diff --git a/tonic/Cargo.toml b/tonic/Cargo.toml
index 8c693baab..5c91b4d13 100644
--- a/tonic/Cargo.toml
+++ b/tonic/Cargo.toml
@@ -27,7 +27,7 @@ codegen = ["dep:async-trait"]
 gzip = ["dep:flate2"]
 default = ["transport", "codegen", "prost"]
 prost = ["dep:prost"]
-tls = ["dep:rustls-pemfile", "transport", "dep:tokio-rustls", "dep:rustls", "tokio/rt", "tokio/macros"]
+tls = ["dep:rustls-pemfile", "transport", "dep:tokio-rustls", "tokio/rt", "tokio/macros"]
 tls-roots = ["tls-roots-common", "dep:rustls-native-certs"]
 tls-roots-common = ["tls"]
 tls-webpki-roots = ["tls-roots-common", "dep:webpki-roots"]
@@ -78,9 +78,8 @@ axum = {version = "0.6.9", default_features = false, optional = true}
 # rustls
 async-stream = { version = "0.3", optional = true }
 rustls-pemfile = { version = "1.0", optional = true }
-rustls-native-certs = { version = "0.6.1", optional = true }
+rustls-native-certs = { version = "0.6.3", optional = true }
 tokio-rustls = { version = "0.24", optional = true }
-rustls = { version = "0.21.6", optional = true }
 webpki-roots = { version = "0.25.0", optional = true }
 
 # compression
diff --git a/tonic/src/transport/service/tls.rs b/tonic/src/transport/service/tls.rs
index 14796b4b5..f956132fb 100644
--- a/tonic/src/transport/service/tls.rs
+++ b/tonic/src/transport/service/tls.rs
@@ -3,8 +3,6 @@ use crate::transport::{
     server::{Connected, TlsStream},
     Certificate, Identity,
 };
-#[cfg(feature = "tls-roots")]
-use rustls_native_certs;
 use std::{fmt, sync::Arc};
 use tokio::io::{AsyncRead, AsyncWrite};
 use tokio_rustls::{
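Review bot: Dropping `dep:rustls` from the `tls` feature (first hunk) together with the `rustls = { version = "0.21.6", optional = true }` line (second hunk) removes the crate's only explicit version floor on rustls; the rustls version that actually gets linked is now whatever `tokio-rustls = "0.24"` resolves. If `0.21.6` was chosen to pick up a specific rustls fix, that guarantee is gone and nothing in Cargo.toml records the dependency any more. A comment on the `tokio-rustls` entry, `# rustls itself is pulled in (and version-bounded) through tokio-rustls`, would make the indirection visible to the next person auditing the TLS dependency set, and it is worth confirming that tokio-rustls 0.24's own rustls requirement is no lower than the floor being removed.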
@@ -38,30 +36,19 @@ impl TlsConnector {
         let mut roots = RootCertStore::empty();
 
         #[cfg(feature = "tls-roots")]
-        {
-            match rustls_native_certs::load_native_certs() {
-                Ok(certs) => roots.add_parsable_certificates(
-                    &certs.into_iter().map(|cert| cert.0).collect::>(),
-                ),
-                Err(error) => return Err(error.into()),
-            };
-        }
+        roots.add_parsable_certificates(&rustls_native_certs::load_native_certs()?);
 
         #[cfg(feature = "tls-webpki-roots")]
-        {
-            use tokio_rustls::rustls::OwnedTrustAnchor;
-
-            roots.add_trust_anchors(webpki_roots::TLS_SERVER_ROOTS.iter().map(|ta| {
-                OwnedTrustAnchor::from_subject_spki_name_constraints(
-                    ta.subject,
-                    ta.spki,
-                    ta.name_constraints,
-                )
-            }));
-        }
+        roots.add_trust_anchors(webpki_roots::TLS_SERVER_ROOTS.iter().map(|ta| {
+            tokio_rustls::rustls::OwnedTrustAnchor::from_subject_spki_name_constraints(
+                ta.subject,
+                ta.spki,
+                ta.name_constraints,
+            )
+        }));
 
         if let Some(cert) = ca_cert {
-            rustls_keys::add_certs_from_pem(std::io::Cursor::new(&cert.pem[..]), &mut roots)?;
+            rustls_keys::add_certs_from_pem(std::io::Cursor::new(cert.as_ref()), &mut roots)?;
         }
 
         let builder = builder.with_root_certificates(roots);
@@ -127,7 +114,7 @@ impl TlsAcceptor {
             (Some(cert), true) => {
                 use tokio_rustls::rustls::server::AllowAnyAnonymousOrAuthenticatedClient;
                 let mut roots = RootCertStore::empty();
-                rustls_keys::add_certs_from_pem(std::io::Cursor::new(&cert.pem[..]), &mut roots)?;
+                rustls_keys::add_certs_from_pem(std::io::Cursor::new(cert.as_ref()), &mut roots)?;
                 builder.with_client_cert_verifier(
                     AllowAnyAnonymousOrAuthenticatedClient::new(roots).boxed(),
                 )
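Review bot: The new `roots.add_parsable_certificates(&rustls_native_certs::load_native_certs()?);` line under `#[cfg(feature = "tls-roots")]` discards the `(added, ignored)` counts the call returns, so a native store that yields nothing parseable (or only unparseable entries) leaves `roots` empty and the client fails later, per connection, with an unknown-issuer error that does not say why. The old block had the same gap, but since this is the line being rewritten it is the place to bind the result, `let (_added, ignored) = roots.add_parsable_certificates(...);`, and surface a non-zero `ignored` through the crate's logging. Independently of that, a cheap guard just before `let builder = builder.with_root_certificates(roots);` — `if roots.is_empty() { return Err(/* dedicated TlsError variant */); }` — would turn a misconfigured trust store into an error at construction time instead of at first use, unless an empty store is intentionally permitted here. The enclosing constructor starts before this hunk and continues after it.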
@@ -135,7 +122,7 @@ impl TlsAcceptor {
             (Some(cert), false) => {
                 use tokio_rustls::rustls::server::AllowAnyAuthenticatedClient;
                 let mut roots = RootCertStore::empty();
-                rustls_keys::add_certs_from_pem(std::io::Cursor::new(&cert.pem[..]), &mut roots)?;
+                rustls_keys::add_certs_from_pem(std::io::Cursor::new(cert.as_ref()), &mut roots)?;
                 builder.with_client_cert_verifier(AllowAnyAuthenticatedClient::new(roots).boxed())
             }
         };
@@ -207,7 +194,7 @@ mod rustls_keys {
         identity: Identity,
     ) -> Result<(Vec, PrivateKey), crate::Error> {
         let cert = {
-            let mut cert = std::io::Cursor::new(&identity.cert.pem[..]);
+            let mut cert = std::io::Cursor::new(identity.cert.as_ref());
             match rustls_pemfile::certs(&mut cert) {
                 Ok(certs) => certs.into_iter().map(Certificate).collect(),
                 Err(_) => return Err(Box::new(TlsError::CertificateParseError)),
@@ -215,7 +202,7 @@ mod rustls_keys {
         };
 
         let key = {
-            let key = std::io::Cursor::new(&identity.key[..]);
+            let key = std::io::Cursor::new(identity.key.as_ref());
             match load_rustls_private_key(key) {
                 Ok(key) => key,
                 Err(e) => {
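Review bot: In the identity loader (hunk `@@ -207,7 +194,7 @@`), `rustls_pemfile::certs(&mut cert)` returns `Ok` with an empty vector when the input has no CERTIFICATE blocks at all — a key-only file or the wrong file handed in as `identity.cert` — so the `Ok(certs)` arm produces an empty chain and `TlsError::CertificateParseError` never fires; the failure only shows up later from rustls with a less specific message. Adding a guard arm ahead of the existing one, `Ok(certs) if certs.is_empty() => return Err(Box::new(TlsError::CertificateParseError)),`, reports the misconfiguration at the point where the PEM is actually read. The same check is worth applying to `add_certs_from_pem` used by the two `TlsAcceptor` hunks above, which is not visible in this diff. The function's signature begins above the hunk and its body continues past it.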