diff --git a/rustls/Cargo.toml b/rustls/Cargo.toml
index 612a31803c..971e32ab6b 100644
--- a/rustls/Cargo.toml
+++ b/rustls/Cargo.toml
@@ -19,7 +19,7 @@ rustversion = { version = "1.0.6", optional = true }
 log = { version = "0.4.4", optional = true }
 ring = "0.16.20"
 sct = "0.7.0"
-webpki = { package = "rustls-webpki", version = "0.101.0", features = ["alloc", "std"] }
+webpki = { package = "rustls-webpki", version = "0.101.2", features = ["alloc", "std"] }
 
 [features]
 default = ["logging", "tls12"]
diff --git a/rustls/src/verify.rs b/rustls/src/verify.rs
index 1c9abdcc1f..8e3e065e1e 100644
--- a/rustls/src/verify.rs
+++ b/rustls/src/verify.rs
@@ -343,11 +343,13 @@ pub fn verify_server_cert_signed_by_trust_anchor(
 let webpki_now = webpki::Time::try_from(now).map_err(|_| Error::FailedToGetCurrentTime)?;
 
 cert.0
- .verify_is_valid_tls_server_cert(
+ .verify_for_usage(
 SUPPORTED_SIG_ALGS,
- &webpki::TlsServerTrustAnchors(&trust_roots),
+ &trust_roots,
 &chain,
 webpki_now,
+ webpki::KeyUsage::server_auth(),
+ &[], // no CRLs
 )
 .map_err(pki_error)
 .map(|_| ())
@@ -633,11 +635,12 @@ impl ClientCertVerifier for AllowAnyAuthenticatedClient {
 .collect::>();
 
 cert.0
- .verify_is_valid_tls_client_cert(
+ .verify_for_usage(
 SUPPORTED_SIG_ALGS,
- &webpki::TlsClientTrustAnchors(&trust_roots),
+ &trust_roots,
 &chain,
 now,
+ webpki::KeyUsage::client_auth(),
 crls.as_slice(),
 )
 .map_err(pki_error)
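Review bot: The `&[], // no CRLs` argument in `verify_server_cert_signed_by_trust_anchor` (rustls/src/verify.rs, hunk at line 343) means this path consults no revocation data for the server certificate, and the comment does not say whether that is deliberate. I would spell it out at the call, e.g. `&[], // no CRLs: server certificate revocation is not checked here`, and repeat the caveat in the function's doc comment so callers do not assume a revoked server certificate is rejected by this function. The signature and doc comment lie outside the hunk, so whether the function could accept CRLs from its caller is not visible here.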
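Review bot: A swapped usage value would now compile silently. Both call sites pass a plain `&trust_roots` to `verify_for_usage`, so `webpki::KeyUsage::client_auth()` here in `AllowAnyAuthenticatedClient` (hunk at line 633) and `KeyUsage::server_auth()` in the hunk at line 343 are all that separate client from server validation. The removed `TlsServerTrustAnchors`/`TlsClientTrustAnchors` wrappers and distinct method names made that mix-up a type error. If no existing test covers it, I would add one that presents a certificate whose extended key usage permits only server authentication to this verifier and asserts rejection, plus the mirror case for the server path. A short comment above the argument, such as `// the chain must be valid for TLS client authentication`, would also help; the enclosing method starts and ends outside the hunk.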