then uploading the generated data directory to
-// SPIFFS.
+// and then uploading the generated .AR file to SPIFFS or SD.
+//
+// You do not need to generate the ".IDX" file listed below,
+// it is generated automatically when the CertStore object
+// is created and written to SD or SPIFFS by the ESP8266.
 //
 // Why would you need a CertStore?
 //
@@ -19,7 +22,7 @@
 // 10s or 100s of CAs against which you can check the
 // target's X.509, without taking any more RAM than a single
 // certificate.  This is the same way that standard browsers
-// and operating systems use to verify SSL connections.
+// and operating systems verify SSL connections.
 //
 // About the chosen certs:
 // The certificates are scraped from the Mozilla.org current
@@ -82,8 +85,8 @@ class SDCertStoreFile : public BearSSL::CertStoreFile {
     const char *_name;
 };
 
-SDCertStoreFile certs_idx("/certs.idx");
-SDCertStoreFile certs_ar("/certs.ar");
+SDCertStoreFile certs_idx("/certs.idx"); // Generated by the ESP8266
+SDCertStoreFile certs_ar("/certs.ar"); // Uploaded by the user
 
 #else
 
@@ -118,8 +121,9 @@ class SPIFFSCertStoreFile : public BearSSL::CertStoreFile {
     const char *_name;
 };
 
-SPIFFSCertStoreFile certs_idx("/certs.idx");
-SPIFFSCertStoreFile certs_ar("/certs.ar");
+SPIFFSCertStoreFile certs_idx("/certs.idx"); // Generated by the ESP8266
+SPIFFSCertStoreFile certs_ar("/certs.ar"); // Uploaded by the user
+
 #endif
 
 // Set time via NTP, as required for x.509 validation