diff --git a/Cargo.lock b/Cargo.lock
index 0b14da4..31cff0e 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -299,14 +299,6 @@ version = "1.1.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "2aba8f4e9906c7ce3c73463f62a7f0c65183ada1a2d47e397cc8810827f9694f"
-[[package]]
-name = "certs-grabber"
-version = "0.1.0"
-dependencies = [
- "rustls-pki-types",
- "webpki-roots",
-]
-
 [[package]]
 name = "cfg-if"
 version = "1.0.0"
@@ -534,6 +526,7 @@ dependencies = [
 "hyper 1.4.1",
 "hyper-util-wasm",
 "js-sys",
+ "lazy_static",
 "parking_lot_core",
 "pin-project-lite",
 "ring",
@@ -545,6 +538,7 @@ dependencies = [
 "wasm-bindgen-futures",
 "wasm-streams",
 "web-sys",
+ "webpki-roots",
 "wisp-mux",
 ]
diff --git a/Cargo.toml b/Cargo.toml
index d7676dd..5cff12f 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -1,6 +1,6 @@
 [workspace]
 resolver = "2"
-members = ["server", "client", "wisp", "simple-wisp-client", "certs-grabber"]
+members = ["server", "client", "wisp", "simple-wisp-client"]
 [profile.release]
 lto = true
diff --git a/certs-grabber/Cargo.toml b/certs-grabber/Cargo.toml
deleted file mode 100644
index 8af161b..0000000
--- a/certs-grabber/Cargo.toml
+++ /dev/null
@@ -1,8 +0,0 @@
-[package]
-name = "certs-grabber"
-version = "0.1.0"
-edition = "2021"
-
-[dependencies]
-rustls-pki-types = "1.4.1"
-webpki-roots = "0.26.1"
diff --git a/certs-grabber/src/main.rs b/certs-grabber/src/main.rs
deleted file mode 100644
index b97f76b..0000000
--- a/certs-grabber/src/main.rs
+++ /dev/null
@@ -1,41 +0,0 @@
-use std::fmt::Write;
-
-use rustls_pki_types::TrustAnchor;
-
-fn main() {
- let mut code = String::with_capacity(256 * 1_024);
- code.push_str("const ROOTS = [");
- for anchor in webpki_roots::TLS_SERVER_ROOTS {
- let TrustAnchor {
- subject,
- subject_public_key_info,
- name_constraints,
- } = anchor;
- code.write_fmt(format_args!(
- "{{subject:new Uint8Array([{}]),subject_public_key_info:new Uint8Array([{}]),name_constraints:{}}},",
- subject
- .as_ref()
- .iter()
- .map(|x| x.to_string())
- .collect::>().join(","),
- subject_public_key_info
- .as_ref()
- .iter()
- .map(|x| x.to_string())
- .collect::>().join(","),
- if let Some(constraints) = name_constraints {
- format!("new Uint8Array([{}])",constraints
- .as_ref()
- .iter()
- .map(|x| x.to_string())
- .collect::>().join(","))
- } else {
- "null".into()
- }
- ))
- .unwrap();
- }
- code.pop();
- code.push_str("];");
- println!("{}", code);
-}
diff --git a/client/Cargo.toml b/client/Cargo.toml
index e8e5939..ef6a474 100644
--- a/client/Cargo.toml
+++ b/client/Cargo.toml
@@ -23,6 +23,7 @@ http-body-util = "0.1.2"
 hyper = "1.3.1"
 hyper-util-wasm = { git = "https://github.com/r58Playz/hyper-util-wasm", branch = "opinionated", version = "0.1.7", features = ["client-legacy", "http1"] }
 js-sys = "0.3.69"
+lazy_static = "1.5.0"
 pin-project-lite = "0.2.14"
 send_wrapper = "0.4.0"
 thiserror = "1.0.61"
@@ -31,6 +32,7 @@ wasm-bindgen = "0.2.92"
 wasm-bindgen-futures = "0.4.42"
 wasm-streams = "0.4.0"
 web-sys = { version = "0.3.69", features = ["BinaryType", "Headers", "MessageEvent", "Request", "RequestInit", "Response", "ResponseInit", "WebSocket"] }
+webpki-roots = "0.26.3"
 wisp-mux = { path = "../wisp", features = ["wasm"] }
 [dependencies.ring]
diff --git a/client/build.sh b/client/build.sh
index 817f9f8..70790aa 100755
--- a/client/build.sh
+++ b/client/build.sh
@@ -11,8 +11,14 @@ echo "[epx] cargo finished" wasm-bindgen --weak-refs --target no-modules --no-modules-global epoxy --out-dir out/ ../target/wasm32-unknown-unknown/release/epoxy_client.wasm echo "[epx] wasm-bindgen finished" +if ! [ "${RELEASE:-0}" = "1" ]; then + WASMOPTFLAGS="-g" +else + WASMOPTFLAGS="" +fi + mv out/epoxy_client_bg.wasm out/epoxy_client_unoptimized.wasm -time wasm-opt -Oz --vacuum --dce --enable-threads --enable-bulk-memory out/epoxy_client_unoptimized.wasm -o out/epoxy_client_bg.wasm +time wasm-opt $WASMOPTFLAGS -Oz --vacuum --dce --enable-threads --enable-bulk-memory out/epoxy_client_unoptimized.wasm -o out/epoxy_client_bg.wasm echo "[epx] wasm-opt finished" AUTOGENERATED_SOURCE=$(<"out/epoxy_client.js") @@ -51,14 +57,5 @@ echo -e "}\ndeclare function epoxy(maybe_memory?: WebAssembly.Memory): Promise pkg/certs.js -cat pkg/certs.js > pkg/certs-module.js -echo "export default ROOTS;" >> pkg/certs-module.js -echo "[epx] fetching certs finished" - rm -r out/ echo "[epx] done!" diff --git a/client/package.json b/client/package.json index 3db0a83..c09a5d4 100644 --- a/client/package.json +++ b/client/package.json @@ -21,7 +21,6 @@ "license": "AGPL-3.0-only", "exports": { ".": "./full/epoxy-module-bundled.js", - "./certs": "./full/certs-module.js", "./epoxy": "./full/epoxy-module.js", "./epoxy-bundled": "./full/epoxy-module-bundled.js", "./minimal-epoxy": "./minimal/epoxy-module.js", diff --git a/client/publish.sh b/client/publish.sh index d0b6177..31ba73a 100755 --- a/client/publish.sh +++ b/client/publish.sh @@ -2,6 +2,8 @@ set -euo pipefail shopt -s inherit_errexit +export RELEASE=1 + rm -r full minimal || true cargo clean diff --git a/client/src/lib.rs b/client/src/lib.rs index d3c70e9..4c50829 100644 --- a/client/src/lib.rs +++ b/client/src/lib.rs @@ -224,7 +224,6 @@ impl EpoxyClient { #[wasm_bindgen(constructor)] pub fn new( wisp_url: String, - certs: Array, options: EpoxyClientOptions, ) -> Result { let wisp_url: Uri = wisp_url.try_into()?; 
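Review bot: The new switch in client/build.sh defaults to the debug variant: with `RELEASE` unset, `WASMOPTFLAGS` is `-g`, so an artifact built by running build.sh directly is produced with wasm-opt's debug-info flag, and only a caller that exports `RELEASE=1` (publish.sh does in this commit) gets the stripped output. A comment above the `if` would make that contract visible, for example `# RELEASE=1 drops debug info; any other value passes -g to wasm-opt for local builds`. The test reads more directly as `if [ "${RELEASE:-0}" != "1" ]; then`. `$WASMOPTFLAGS` is expanded unquoted on the wasm-opt line, which is needed for the empty case, so a short comment there would stop it being "fixed" with quotes later.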
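Review bot: Removing `certs` from the middle of the positional arguments of `EpoxyClient::new` moves `options` from third to second place, so existing JS callers written as `new EpoxyClient(url, certs, options)` now hand the certificate array to the `options` slot. How that fails depends on how wasm-bindgen converts `EpoxyClientOptions`, which is not visible in this hunk, so the break deserves a changelog or README line and a doc comment on the constructor, for example `/// Trust roots are compiled in; the former certs argument no longer exists.` The same commit drops the `./certs` export from client/package.json, which breaks importers of that path in the same way. The body of `new` continues outside the hunk.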
@@ -232,7 +231,7 @@ impl EpoxyClient {
 return Err(EpoxyError::InvalidUrlScheme);
 }
- let stream_provider = Arc::new(StreamProvider::new(wisp_url.to_string(), certs, &options)?);
+ let stream_provider = Arc::new(StreamProvider::new(wisp_url.to_string(), &options)?);
 let service = StreamProviderService(stream_provider.clone());
 let client = Client::builder(WasmExecutor)
diff --git a/client/src/stream_provider.rs b/client/src/stream_provider.rs
index 1e91686..ec6e394 100644
--- a/client/src/stream_provider.rs
+++ b/client/src/stream_provider.rs
@@ -10,11 +10,10 @@ use futures_util::{
 AsyncRead, AsyncWrite, Future,
 };
 use hyper_util_wasm::client::legacy::connect::{ConnectSvc, Connected, Connection};
-use js_sys::{Array, Reflect, Uint8Array};
+use lazy_static::lazy_static;
 use pin_project_lite::pin_project;
-use rustls_pki_types::{Der, TrustAnchor};
-use wasm_bindgen::{JsCast, JsValue};
 use wasm_bindgen_futures::spawn_local;
+use webpki_roots::TLS_SERVER_ROOTS;
 use wisp_mux::{
 extensions::{udp::UdpProtocolExtensionBuilder, ProtocolExtensionBuilder},
 ClientMux, MuxStreamAsyncRW, MuxStreamIo, StreamType,
@@ -22,18 +21,15 @@ use wisp_mux::{
 use crate::{console_log, ws_wrapper::WebSocketWrapper, EpoxyClientOptions, EpoxyError};
-fn object_to_trustanchor(obj: JsValue) -> Result, JsValue> {
- let subject: Uint8Array = Reflect::get(&obj, &"subject".into())?.dyn_into()?;
- let pub_key_info: Uint8Array =
- Reflect::get(&obj, &"subject_public_key_info".into())?.dyn_into()?;
- let name_constraints: Option = Reflect::get(&obj, &"name_constraints".into())
- .and_then(|x| x.dyn_into())
- .ok();
- Ok(TrustAnchor {
- subject: Der::from(subject.to_vec()),
- subject_public_key_info: Der::from(pub_key_info.to_vec()),
- name_constraints: name_constraints.map(|x| Der::from(x.to_vec())),
- })
+lazy_static! {
+ static ref CLIENT_CONFIG: Arc = {
+ let certstore = RootCertStore::from_iter(TLS_SERVER_ROOTS.iter().cloned());
+ Arc::new(
+ ClientConfig::builder()
+ .with_root_certificates(certstore)
+ .with_no_client_auth(),
+ )
+ };
 }
 pub struct StreamProvider {
@@ -43,8 +39,6 @@ pub struct StreamProvider {
 udp_extension: bool,
 websocket_protocols: Vec,
- client_config: Arc,
-
 current_client: Arc>>,
 }
@@ -54,27 +48,13 @@ pub type ProviderTlsAsyncRW = TlsStream;
 pub type ProviderAsyncRW = Either;
 impl StreamProvider {
- pub fn new(
- wisp_url: String,
- certs: Array,
- options: &EpoxyClientOptions,
- ) -> Result {
- let certs: Result, JsValue> =
- certs.iter().map(object_to_trustanchor).collect();
- let certstore = RootCertStore::from_iter(certs.map_err(|_| EpoxyError::InvalidCertStore)?);
- let client_config = Arc::new(
- ClientConfig::builder()
- .with_root_certificates(certstore)
- .with_no_client_auth(),
- );
-
+ pub fn new(wisp_url: String, options: &EpoxyClientOptions) -> Result {
 Ok(Self {
 wisp_url,
 current_client: Arc::new(Mutex::new(None)),
 wisp_v2: options.wisp_v2,
 udp_extension: options.udp_extension_required,
 websocket_protocols: options.websocket_protocols.clone(),
- client_config,
 })
 }
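Review bot: The trust anchors behind `CLIENT_CONFIG` are now fixed at compile time to whatever `webpki-roots` version the build resolves (client/Cargo.toml asks for 0.26.3), and the static carries no comment saying so. Before this change the caller supplied the `certs` array, so an embedder could add a private CA or drop a distrusted root without a new wasm build; now every client in the process shares one root set that changes only with a dependency bump and republish. I would document that on the static, for example `/// Shared rustls config; roots come from the webpki-roots crate at build time, so a root removal ships only with a dependency bump and rebuild.` If any embedder still needs a custom or pinned root set, an optional override in `EpoxyClientOptions` would keep that possible; whether any caller relies on it is not visible in this diff.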
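Review bot: `StreamProvider::new` keeps its `Result` return type, but the new body visible in this hunk is only `Ok(Self { ... })` with no fallible step left. Keeping `Result` is reasonable because the caller in lib.rs still uses `?`, but a short doc comment should say the function currently cannot fail, for example `/// Currently infallible; Result is kept so callers do not change.` The removed lines were the only visible producer of `EpoxyError::InvalidCertStore`; its definition is outside this diff, so check whether the variant is now dead and should be removed or kept for API compatibility.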
@@ -153,7 +133,7 @@ impl StreamProvider {
 let stream = self
 .get_asyncread(StreamType::Tcp, host.clone(), port)
 .await?;
- let connector = TlsConnector::from(self.client_config.clone());
+ let connector = TlsConnector::from(CLIENT_CONFIG.clone());
 Ok(connector.connect(host.try_into()?, stream).await?.into())
 }
 }