How to Remove Xiaomi CS Certificates: A Complete Guide

Owning an Android device, especially from Xiaomi, often involves intrusive system constraints and embedded advertising. One of the key mechanisms that ensure these features work, and protect the integrity of the software shell, are Certificate Authority (CS) certificates. Deletion or deactivation may be required by advanced users who want to fully customize the system and improve privacy.

Interfering with system certificates is not a trivial task and requires a deep understanding of the MIUI and HyperOS architecture. The standard settings menu means that you cannot remove root system certificates because they are protected by superuser rights, which is why you need root rights obtained through tools like Magisk or KernelSU to perform this operation.

It is important to understand that any manipulation of system files carries potential risks. Incorrect removal of critical certificates can lead to malfunctioning of banking applications, failures in updating the system or complete failure of the device to boot. Deleting certificates marked as system (System), without creating a full backup, may require a flashing device.

What are root certificates and why remove them

Root CAs are digital identities that serve as the basis for trust in the operating system. They authenticate sites, applications, and system services. In the context of Xiaomi devices, these certificates are used not only for security, but also to verify the system components that run the GetApps app store, cloud services, and ad modules.

The main reason why enthusiasts are seeking to remove or block certain CA certificates is to stop collecting telemetry. System services send location, application usage and search queries to the company's servers. Blocking the relevant certificates breaks the chain of trust, and the system can no longer safely transfer this data because it "does not recognize" the recipient's server.

In addition, deletion of certificates is often necessary to install modified versions of system applications or custom firmware that do not have an official Xiaomi digital signature. Without edits to the key store, the system will block the launch of such software, considering it potentially dangerous.

  • πŸ”’ Blocking system advertising and trackers at the certificate level.
  • πŸ›  Possibility of installing modified system components.
  • πŸ“‰ Reducing the load on the processor by disabling background telemetry services.
  • πŸ” Increased privacy by breaking the connection to analytics servers.
πŸ“Š Should a user delete the system certificates?
No, it's dangerous.
Yeah, for commercials.
Developers only
I don't know.

Training and tools required

Before you start deleting or modifying the key store directly, you need to prepare a work environment. A standard file manager is not suitable for working with system partitions. You need specialized software that can work with superuser rights and mount the /system partition in write mode.

A mandatory requirement is the availability of an unlocked bootloader. Without this step, obtaining superuser rights is impossible. It is also critical to make a full backup of data, including the boot and recovery section. In case of an error, you should be able to roll back to the operating state of the device.

To work, you’ll need a computer with ADB and Fastboot drivers installed, and a USB cable with a high-quality screening. An unstable connection can interrupt the file transfer process, which will damage the file system.

β˜‘οΈ Preparation for the removal of certificates

Done: 0 / 4

Do not attempt to operate system files with a battery charge of less than 60%. A sudden power outage at the time of writing system files can lead to a "bricking" of the device that cannot be restored by software methods.

Step-by-step instructions for removing certificates

Xiaomi CS certificate removal requires care, and we will use a root-enabled file manager, which is the most visible method, allowing you to control each step. The alternative method through ADB is more complex and requires accurate knowledge of file names.

First, you need to access hidden system folders. Open your root file manager and activate System Partition or Mount System mode. Find a directory where user and system certificates are stored. Usually this is the path /system/etc/security/cacerts or /data/misc/keychain.

⚠️ Note: Before deleting any file from the cacerts folder, copy it to a secure location on internal memory or to the cloud. The file name is usually a hash, so without a copy, it will be impossible to restore a particular certificate.

Find certificates related to Xiaomi domains (e.g., those containing miui, xiaomi, ad in name or properties). Be careful not to remove certificates with names you are not familiar with if they are standard for Android (e.g., Google certificates or Let's Encrypt), as this will disrupt the Internet and stores.

adb shell


su




cd /system/etc/security/cacerts




ls -l | grep xiaomi

After deleting or renaming the target files (it is recommended to change the extension to.bak), you need to restart the device. The first start may take more than usual, as the system will recalculate hash amounts and check the integrity of the files.

What to do if the phone goes into a cyclical reboot?
If the device does not boot after deleting the certificates, you need to go to Recovery mode (usually by pressing the volume button up and power). Cache/Dalvik Or, in the worst case, restore the backup through TWRP. If there is no backup, only flashing through Fastboot will help.

Using Magisk Modules to Block

A safer and more modern method than direct editing of system files is using modules for Magisk, which works on the principle of "Systemless", that is, does not change the system partition directly, and it makes it easy to roll back all changes by simply removing the module.

There are specialized modules, such as Universal SafetyNet Fix or Xiaomi telemetry removal modules (such as MIUI-AD-Blocker), that automatically implement lock rules and manage certificates. They substitute system responses or block requests to specific CCs at the boot level of the system.

MethodDifficultyRisk of errorPossibility of rollback
Manual deletion of filesTall.High-pitchedOnly through the backup.
Magisk modulesMediumLow.Instant.
ADB teamTall.Medium.Difficult.

To install the module, download the.zip archive from a trusted source (such as the 4PDA or XDA forum). Open the Magisk app, go to the Modules section and click "Install from storage" or select the downloaded file. After installation, restart your smartphone.

πŸ’‘

Use the Systemless Hosts module in Magisk settings to block Xiaomi ad domains through the hosts file without touching the certificates themselves. This is often more efficient and safer.

Possible problems and ways to solve them

When deleting CC certificates, users often face a number of common problems, the most common being the loss of Internet access in individual applications, which occurs when an application tries to establish a secure connection but cannot verify the server due to the lack of a root certificate.

Another problem is the occurrence of errors "Certificate not trusted" when visiting sites, which indicates that the system-wide certificate necessary for the operation of SSL/TLS protocols was deleted, in which case you need to restore deleted files from the backup.

If banking applications or Google Pay (Wallet) are no longer working, the system may have detected a breach of integrity or lack of necessary security keys, and may require root-rights concealment modules such as Zygisk and Shamiko.

⚠️ Note: Some banking applications may not work properly even after the certificates are restored if they detect signs of interference with system files, in which case only a full reset (Wipe Data) or stock firmware reflashing will help.

Users may also notice an increase in battery consumption in the first hours after the change, actively logging connection errors to try to reach blocked services, usually by themselves within a day or after cleaning logs.

Alternative methods of advertising blocking and surveillance

Removing certificates is not the only, or always the best way to deal with Xiaomi’s restrictions. DNS-Filtering. Set up a private DNS (For example, AdGuard. DNS or DNS66) Allows you to block advertising requests at the network level without affecting system files.

To do this, go to network settings: Settings β†’ Connection and Sharing β†’ Private DNS. Enter the address of the blocker server. This method is secure, reversible and does not require superuser rights, although it is less effective against embedded advertising in system applications.

Another option is to use local VPN-Apps like Blokada or AdGuard create a local tunnel and check all outgoing requests. If a request goes to a known ad server, it is blocked.

πŸ’‘

Use of the DNS-Filtering is the safest alternative to removing system certificates for ordinary users who do not want to risk the stability of the system.

The choice of method depends on your goals, and if you want maximum privacy and you're willing to spend time debugging the system, removing certificates and using Magisk modules will be the best choice. If the goal is just to remove ads, start with DNS.

Can I remove the certificates without root rights?
You can only delete user certificates that you have manually installed. /system/etc/security/cacerts require superuser rights to access the system storage.
What happens if you delete the Google certificate?
Removing Google’s root certificates will render most of the company’s services inoperable: Play Market, YouTube, Gmail and maps will no longer connect to the network, and it will be extremely difficult to restore work without resetting or flashing it.
Does that affect the guarantee?
By itself, removing files through root does not leave any physical traces, but the fact that the bootloader is unlocked (necessary for obtaining root) officially voids the warranty in many regions, and when they contact the service center, they can detect a modified system partition.
How do you get it back?
If you backed up your files before deleting them, just rename the files back (remove the.bak extension) and reboot. If you used the Magisk module, delete it through the Magisk app. If the system doesn't boot, only TWRP and backup recovery will help.