diff --git a/Cargo.toml b/Cargo.toml
index ca5b7170..ebc3ec63 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -14,7 +14,7 @@ exclude = ["/.github", "/examples", "/scripts"]
 
 [dependencies]
 tokio = "1.0"
-rustls = { version = "0.21.6", default-features = false }
+rustls = { version = "=0.22.0-alpha.2", default-features = false }
 
 [features]
 default = ["logging", "tls12"]
@@ -29,6 +29,6 @@ argh = "0.1"
 tokio = { version = "1.0", features = ["full"] }
 futures-util = "0.3.1"
 lazy_static = "1"
-webpki-roots = "0.25"
-rustls-pemfile = "1"
-webpki = { package = "rustls-webpki", version = "0.101.2", features = ["alloc", "std"] }
+webpki-roots = "=0.26.0-alpha.1"
+rustls-pemfile = "=2.0.0-alpha.1"
+webpki = { package = "rustls-webpki", version = "=0.102.0-alpha.2", features = ["alloc", "std"] }
diff --git a/examples/client.rs b/examples/client.rs
index 3b6eb0f6..193f0133 100644
--- a/examples/client.rs
+++ b/examples/client.rs
@@ -8,7 +8,6 @@ use std::sync::Arc;
 use argh::FromArgs;
 use tokio::io::{copy, split, stdin as tokio_stdin, stdout as tokio_stdout, AsyncWriteExt};
 use tokio::net::TcpStream;
-use tokio_rustls::rustls::{self, OwnedTrustAnchor};
 use tokio_rustls::TlsConnector;
 
 /// Tokio Rustls client example
@@ -45,24 +44,11 @@ async fn main() -> io::Result<()> {
     let mut root_cert_store = rustls::RootCertStore::empty();
     if let Some(cafile) = &options.cafile {
         let mut pem = BufReader::new(File::open(cafile)?);
-        let certs = rustls_pemfile::certs(&mut pem)?;
-        let trust_anchors = certs.iter().map(|cert| {
-            let ta = webpki::TrustAnchor::try_from_cert_der(&cert[..]).unwrap();
-            OwnedTrustAnchor::from_subject_spki_name_constraints(
-                ta.subject,
-                ta.spki,
-                ta.name_constraints,
-            )
-        });
-        root_cert_store.add_trust_anchors(trust_anchors);
+        for cert in rustls_pemfile::certs(&mut pem) {
+            root_cert_store.add(cert?).unwrap();
+        }
     } else {
-        root_cert_store.add_trust_anchors(webpki_roots::TLS_SERVER_ROOTS.iter().map(|ta| {
-            OwnedTrustAnchor::from_subject_spki_name_constraints(
-                ta.subject,
-                ta.spki,
-                ta.name_constraints,
-            )
-        }));
+        root_cert_store.add_trust_anchors(webpki_roots::TLS_SERVER_ROOTS.iter().cloned());
     }
 
     let config = rustls::ClientConfig::builder()
diff --git a/examples/server.rs b/examples/server.rs
index 94dcc405..b81b76c3 100644
--- a/examples/server.rs
+++ b/examples/server.rs
@@ -8,8 +8,8 @@ use argh::FromArgs;
 use rustls_pemfile::{certs, rsa_private_keys};
 use tokio::io::{copy, sink, split, AsyncWriteExt};
 use tokio::net::TcpListener;
-use tokio_rustls::rustls::{self, Certificate, PrivateKey};
 use tokio_rustls::TlsAcceptor;
+use webpki::types::{CertificateDer, PrivateKeyDer};
 
 /// Tokio Rustls server example
 #[derive(FromArgs)]
@@ -31,16 +31,15 @@ struct Options {
     echo_mode: bool,
 }
 
-fn load_certs(path: &Path) -> io::Result<Vec<Certificate>> {
-    certs(&mut BufReader::new(File::open(path)?))
-        .map_err(|_| io::Error::new(io::ErrorKind::InvalidInput, "invalid cert"))
-        .map(|mut certs| certs.drain(..).map(Certificate).collect())
+fn load_certs(path: &Path) -> io::Result<Vec<CertificateDer<'static>>> {
+    certs(&mut BufReader::new(File::open(path)?)).collect()
 }
 
-fn load_keys(path: &Path) -> io::Result<Vec<PrivateKey>> {
+fn load_keys(path: &Path) -> io::Result<PrivateKeyDer<'static>> {
     rsa_private_keys(&mut BufReader::new(File::open(path)?))
-        .map_err(|_| io::Error::new(io::ErrorKind::InvalidInput, "invalid key"))
-        .map(|mut keys| keys.drain(..).map(PrivateKey).collect())
+        .next()
+        .unwrap()
+        .map(Into::into)
 }
 
 #[tokio::main]
@@ -53,13 +52,13 @@ async fn main() -> io::Result<()> {
         .next()
         .ok_or_else(|| io::Error::from(io::ErrorKind::AddrNotAvailable))?;
     let certs = load_certs(&options.cert)?;
-    let mut keys = load_keys(&options.key)?;
+    let key = load_keys(&options.key)?;
     let flag_echo = options.echo_mode;
 
     let config = rustls::ServerConfig::builder()
         .with_safe_defaults()
         .with_no_client_auth()
-        .with_single_cert(certs, keys.remove(0))
+        .with_single_cert(certs, key)
         .map_err(|err| io::Error::new(io::ErrorKind::InvalidInput, err))?;
     let acceptor = TlsAcceptor::from(Arc::new(config));
 
diff --git a/src/lib.rs b/src/lib.rs
index e39ee353..3045d927 100644
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -47,6 +47,7 @@ use std::sync::Arc;
 use std::task::{Context, Poll};
 
 pub use rustls;
+use rustls::crypto::ring::Ring;
 use rustls::{ClientConfig, ClientConnection, CommonState, ServerConfig, ServerConnection};
 use tokio::io::{AsyncRead, AsyncWrite, ReadBuf};
 
@@ -67,7 +68,7 @@ pub mod server;
 /// A wrapper around a `rustls::ClientConfig`, providing an async `connect` method.
 #[derive(Clone)]
 pub struct TlsConnector {
-    inner: Arc<ClientConfig>,
+    inner: Arc<ClientConfig<Ring>>,
     #[cfg(feature = "early-data")]
     early_data: bool,
 }
@@ -75,11 +76,11 @@ pub struct TlsConnector {
 /// A wrapper around a `rustls::ServerConfig`, providing an async `accept` method.
 #[derive(Clone)]
 pub struct TlsAcceptor {
-    inner: Arc<ServerConfig>,
+    inner: Arc<ServerConfig<Ring>>,
 }
 
-impl From<Arc<ClientConfig>> for TlsConnector {
-    fn from(inner: Arc<ClientConfig>) -> TlsConnector {
+impl From<Arc<ClientConfig<Ring>>> for TlsConnector {
+    fn from(inner: Arc<ClientConfig<Ring>>) -> TlsConnector {
         TlsConnector {
             inner,
             #[cfg(feature = "early-data")]
@@ -88,8 +89,8 @@ impl From<Arc<ClientConfig>> for TlsConnector {
     }
 }
 
-impl From<Arc<ServerConfig>> for TlsAcceptor {
-    fn from(inner: Arc<ServerConfig>) -> TlsAcceptor {
+impl From<Arc<ServerConfig<Ring>>> for TlsAcceptor {
+    fn from(inner: Arc<ServerConfig<Ring>>) -> TlsAcceptor {
         TlsAcceptor { inner }
     }
 }
@@ -210,9 +211,10 @@ where
     /// # Example
     ///
     /// ```no_run
+    /// # use rustls::crypto::ring::Ring;
     /// # fn choose_server_config(
     /// #     _: rustls::server::ClientHello,
-    /// # ) -> std::sync::Arc<rustls::ServerConfig> {
+    /// # ) -> std::sync::Arc<rustls::ServerConfig<Ring>> {
     /// #     unimplemented!();
     /// # }
     /// # #[allow(unused_variables)]
@@ -304,11 +306,11 @@ where
         self.accepted.client_hello()
     }
 
-    pub fn into_stream(self, config: Arc<ServerConfig>) -> Accept<IO> {
+    pub fn into_stream(self, config: Arc<ServerConfig<Ring>>) -> Accept<IO> {
         self.into_stream_with(config, |_| ())
     }
 
-    pub fn into_stream_with<F>(self, config: Arc<ServerConfig>, f: F) -> Accept<IO>
+    pub fn into_stream_with<F>(self, config: Arc<ServerConfig<Ring>>, f: F) -> Accept<IO>
     where
         F: FnOnce(&mut ServerConnection),
     {
diff --git a/tests/badssl.rs b/tests/badssl.rs
index a130b6c8..21afdefa 100644
--- a/tests/badssl.rs
+++ b/tests/badssl.rs
@@ -2,16 +2,17 @@ use std::io;
 use std::net::ToSocketAddrs;
 use std::sync::Arc;
 
+use rustls::crypto::ring::Ring;
 use tokio::io::{AsyncReadExt, AsyncWriteExt};
 use tokio::net::TcpStream;
 use tokio_rustls::{
     client::TlsStream,
-    rustls::{self, ClientConfig, OwnedTrustAnchor},
+    rustls::{self, ClientConfig},
     TlsConnector,
 };
 
 async fn get(
-    config: Arc<ClientConfig>,
+    config: Arc<ClientConfig<Ring>>,
     domain: &str,
     port: u16,
 ) -> io::Result<(TlsStream<TcpStream>, String)> {
@@ -34,13 +35,7 @@ async fn get(
 #[tokio::test]
 async fn test_tls12() -> io::Result<()> {
     let mut root_store = rustls::RootCertStore::empty();
-    root_store.add_trust_anchors(webpki_roots::TLS_SERVER_ROOTS.iter().map(|ta| {
-        OwnedTrustAnchor::from_subject_spki_name_constraints(
-            ta.subject,
-            ta.spki,
-            ta.name_constraints,
-        )
-    }));
+    root_store.add_trust_anchors(webpki_roots::TLS_SERVER_ROOTS.iter().cloned());
     let config = rustls::ClientConfig::builder()
         .with_safe_default_cipher_suites()
         .with_safe_default_kx_groups()
@@ -72,13 +67,7 @@ fn test_tls13() {
 #[tokio::test]
 async fn test_modern() -> io::Result<()> {
     let mut root_store = rustls::RootCertStore::empty();
-    root_store.add_trust_anchors(webpki_roots::TLS_SERVER_ROOTS.iter().map(|ta| {
-        OwnedTrustAnchor::from_subject_spki_name_constraints(
-            ta.subject,
-            ta.spki,
-            ta.name_constraints,
-        )
-    }));
+    root_store.add_trust_anchors(webpki_roots::TLS_SERVER_ROOTS.iter().cloned());
     let config = rustls::ClientConfig::builder()
         .with_safe_defaults()
         .with_root_certificates(root_store)
diff --git a/tests/early-data.rs b/tests/early-data.rs
index 9d83bcca..dc44e29d 100644
--- a/tests/early-data.rs
+++ b/tests/early-data.rs
@@ -10,16 +10,13 @@ use std::thread;
 use std::time::Duration;
 
 use futures_util::{future, future::Future, ready};
-use rustls::RootCertStore;
+use rustls::crypto::ring::Ring;
+use rustls::{self, ClientConfig, RootCertStore};
 use tokio::io::{split, AsyncRead, AsyncWriteExt, ReadBuf};
 use tokio::net::TcpStream;
 use tokio::sync::oneshot;
 use tokio::time::sleep;
-use tokio_rustls::{
-    client::TlsStream,
-    rustls::{self, ClientConfig, OwnedTrustAnchor},
-    TlsConnector,
-};
+use tokio_rustls::{client::TlsStream, TlsConnector};
 
 struct Read1<T>(T);
 
@@ -42,7 +39,7 @@ impl<T: AsyncRead + Unpin> Future for Read1<T> {
 }
 
 async fn send(
-    config: Arc<ClientConfig>,
+    config: Arc<ClientConfig<Ring>>,
     addr: SocketAddr,
     data: &[u8],
 ) -> io::Result<TlsStream<TcpStream>> {
@@ -132,17 +129,11 @@ async fn test_0rtt() -> io::Result<()> {
     wait_for_server(format!("127.0.0.1:{}", server_port).as_str()).await;
 
     let mut chain = BufReader::new(Cursor::new(include_str!("end.chain")));
-    let certs = rustls_pemfile::certs(&mut chain).unwrap();
-    let trust_anchors = certs.iter().map(|cert| {
-        let ta = webpki::TrustAnchor::try_from_cert_der(&cert[..]).unwrap();
-        OwnedTrustAnchor::from_subject_spki_name_constraints(
-            ta.subject,
-            ta.spki,
-            ta.name_constraints,
-        )
-    });
     let mut root_store = RootCertStore::empty();
-    root_store.add_trust_anchors(trust_anchors);
+    for cert in rustls_pemfile::certs(&mut chain) {
+        root_store.add(cert.unwrap()).unwrap();
+    }
+
     let mut config = rustls::ClientConfig::builder()
         .with_safe_default_cipher_suites()
         .with_safe_default_kx_groups()
diff --git a/tests/test.rs b/tests/test.rs
index 9f83db8d..8f9699b8 100644
--- a/tests/test.rs
+++ b/tests/test.rs
@@ -7,7 +7,8 @@ use std::{io, thread};
 
 use futures_util::future::TryFutureExt;
 use lazy_static::lazy_static;
-use rustls::{ClientConfig, OwnedTrustAnchor};
+use rustls::crypto::ring::Ring;
+use rustls::ClientConfig;
 use rustls_pemfile::{certs, rsa_private_keys};
 use tokio::io::{copy, split, AsyncReadExt, AsyncWriteExt};
 use tokio::net::{TcpListener, TcpStream};
@@ -22,17 +23,17 @@ const RSA: &str = include_str!("end.rsa");
 lazy_static! {
     static ref TEST_SERVER: (SocketAddr, &'static str, &'static [u8]) = {
         let cert = certs(&mut BufReader::new(Cursor::new(CERT)))
-            .unwrap()
-            .drain(..)
-            .map(rustls::Certificate)
+            .map(|result| result.unwrap())
             .collect();
-        let mut keys = rsa_private_keys(&mut BufReader::new(Cursor::new(RSA))).unwrap();
-        let mut keys = keys.drain(..).map(rustls::PrivateKey);
+        let key = rsa_private_keys(&mut BufReader::new(Cursor::new(RSA)))
+            .next()
+            .unwrap()
+            .unwrap();
 
         let config = rustls::ServerConfig::builder()
             .with_safe_defaults()
             .with_no_client_auth()
-            .with_single_cert(cert, keys.next().unwrap())
+            .with_single_cert(cert, key.into())
             .unwrap();
         let acceptor = TlsAcceptor::from(Arc::new(config));
 
@@ -83,7 +84,11 @@ fn start_server() -> &'static (SocketAddr, &'static str, &'static [u8]) {
     &TEST_SERVER
 }
 
-async fn start_client(addr: SocketAddr, domain: &str, config: Arc<ClientConfig>) -> io::Result<()> {
+async fn start_client(
+    addr: SocketAddr,
+    domain: &str,
+    config: Arc<ClientConfig<Ring>>,
+) -> io::Result<()> {
     const FILE: &[u8] = include_bytes!("../README.md");
 
     let domain = rustls::ServerName::try_from(domain).unwrap();
@@ -111,16 +116,10 @@ async fn pass() -> io::Result<()> {
     use std::time::*;
     tokio::time::sleep(Duration::from_secs(1)).await;
 
-    let chain = certs(&mut std::io::Cursor::new(*chain)).unwrap();
     let mut root_store = rustls::RootCertStore::empty();
-    root_store.add_trust_anchors(chain.iter().map(|cert| {
-        let ta = webpki::TrustAnchor::try_from_cert_der(&cert[..]).unwrap();
-        OwnedTrustAnchor::from_subject_spki_name_constraints(
-            ta.subject,
-            ta.spki,
-            ta.name_constraints,
-        )
-    }));
+    for cert in certs(&mut std::io::Cursor::new(*chain)) {
+        root_store.add(cert.unwrap()).unwrap();
+    }
 
     let config = rustls::ClientConfig::builder()
         .with_safe_defaults()
@@ -137,16 +136,10 @@ async fn pass() -> io::Result<()> {
 async fn fail() -> io::Result<()> {
     let (addr, domain, chain) = start_server();
 
-    let chain = certs(&mut std::io::Cursor::new(*chain)).unwrap();
     let mut root_store = rustls::RootCertStore::empty();
-    root_store.add_trust_anchors(chain.iter().map(|cert| {
-        let ta = webpki::TrustAnchor::try_from_cert_der(&cert[..]).unwrap();
-        OwnedTrustAnchor::from_subject_spki_name_constraints(
-            ta.subject,
-            ta.spki,
-            ta.name_constraints,
-        )
-    }));
+    for cert in certs(&mut std::io::Cursor::new(*chain)) {
+        root_store.add(cert.unwrap()).unwrap();
+    }
 
     let config = rustls::ClientConfig::builder()
         .with_safe_defaults()
diff --git a/tests/utils.rs b/tests/utils.rs
index 8e8237f9..ae916f03 100644
--- a/tests/utils.rs
+++ b/tests/utils.rs
@@ -2,39 +2,34 @@ mod utils {
     use std::io::{BufReader, Cursor};
     use std::sync::Arc;
 
-    use rustls::{ClientConfig, OwnedTrustAnchor, PrivateKey, RootCertStore, ServerConfig};
+    use rustls::crypto::ring::Ring;
+    use rustls::{ClientConfig, RootCertStore, ServerConfig};
     use rustls_pemfile::{certs, rsa_private_keys};
 
     #[allow(dead_code)]
-    pub fn make_configs() -> (Arc<ServerConfig>, Arc<ClientConfig>) {
+    pub fn make_configs() -> (Arc<ServerConfig<Ring>>, Arc<ClientConfig<Ring>>) {
         const CERT: &str = include_str!("end.cert");
         const CHAIN: &str = include_str!("end.chain");
         const RSA: &str = include_str!("end.rsa");
 
         let cert = certs(&mut BufReader::new(Cursor::new(CERT)))
-            .unwrap()
-            .drain(..)
-            .map(rustls::Certificate)
+            .map(|result| result.unwrap())
             .collect();
-        let mut keys = rsa_private_keys(&mut BufReader::new(Cursor::new(RSA))).unwrap();
-        let mut keys = keys.drain(..).map(PrivateKey);
+        let key = rsa_private_keys(&mut BufReader::new(Cursor::new(RSA)))
+            .next()
+            .unwrap()
+            .unwrap();
         let sconfig = ServerConfig::builder()
             .with_safe_defaults()
             .with_no_client_auth()
-            .with_single_cert(cert, keys.next().unwrap())
+            .with_single_cert(cert, key.into())
             .unwrap();
 
         let mut client_root_cert_store = RootCertStore::empty();
         let mut chain = BufReader::new(Cursor::new(CHAIN));
-        let certs = certs(&mut chain).unwrap();
-        client_root_cert_store.add_trust_anchors(certs.iter().map(|cert| {
-            let ta = webpki::TrustAnchor::try_from_cert_der(&cert[..]).unwrap();
-            OwnedTrustAnchor::from_subject_spki_name_constraints(
-                ta.subject,
-                ta.spki,
-                ta.name_constraints,
-            )
-        }));
+        for cert in certs(&mut chain) {
+            client_root_cert_store.add(cert.unwrap()).unwrap();
+        }
 
         let cconfig = ClientConfig::builder()
             .with_safe_defaults()