diff --git a/Cargo.lock b/Cargo.lock
index 16636a75d8..a68ede5a51 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1931,7 +1931,7 @@ dependencies = [
  "paste",
  "percent-encoding",
  "proc-macro2",
- "rustls",
+ "rustls 0.21.9",
  "rustls-pemfile",
  "schemars",
  "serde",
@@ -3015,7 +3015,7 @@ dependencies = [
  "http",
  "hyper",
  "log",
- "rustls",
+ "rustls 0.21.9",
  "rustls-native-certs",
  "tokio",
  "tokio-rustls",
@@ -4106,7 +4106,7 @@ dependencies = [
  "rcgen",
  "ref-cast",
  "regex",
- "rustls",
+ "rustls 0.22.0",
  "samael",
  "serde",
  "serde_json",
@@ -4719,7 +4719,8 @@ dependencies = [
  "regex",
  "reqwest",
  "ring 0.16.20",
- "rustls",
+ "rustls 0.22.0",
+ "rustls-pki-types",
  "samael",
  "schemars",
  "semver 1.0.20",
@@ -4956,7 +4957,7 @@ dependencies = [
  "regex",
  "reqwest",
  "ring 0.16.20",
- "rustls",
+ "rustls-pki-types",
  "slog",
  "subprocess",
  "tar",
@@ -6652,7 +6653,7 @@ dependencies = [
  "once_cell",
  "percent-encoding",
  "pin-project-lite",
- "rustls",
+ "rustls 0.21.9",
  "rustls-pemfile",
  "serde",
  "serde_json",
@@ -6980,10 +6981,24 @@ checksum = "629648aced5775d558af50b2b4c7b02983a04b312126d45eeead26e7caa498b9"
 dependencies = [
  "log",
  "ring 0.17.5",
- "rustls-webpki",
+ "rustls-webpki 0.101.7",
  "sct",
 ]
 
+[[package]]
+name = "rustls"
+version = "0.22.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5bc238b76c51bbc449c55ffbc39d03772a057cc8cf783c49d4af4c2537b74a8b"
+dependencies = [
+ "log",
+ "ring 0.17.5",
+ "rustls-pki-types",
+ "rustls-webpki 0.102.0",
+ "subtle",
+ "zeroize",
+]
+
 [[package]]
 name = "rustls-native-certs"
 version = "0.6.3"
@@ -7005,6 +7020,12 @@ dependencies = [
  "base64 0.21.5",
 ]
 
+[[package]]
+name = "rustls-pki-types"
+version = "1.0.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e7673e0aa20ee4937c6aacfc12bb8341cfbf054cdd21df6bec5fd0629fe9339b"
+
 [[package]]
 name = "rustls-webpki"
 version = "0.101.7"
@@ -7015,6 +7036,17 @@ dependencies = [
  "untrusted 0.9.0",
 ]
 
+[[package]]
+name = "rustls-webpki"
+version = "0.102.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "de2635c8bc2b88d367767c5de8ea1d8db9af3f6219eba28442242d9ab81d1b89"
+dependencies = [
+ "ring 0.17.5",
+ "rustls-pki-types",
+ "untrusted 0.9.0",
+]
+
 [[package]]
 name = "rustversion"
 version = "1.0.14"
@@ -8614,7 +8646,7 @@ version = "0.24.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c28327cf380ac148141087fbfb9de9d7bd4e84ab5d2c28fbc911d753de8a7081"
 dependencies = [
- "rustls",
+ "rustls 0.21.9",
  "tokio",
 ]
 
diff --git a/Cargo.toml b/Cargo.toml
index c0935aec6f..4ed3e558f0 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -309,7 +309,8 @@ ring = "0.16"
 rpassword = "7.3.1"
 rstest = "0.18.2"
 rustfmt-wrapper = "0.2"
-rustls = "0.21.9"
+rustls = "0.22.0"
+rustls-pki-types = "1.0.1"
 samael = { git = "https://github.com/njaremko/samael", features = ["xmlsec"], branch = "master" }
 schemars = "0.8.12"
 secrecy = "0.8.0"
diff --git a/nexus/Cargo.toml b/nexus/Cargo.toml
index 704a7ab7bd..0cd22968f2 100644
--- a/nexus/Cargo.toml
+++ b/nexus/Cargo.toml
@@ -85,6 +85,7 @@ oximeter.workspace = true
 oximeter-instruments = { workspace = true, features = ["http-instruments"] }
 oximeter-producer.workspace = true
 rustls = { workspace = true }
+rustls-pki-types.workspace = true
 omicron-workspace-hack.workspace = true
 
 [dev-dependencies]
diff --git a/nexus/src/app/external_endpoints.rs b/nexus/src/app/external_endpoints.rs
index f95c64d3eb..bb5bbc8b75 100644
--- a/nexus/src/app/external_endpoints.rs
+++ b/nexus/src/app/external_endpoints.rs
@@ -47,6 +47,8 @@ use omicron_common::bail_unless;
 use openssl::pkey::PKey;
 use openssl::x509::X509;
 use rustls::sign::CertifiedKey;
+use rustls_pki_types::CertificateDer;
+use rustls_pki_types::PrivateKeyDer;
 use serde::Serialize;
 use serde_with::SerializeDisplay;
 use std::collections::btree_map::Entry;
@@ -432,16 +434,20 @@ impl TryFrom<Certificate> for TlsCertificate {
             let private_key_der = private_key
                 .private_key_to_der()
                 .context("serializing private key to DER")?;
-            let rustls_private_key = rustls::PrivateKey(private_key_der);
+            // XXX: Is PKCS#8 correct?
+            let rustls_private_key =
+                PrivateKeyDer::Pkcs8(private_key_der.into());
             let rustls_signing_key =
-                rustls::sign::any_supported_type(&rustls_private_key)
-                    .context("parsing DER private key")?;
+                rustls::crypto::ring::sign::any_supported_type(
+                    &rustls_private_key,
+                )
+                .context("parsing DER private key")?;
             let rustls_certs = certs_pem
                 .iter()
                 .map(|x509| {
                     x509.to_der()
                         .context("serializing cert to DER")
-                        .map(rustls::Certificate)
+                        .map(CertificateDer::from)
                 })
                 .collect::<Result<_, _>>()?;
             Arc::new(CertifiedKey::new(rustls_certs, rustls_signing_key))
@@ -563,6 +569,7 @@ pub(crate) async fn read_all_endpoints(
 /// session.
 ///
 /// See the module-level comment for more details.
+#[derive(Debug)]
 pub struct NexusCertResolver {
     log: slog::Logger,
     config_rx: watch::Receiver<Option<ExternalEndpoints>>,
diff --git a/nexus/src/app/mod.rs b/nexus/src/app/mod.rs
index d4c2d596f8..3a69050e9a 100644
--- a/nexus/src/app/mod.rs
+++ b/nexus/src/app/mod.rs
@@ -509,11 +509,10 @@ impl Nexus {
             return None;
         }
 
+        // This used to specify safe default cipher suites, kx groups, and
+        // protocol versions, but starting rustls 0.22 the safe defaults are
+        // implicit.
         let mut rustls_cfg = rustls::ServerConfig::builder()
-            .with_safe_default_cipher_suites()
-            .with_safe_default_kx_groups()
-            .with_safe_default_protocol_versions()
-            .unwrap()
             .with_no_client_auth()
             .with_cert_resolver(Arc::new(NexusCertResolver::new(
                 self.log.new(o!("component" => "NexusCertResolver")),
diff --git a/test-utils/Cargo.toml b/test-utils/Cargo.toml
index 7f210134a2..66d7b98547 100644
--- a/test-utils/Cargo.toml
+++ b/test-utils/Cargo.toml
@@ -18,7 +18,7 @@ libc.workspace = true
 omicron-common.workspace = true
 pem.workspace = true
 ring.workspace = true
-rustls.workspace = true
+rustls-pki-types.workspace = true
 slog.workspace = true
 subprocess.workspace = true
 tempfile.workspace = true
diff --git a/test-utils/src/certificates.rs b/test-utils/src/certificates.rs
index ab84f30b15..760ed5b819 100644
--- a/test-utils/src/certificates.rs
+++ b/test-utils/src/certificates.rs
@@ -4,11 +4,13 @@
 
 //! Utilities for tests that need certificates.
 
+use rustls_pki_types::CertificateDer;
+
 // Utility structure for making a test certificate
 pub struct CertificateChain {
-    root_cert: rustls::Certificate,
-    intermediate_cert: rustls::Certificate,
-    end_cert: rustls::Certificate,
+    root_cert: CertificateDer<'static>,
+    intermediate_cert: CertificateDer<'static>,
+    end_cert: CertificateDer<'static>,
     end_keypair: rcgen::Certificate,
 }
 
@@ -36,17 +38,17 @@ impl CertificateChain {
         let end_keypair = rcgen::Certificate::from_params(params)
             .expect("failed to generate end-entity keys");
 
-        let root_cert = rustls::Certificate(
+        let root_cert = CertificateDer::from(
             root_keypair
                 .serialize_der()
                 .expect("failed to serialize root cert"),
         );
-        let intermediate_cert = rustls::Certificate(
+        let intermediate_cert = CertificateDer::from(
             intermediate_keypair
                 .serialize_der_with_signer(&root_keypair)
                 .expect("failed to serialize intermediate cert"),
         );
-        let end_cert = rustls::Certificate(
+        let end_cert = CertificateDer::from(
             end_keypair
                 .serialize_der_with_signer(&intermediate_keypair)
                 .expect("failed to serialize end-entity cert"),
@@ -63,7 +65,7 @@ impl CertificateChain {
         self.end_keypair.serialize_private_key_pem()
     }
 
-    fn cert_chain(&self) -> Vec<rustls::Certificate> {
+    fn cert_chain(&self) -> Vec<CertificateDer> {
         vec![
             self.end_cert.clone(),
             self.intermediate_cert.clone(),
@@ -76,12 +78,12 @@ impl CertificateChain {
     }
 }
 
-fn tls_cert_to_pem(certs: &Vec<rustls::Certificate>) -> String {
+fn tls_cert_to_pem(certs: &Vec<CertificateDer>) -> String {
     let mut serialized_certs = String::new();
     for cert in certs {
         let encoded_cert = pem::encode(&pem::Pem {
             tag: "CERTIFICATE".to_string(),
-            contents: cert.0.clone(),
+            contents: cert.as_ref().to_owned(),
         });
 
         serialized_certs.push_str(&encoded_cert);