diff --git a/Cargo.lock b/Cargo.lock
index a2d4fb84..2ed65d43 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -105,6 +105,7 @@ checksum = "5c953fe1ba023e6b7730c0d4b031d06f267f23a46167dcbd40316644b10a17ba"
 dependencies = [
  "aws-lc-fips-sys",
  "aws-lc-sys",
+ "untrusted 0.7.1",
  "zeroize",
 ]
 
@@ -778,7 +779,7 @@ dependencies = [
  "cfg-if",
  "getrandom 0.2.16",
  "libc",
- "untrusted",
+ "untrusted 0.9.0",
  "windows-sys 0.52.0",
 ]
 
@@ -856,7 +857,7 @@ dependencies = [
  "aws-lc-rs",
  "ring",
  "rustls-pki-types",
- "untrusted",
+ "untrusted 0.9.0",
 ]
 
 [[package]]
@@ -992,6 +993,12 @@ version = "1.0.18"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "5a5f39404a5da50712a4c1eecf25e90dd62b613502b7e925fd4e4d19b5c96512"
 
+[[package]]
+name = "untrusted"
+version = "0.7.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a156c684c91ea7d62626509bce3cb4e1d9ed5c4d978f7b4352658f96a4c26b4a"
+
 [[package]]
 name = "untrusted"
 version = "0.9.0"
@@ -1238,6 +1245,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "eb3e137310115a65136898d2079f003ce33331a6c4b0d51f1531d1be082b6425"
 dependencies = [
  "asn1-rs",
+ "aws-lc-rs",
  "data-encoding",
  "der-parser",
  "lazy_static",
diff --git a/rcgen/Cargo.toml b/rcgen/Cargo.toml
index 0e52f9aa..dbd70cc2 100644
--- a/rcgen/Cargo.toml
+++ b/rcgen/Cargo.toml
@@ -12,11 +12,11 @@ keywords.workspace = true
 
 [features]
 default = ["crypto", "pem", "ring"]
-aws_lc_rs = ["crypto", "dep:aws-lc-rs", "aws-lc-rs/aws-lc-sys"]
+aws_lc_rs = ["crypto", "dep:aws-lc-rs", "aws-lc-rs/aws-lc-sys", "x509-parser?/verify-aws"]
 aws_lc_rs_unstable = ["aws_lc_rs", "aws-lc-rs/unstable"]
-fips = ["crypto", "dep:aws-lc-rs", "aws-lc-rs/fips"]
+fips = ["crypto", "dep:aws-lc-rs", "aws-lc-rs/fips", "x509-parser?/verify-aws"]
 crypto = []
-ring = ["crypto", "dep:ring"]
+ring = ["crypto", "dep:ring", "x509-parser?/verify"]
 
 [dependencies]
 aws-lc-rs = { workspace = true, optional = true }
@@ -24,7 +24,7 @@ pem = { workspace = true, optional = true }
 pki-types = { workspace = true }
 ring = { workspace = true, optional = true }
 time = { workspace = true }
-x509-parser = { workspace = true, features = ["verify"], optional = true }
+x509-parser = { workspace = true, optional = true }
 yasna = { workspace = true }
 zeroize = { workspace = true, optional = true }
 
diff --git a/rcgen/src/csr.rs b/rcgen/src/csr.rs
index c6cb4147..8da0d2ac 100644
--- a/rcgen/src/csr.rs
+++ b/rcgen/src/csr.rs
@@ -94,7 +94,7 @@ impl CertificateSigningRequestParams {
 	/// into [`CertificateSigningRequestDer`] using the [`Into`] trait.
 	///
 	/// [`rustls_pemfile::csr()`]: https://docs.rs/rustls-pemfile/latest/rustls_pemfile/fn.csr.html
-	#[cfg(feature = "x509-parser")]
+	#[cfg(all(feature = "x509-parser", feature = "crypto"))]
 	pub fn from_der(csr: &CertificateSigningRequestDer<'_>) -> Result<Self, Error> {
 		use crate::KeyUsagePurpose;
 		use x509_parser::prelude::FromDer;
diff --git a/rustls-cert-gen/Cargo.toml b/rustls-cert-gen/Cargo.toml
index 28f7c300..ea043735 100644
--- a/rustls-cert-gen/Cargo.toml
+++ b/rustls-cert-gen/Cargo.toml
@@ -12,10 +12,10 @@ keywords.workspace = true
 
 [features]
 default = ["ring"]
-aws_lc_rs = ["dep:aws-lc-rs", "rcgen/aws_lc_rs", "aws-lc-rs/aws-lc-sys"]
+aws_lc_rs = ["dep:aws-lc-rs", "rcgen/aws_lc_rs", "aws-lc-rs/aws-lc-sys", "x509-parser/verify-aws"]
 aws_lc_rs_unstable = ["rcgen/aws_lc_rs_unstable"]
-fips = ["dep:aws-lc-rs", "rcgen/aws_lc_rs", "aws-lc-rs/fips"]
-ring = ["dep:ring", "rcgen/ring"]
+fips = ["dep:aws-lc-rs", "rcgen/aws_lc_rs", "aws-lc-rs/fips", "x509-parser/verify-aws"]
+ring = ["dep:ring", "rcgen/ring", "x509-parser/verify"]
 
 [dependencies]
 anyhow = { workspace = true }
@@ -28,4 +28,4 @@ ring = { workspace = true, optional = true }
 
 [dev-dependencies]
 assert_fs = { workspace = true }
-x509-parser = { workspace = true, features = ["verify"] }
+x509-parser = { workspace = true }