All reference I have found recommend downloading and storing the certificate in your bundle. I would not suggest downloading it on the fly.
The repository you refer to recommends it:
I scoured the Apple Docs, tutorials and many sample repositories while working out my own solution and never considered downloading it on device. It seems an obvious point of attack. The idea is that you can be positive that the certificate is valid at the point of shipping, if you download on the fly you cannot be 100% sure where it came from.