diff --git a/actix-http/Cargo.toml b/actix-http/Cargo.toml
index efd20905a..c00c2ee04 100644
--- a/actix-http/Cargo.toml
+++ b/actix-http/Cargo.toml
@@ -135,7 +135,7 @@ env_logger = "0.11"
 futures-util = { version = "0.3.17", default-features = false, features = ["alloc"] }
 memchr = "2.4"
 once_cell = "1.9"
-rcgen = "0.12"
+rcgen = "0.13"
 regex = "1.3"
 rustversion = "1"
 rustls-pemfile = "2"
diff --git a/actix-http/examples/tls_rustls.rs b/actix-http/examples/tls_rustls.rs
index 3e273d79c..17303c556 100644
--- a/actix-http/examples/tls_rustls.rs
+++ b/actix-http/examples/tls_rustls.rs
@@ -43,9 +43,10 @@ async fn main() -> io::Result<()> {
 }
 
 fn rustls_config() -> rustls::ServerConfig {
-    let cert = rcgen::generate_simple_self_signed(vec!["localhost".to_owned()]).unwrap();
-    let cert_file = cert.serialize_pem().unwrap();
-    let key_file = cert.serialize_private_key_pem();
+    let rcgen::CertifiedKey { cert, key_pair } =
+        rcgen::generate_simple_self_signed(["localhost".to_owned()]).unwrap();
+    let cert_file = cert.pem();
+    let key_file = key_pair.serialize_pem();
 
     let cert_file = &mut io::BufReader::new(cert_file.as_bytes());
     let key_file = &mut io::BufReader::new(key_file.as_bytes());
diff --git a/actix-http/examples/ws.rs b/actix-http/examples/ws.rs
index fac6b136b..fb86bc5ea 100644
--- a/actix-http/examples/ws.rs
+++ b/actix-http/examples/ws.rs
@@ -87,9 +87,10 @@ fn tls_config() -> rustls::ServerConfig {
 
     use rustls_pemfile::{certs, pkcs8_private_keys};
 
-    let cert = rcgen::generate_simple_self_signed(vec!["localhost".to_owned()]).unwrap();
-    let cert_file = cert.serialize_pem().unwrap();
-    let key_file = cert.serialize_private_key_pem();
+    let rcgen::CertifiedKey { cert, key_pair } =
+        rcgen::generate_simple_self_signed(["localhost".to_owned()]).unwrap();
+    let cert_file = cert.pem();
+    let key_file = key_pair.serialize_pem();
 
     let cert_file = &mut BufReader::new(cert_file.as_bytes());
     let key_file = &mut BufReader::new(key_file.as_bytes());
diff --git a/actix-http/tests/test_openssl.rs b/actix-http/tests/test_openssl.rs
index cb16a4fec..4dd22b585 100644
--- a/actix-http/tests/test_openssl.rs
+++ b/actix-http/tests/test_openssl.rs
@@ -42,9 +42,11 @@ where
 }
 
 fn tls_config() -> SslAcceptor {
-    let cert = rcgen::generate_simple_self_signed(vec!["localhost".to_owned()]).unwrap();
-    let cert_file = cert.serialize_pem().unwrap();
-    let key_file = cert.serialize_private_key_pem();
+    let rcgen::CertifiedKey { cert, key_pair } =
+        rcgen::generate_simple_self_signed(["localhost".to_owned()]).unwrap();
+    let cert_file = cert.pem();
+    let key_file = key_pair.serialize_pem();
+
     let cert = X509::from_pem(cert_file.as_bytes()).unwrap();
     let key = PKey::private_key_from_pem(key_file.as_bytes()).unwrap();
 
diff --git a/actix-http/tests/test_rustls.rs b/actix-http/tests/test_rustls.rs
index fd2064d56..3ca0d94c2 100644
--- a/actix-http/tests/test_rustls.rs
+++ b/actix-http/tests/test_rustls.rs
@@ -52,9 +52,10 @@ where
 }
 
 fn tls_config() -> RustlsServerConfig {
-    let cert = rcgen::generate_simple_self_signed(vec!["localhost".to_owned()]).unwrap();
-    let cert_file = cert.serialize_pem().unwrap();
-    let key_file = cert.serialize_private_key_pem();
+    let rcgen::CertifiedKey { cert, key_pair } =
+        rcgen::generate_simple_self_signed(["localhost".to_owned()]).unwrap();
+    let cert_file = cert.pem();
+    let key_file = key_pair.serialize_pem();
 
     let cert_file = &mut BufReader::new(cert_file.as_bytes());
     let key_file = &mut BufReader::new(key_file.as_bytes());
diff --git a/actix-web/Cargo.toml b/actix-web/Cargo.toml
index cd09c3054..bd24ea35f 100644
--- a/actix-web/Cargo.toml
+++ b/actix-web/Cargo.toml
@@ -135,7 +135,7 @@ env_logger = "0.11"
 flate2 = "1.0.13"
 futures-util = { version = "0.3.17", default-features = false, features = ["std"] }
 rand = "0.8"
-rcgen = "0.12"
+rcgen = "0.13"
 rustls-pemfile = "2"
 serde = { version = "1.0", features = ["derive"] }
 static_assertions = "1"
diff --git a/actix-web/tests/test_httpserver.rs b/actix-web/tests/test_httpserver.rs
index 86e0575f3..039c0ffbc 100644
--- a/actix-web/tests/test_httpserver.rs
+++ b/actix-web/tests/test_httpserver.rs
@@ -64,9 +64,11 @@ fn ssl_acceptor() -> openssl::ssl::SslAcceptorBuilder {
         x509::X509,
     };
 
-    let cert = rcgen::generate_simple_self_signed(vec!["localhost".to_owned()]).unwrap();
-    let cert_file = cert.serialize_pem().unwrap();
-    let key_file = cert.serialize_private_key_pem();
+    let rcgen::CertifiedKey { cert, key_pair } =
+        rcgen::generate_simple_self_signed(["localhost".to_owned()]).unwrap();
+    let cert_file = cert.pem();
+    let key_file = key_pair.serialize_pem();
+
     let cert = X509::from_pem(cert_file.as_bytes()).unwrap();
     let key = PKey::private_key_from_pem(key_file.as_bytes()).unwrap();
 
diff --git a/actix-web/tests/test_server.rs b/actix-web/tests/test_server.rs
index 60d282351..960cf1e2b 100644
--- a/actix-web/tests/test_server.rs
+++ b/actix-web/tests/test_server.rs
@@ -34,9 +34,11 @@ const STR: &str = const_str::repeat!(S, 100);
 
 #[cfg(feature = "openssl")]
 fn openssl_config() -> SslAcceptor {
-    let cert = rcgen::generate_simple_self_signed(vec!["localhost".to_owned()]).unwrap();
-    let cert_file = cert.serialize_pem().unwrap();
-    let key_file = cert.serialize_private_key_pem();
+    let rcgen::CertifiedKey { cert, key_pair } =
+        rcgen::generate_simple_self_signed(["localhost".to_owned()]).unwrap();
+    let cert_file = cert.pem();
+    let key_file = key_pair.serialize_pem();
+
     let cert = X509::from_pem(cert_file.as_bytes()).unwrap();
     let key = PKey::private_key_from_pem(key_file.as_bytes()).unwrap();
 
@@ -714,9 +716,10 @@ mod plus_rustls {
     use super::*;
 
     fn tls_config() -> RustlsServerConfig {
-        let cert = rcgen::generate_simple_self_signed(vec!["localhost".to_owned()]).unwrap();
-        let cert_file = cert.serialize_pem().unwrap();
-        let key_file = cert.serialize_private_key_pem();
+        let rcgen::CertifiedKey { cert, key_pair } =
+            rcgen::generate_simple_self_signed(["localhost".to_owned()]).unwrap();
+        let cert_file = cert.pem();
+        let key_file = key_pair.serialize_pem();
 
         let cert_file = &mut BufReader::new(cert_file.as_bytes());
         let key_file = &mut BufReader::new(key_file.as_bytes());
diff --git a/awc/Cargo.toml b/awc/Cargo.toml
index 2ba8ada31..b1ee62361 100644
--- a/awc/Cargo.toml
+++ b/awc/Cargo.toml
@@ -130,7 +130,7 @@ env_logger = "0.11"
 flate2 = "1.0.13"
 futures-util = { version = "0.3.17", default-features = false }
 static_assertions = "1.1"
-rcgen = "0.12"
+rcgen = "0.13"
 rustls-pemfile = "2"
 tokio = { version = "1.24.2", features = ["rt-multi-thread", "macros"] }
 zstd = "0.13"
diff --git a/awc/tests/test_connector.rs b/awc/tests/test_connector.rs
index b3eb97367..a8b7e98c1 100644
--- a/awc/tests/test_connector.rs
+++ b/awc/tests/test_connector.rs
@@ -13,9 +13,11 @@ use openssl::{
 };
 
 fn tls_config() -> SslAcceptor {
-    let cert = rcgen::generate_simple_self_signed(vec!["localhost".to_owned()]).unwrap();
-    let cert_file = cert.serialize_pem().unwrap();
-    let key_file = cert.serialize_private_key_pem();
+    let rcgen::CertifiedKey { cert, key_pair } =
+        rcgen::generate_simple_self_signed(["localhost".to_owned()]).unwrap();
+    let cert_file = cert.pem();
+    let key_file = key_pair.serialize_pem();
+
     let cert = X509::from_pem(cert_file.as_bytes()).unwrap();
     let key = PKey::private_key_from_pem(key_file.as_bytes()).unwrap();
 
diff --git a/awc/tests/test_rustls_client.rs b/awc/tests/test_rustls_client.rs
index 719d25119..7e832f67d 100644
--- a/awc/tests/test_rustls_client.rs
+++ b/awc/tests/test_rustls_client.rs
@@ -23,9 +23,10 @@ use rustls::{
 use rustls_pemfile::{certs, pkcs8_private_keys};
 
 fn tls_config() -> ServerConfig {
-    let cert = rcgen::generate_simple_self_signed(vec!["localhost".to_owned()]).unwrap();
-    let cert_file = cert.serialize_pem().unwrap();
-    let key_file = cert.serialize_private_key_pem();
+    let rcgen::CertifiedKey { cert, key_pair } =
+        rcgen::generate_simple_self_signed(["localhost".to_owned()]).unwrap();
+    let cert_file = cert.pem();
+    let key_file = key_pair.serialize_pem();
 
     let cert_file = &mut BufReader::new(cert_file.as_bytes());
     let key_file = &mut BufReader::new(key_file.as_bytes());
diff --git a/awc/tests/test_ssl_client.rs b/awc/tests/test_ssl_client.rs
index 5273c3fff..95d4c15f1 100644
--- a/awc/tests/test_ssl_client.rs
+++ b/awc/tests/test_ssl_client.rs
@@ -19,9 +19,11 @@ use openssl::{
 };
 
 fn tls_config() -> SslAcceptor {
-    let cert = rcgen::generate_simple_self_signed(vec!["localhost".to_owned()]).unwrap();
-    let cert_file = cert.serialize_pem().unwrap();
-    let key_file = cert.serialize_private_key_pem();
+    let rcgen::CertifiedKey { cert, key_pair } =
+        rcgen::generate_simple_self_signed(["localhost".to_owned()]).unwrap();
+    let cert_file = cert.pem();
+    let key_file = key_pair.serialize_pem();
+
     let cert = X509::from_pem(cert_file.as_bytes()).unwrap();
     let key = PKey::private_key_from_pem(key_file.as_bytes()).unwrap();