diff --git a/.deny.toml b/.deny.toml
index 7cdf0cf99..6d060caf7 100644
--- a/.deny.toml
+++ b/.deny.toml
@@ -7,6 +7,8 @@ db-urls = ["https://github.com/rustsec/advisory-db"]
 ignore = [
   # burn depends on an unmaintained package 'paste'
   "RUSTSEC-2024-0436",
+  # removing rustls-pemfile requires an update to our linkcheck fork
+  "RUSTSEC-2025-0134",
 ]
 
 [licenses]
diff --git a/Cargo.lock b/Cargo.lock
index e9c74f6ea..abfa9b72e 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -133,9 +133,9 @@ dependencies = [
  "rand 0.9.2",
  "rayon",
  "regex",
- "reqwest 0.12.23",
+ "reqwest 0.12.28",
  "rusqlite",
- "rustls-pemfile 2.2.0",
+ "rustls-pki-types",
  "scopeguard",
  "serde",
  "serde-aux",
@@ -3672,7 +3672,7 @@ dependencies = [
  "itertools 0.14.0",
  "linkcheck",
  "regex",
- "reqwest 0.12.23",
+ "reqwest 0.12.28",
  "strum 0.27.2",
  "tokio",
 ]
@@ -4136,7 +4136,7 @@ dependencies = [
  "maplit",
  "num_cpus",
  "regex",
- "reqwest 0.12.23",
+ "reqwest 0.12.28",
  "serde_json",
  "sha2",
  "walkdir",
@@ -5408,7 +5408,7 @@ dependencies = [
  "once_cell",
  "percent-encoding",
  "pin-project-lite",
- "rustls-pemfile 1.0.4",
+ "rustls-pemfile",
  "serde",
  "serde_json",
  "serde_urlencoded",
@@ -5426,9 +5426,9 @@ dependencies = [
 
 [[package]]
 name = "reqwest"
-version = "0.12.23"
+version = "0.12.28"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d429f34c8092b2d42c7c93cec323bb4adeb7c67698f70839adec842ec10c7ceb"
+checksum = "eddd3ca559203180a307f12d114c268abf583f59b03cb906fd0b3ff8646c1147"
 dependencies = [
  "base64 0.22.1",
  "bytes",
@@ -5556,7 +5556,7 @@ dependencies = [
  "clap",
  "flate2",
  "junction",
- "reqwest 0.12.23",
+ "reqwest 0.12.28",
  "sha2",
  "tar",
  "termcolor",
@@ -5656,20 +5656,11 @@ dependencies = [
  "base64 0.21.7",
 ]
 
-[[package]]
-name = "rustls-pemfile"
-version = "2.2.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "dce314e5fee3f39953d46bb63bb8a46d40c2f8fb7cc5a3b6cab2bde9721d6e50"
-dependencies = [
- "rustls-pki-types",
-]
-
 [[package]]
 name = "rustls-pki-types"
-version = "1.12.0"
+version = "1.13.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "229a4a4c221013e7e1f1a043678c5cc39fe5171437c88fb47151a21e6f5b5c79"
+checksum = "21e6f2ab2928ca4291b86736a8bd920a277a399bba1589409d72154ff87c1282"
 dependencies = [
  "web-time",
  "zeroize",
@@ -6667,9 +6658,9 @@ dependencies = [
 
 [[package]]
 name = "tower-http"
-version = "0.6.6"
+version = "0.6.8"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "adc82fd73de2a9722ac5da747f12383d2bfdb93591ee6c58486e0097890f05f2"
+checksum = "d4e6559d53cc268e5031cd8429d05415bc4cb4aefc4aa5d6cc35fbf5b924a1f8"
 dependencies = [
  "bitflags 2.9.3",
  "bytes",
diff --git a/Cargo.toml b/Cargo.toml
index fe7f5acd5..10a1f0246 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -112,9 +112,9 @@ pyo3 = { version = "0.25.1", features = ["extension-module", "abi3", "abi3-py39"
 rand = "0.9.1"
 rayon = "1.10.0"
 regex = "1.11.1"
-reqwest = { version = "0.12.20", default-features = false, features = ["json", "socks", "stream", "multipart"] }
+reqwest = { version = "0.12.28", default-features = false, features = ["json", "socks", "stream", "multipart"] }
 rusqlite = { version = "0.36.0", features = ["trace", "functions", "collation", "bundled"] }
-rustls-pemfile = "2.2.0"
+rustls-pki-types = "1.13.2"
 scopeguard = "1.2.0"
 serde = { version = "1.0.219", features = ["derive"] }
 serde-aux = "4.7.0"
diff --git a/rslib/Cargo.toml b/rslib/Cargo.toml
index 9be9e8d87..a79fd5d50 100644
--- a/rslib/Cargo.toml
+++ b/rslib/Cargo.toml
@@ -85,7 +85,7 @@ rayon.workspace = true
 regex.workspace = true
 reqwest.workspace = true
 rusqlite.workspace = true
-rustls-pemfile.workspace = true
+rustls-pki-types.workspace = true
 scopeguard.workspace = true
 serde.workspace = true
 serde-aux.workspace = true
diff --git a/rslib/src/backend/mod.rs b/rslib/src/backend/mod.rs
index d15652675..aeab79e52 100644
--- a/rslib/src/backend/mod.rs
+++ b/rslib/src/backend/mod.rs
@@ -152,7 +152,7 @@ impl Backend {
             return Ok(());
         }
 
-        if rustls_pemfile::read_all(Cursor::new(cert_str.as_bytes()).by_ref()).count() != 1 {
+        if rustls_pki_types::pem::PemObject::from_pem_slice(cert_str.as_bytes()).is_err() {
             return Err(AnkiError::InvalidCertificateFormat);
         }