Custom Certificates

May 18, 2026 · View on GitHub

简体中文

This module is based on AdGuard Certificate and custom-certificate-authorities. It is not compatible with those modules, so remove them before using this one.

To hide tmpfs traces that may be detected by some root detection apps, this module now supports meta-hybrid_mount. Install it first.

Warning All user certificates will be copied to the system store after reboot. Trust them at your own risk.

If you are using an older version of meta-hybrid_mount, you need to manually add apex to its partitions list, otherwise this module may not work properly.

Simple Usage

  1. Trust the certificate(s) you want to use.
  2. Reboot.

Advanced Usage

Use this only if the system notification bothers you.

  1. Trust the certificate(s) you want to use.
  2. Using a root file explorer, move the trusted subject_hash_old.N certificate file(s) from /data/misc/user/0/cacerts-added to /data/misc/user/0/cacerts-custom.
  3. Reboot.

WebUI

In KernelSU Manager, this module includes a built-in WebUI that can:

  1. List certificates from /data/misc/user/0/cacerts-custom and /data/misc/user/0/cacerts-added.
  2. Show parsed certificate details.
  3. Move certificates between these directories.
  4. Import PEM/DER certificates, convert them, and save them to the target certificate storage location.
  5. Permanently delete certificates.

Warning Directory changes are written immediately, but system trust changes still require a reboot to fully apply.

This lets you manage certificates without digging through the deeply hidden system settings menus.

Acknowledgements

Thanks to @peculiar/x509 and @abraham/reflection. They make it possible to parse and format certificate data in this environment, where the OpenSSL CLI is not available.