diff --git a/Cargo.lock b/Cargo.lock
index 2410a9441b..f9844349e7 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1802,7 +1802,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "fc2f4eb4bc735547cfed7c0a4922cbd04a4655978c09b54f1f7b228750664c34"
 dependencies = [
  "cfg-if",
- "windows-targets 0.48.5",
+ "windows-targets 0.52.6",
 ]
 
 [[package]]
@@ -2777,6 +2777,21 @@ dependencies = [
  "yasna",
 ]
 
+[[package]]
+name = "rcgen"
+version = "0.14.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "49bc8ffa8a832eb1d7c8000337f8b0d2f4f2f5ec3cf4ddc26f125e3ad2451824"
+dependencies = [
+ "aws-lc-rs",
+ "pem",
+ "ring",
+ "rustls-pki-types",
+ "time",
+ "x509-parser",
+ "yasna",
+]
+
 [[package]]
 name = "redox_syscall"
 version = "0.5.11"
@@ -4455,7 +4470,8 @@ dependencies = [
  "prost-build",
  "prost-types",
  "rand 0.9.0",
- "rcgen",
+ "rcgen 0.13.3",
+ "rcgen 0.14.2",
  "ring",
  "rustc_version",
  "rustls",
diff --git a/Cargo.toml b/Cargo.toml
index 8a5ec78aa4..c35d6544ce 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -80,7 +80,7 @@ prometheus-parse = "0.2"
 prost = "0.13"
 prost-types = "0.13"
 rand = { version = "0.9" , features = ["small_rng"]}
-rcgen = { version = "0.13", optional = true, features = ["pem"] }
+rcgen = { version = "0.14", optional = true, features = ["pem"] }
 rustls = { version = "0.23", default-features = false }
 rustls-native-certs = "0.8"
 rustls-pemfile = "2.2"
diff --git a/fuzz/Cargo.lock b/fuzz/Cargo.lock
index 301b06b1ef..646583b285 100644
--- a/fuzz/Cargo.lock
+++ b/fuzz/Cargo.lock
@@ -2359,9 +2359,9 @@ dependencies = [
 [[package]]
 name = "rcgen"
-version = "0.13.2"
+version = "0.14.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "75e669e5202259b5314d1ea5397316ad400819437857b90861765f24c4cf80a2"
+checksum = "49bc8ffa8a832eb1d7c8000337f8b0d2f4f2f5ec3cf4ddc26f125e3ad2451824"
 dependencies = [
  "aws-lc-rs",
  "pem",
diff --git a/src/tls/certificate.rs b/src/tls/certificate.rs
index 551058ea2c..85667b80bb 100644
--- a/src/tls/certificate.rs
+++ b/src/tls/certificate.rs
@@ -428,7 +428,6 @@ mod test {
 SystemTime::now() + Duration::from_secs(60),
 None,
 TEST_ROOT_KEY,
- TEST_ROOT,
 );
 let cert1 =
 WorkloadCertificate::new(key.as_bytes(), cert.as_bytes(), vec![&joined]).unwrap();
@@ -440,7 +439,6 @@ mod test {
 SystemTime::now() + Duration::from_secs(60),
 None,
 TEST_ROOT2_KEY,
- TEST_ROOT2,
 );
 let cert2 =
 WorkloadCertificate::new(key.as_bytes(), cert.as_bytes(), vec![&joined]).unwrap();
diff --git a/src/tls/mock.rs b/src/tls/mock.rs
index b5c6112164..16a663336c 100644
--- a/src/tls/mock.rs
+++ b/src/tls/mock.rs
@@ -18,7 +18,6 @@ use std::fmt::{Display, Formatter};
 use rand::RngCore;
 use rand::SeedableRng;
 use rand::rngs::SmallRng;
-use rcgen::{Certificate, CertificateParams, KeyPair};
 use std::net::IpAddr;
 use std::sync::Arc;
 use std::time::{Duration, SystemTime};
@@ -105,8 +104,7 @@ pub fn generate_test_certs_at(
 not_after: SystemTime,
 rng: Option<&mut dyn rand::RngCore>,
 ) -> WorkloadCertificate {
- let (key, cert) = generate_test_certs_with_root(id, not_before, not_after, rng, TEST_ROOT_KEY, TEST_ROOT);
+ let (key, cert) = generate_test_certs_with_root(id, not_before, not_after, rng, TEST_ROOT_KEY);
 let mut workload =
 WorkloadCertificate::new(key.as_bytes(), cert.as_bytes(), vec![TEST_ROOT]).unwrap();
 // Certificates do not allow sub-millisecond, but we need this for tests.
@@ -121,7 +119,6 @@ pub fn generate_test_certs_with_root(
 not_after: SystemTime,
 rng: Option<&mut dyn rand::RngCore>,
 ca_key: &[u8],
- ca_cert: &[u8],
 ) -> (String, String) {
 use rcgen::*;
 let serial_number = {
@@ -150,15 +147,17 @@ pub fn generate_test_certs_with_root(
 ExtendedKeyUsagePurpose::ClientAuth,
 ];
 p.subject_alt_names = vec![match id {
- TestIdentity::Identity(i) => SanType::URI(Ia5String::try_from(i.to_string()).unwrap()),
+ TestIdentity::Identity(i) => {
+ SanType::URI(string::Ia5String::try_from(i.to_string()).unwrap())
+ }
 TestIdentity::Ip(i) => SanType::IpAddress(*i),
 }];
 let kp = KeyPair::from_pem(std::str::from_utf8(TEST_PKEY).unwrap()).unwrap();
 let ca_kp = KeyPair::from_pem(std::str::from_utf8(ca_key).unwrap()).unwrap();
 let key = kp.serialize_pem();
- let ca = test_ca(ca_key, ca_cert);
- let cert = p.signed_by(&kp, &ca, &ca_kp).unwrap();
+ let issuer = Issuer::from_params(&p, &ca_kp);
+ let cert = p.signed_by(&kp, &issuer).unwrap();
 let cert = cert.pem();
 (key, cert)
 }
@@ -172,12 +171,6 @@ pub fn generate_test_certs(
 generate_test_certs_at(id, not_before, not_before + duration_until_expiry, None)
 }
 
-fn test_ca(key: &[u8], cert: &[u8]) -> Certificate {
- let key = KeyPair::from_pem(std::str::from_utf8(key).unwrap()).unwrap();
- let ca_param = CertificateParams::from_ca_cert_pem(std::str::from_utf8(cert).unwrap()).unwrap();
- ca_param.self_signed(&key).unwrap()
-}
-
 #[derive(Debug, Clone)]
 pub struct MockServerCertProvider(Arc);
 
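Review bot: `Issuer::from_params(&p, &ca_kp)` derives the issuer from the leaf's own `CertificateParams` rather than from the CA certificate, so the issuer name written into the signed leaf (and whatever else rcgen's `Issuer` takes from the params, such as the key identifier method) now comes from `p` instead of from `TEST_ROOT`, whereas the removed `test_ca` read them from `ca_cert` via `CertificateParams::from_ca_cert_pem`. The leaf therefore only chains to `TEST_ROOT` as long as `p.distinguished_name`, set outside this hunk, happens to equal the root's subject, which is not visible here and leaves the tests sensitive to an unrelated change on either side. Keeping the `ca_cert: &[u8]` parameter dropped in the `@@ -121` hunk and building the issuer with `let issuer = Issuer::from_ca_cert_pem(std::str::from_utf8(ca_cert).unwrap(), ca_kp).unwrap();` (rcgen 0.14's replacement for `from_ca_cert_pem`, behind its `x509-parser` feature; the exact argument form should be checked against the 0.14 docs) preserves the previous behaviour. `generate_test_certs_with_root`'s signature is in the earlier hunk. Separately, the Cargo.lock hunk at `@@ -4455` now lists both `rcgen 0.13.3` and `rcgen 0.14.2` for the same package, which suggests a second rcgen dependency outside the shown Cargo.toml hunk was not bumped.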