diff --git a/ntp-proto/src/nts_record.rs b/ntp-proto/src/nts_record.rs
index 72fec91e7..ec7abaacc 100644
--- a/ntp-proto/src/nts_record.rs
+++ b/ntp-proto/src/nts_record.rs
@@ -1328,7 +1328,7 @@ pub struct KeyExchangeServer {
     state: State,
     keyset: Arc<KeySet>,
     #[cfg(feature = "nts-pool")]
-    pool_certificates: Arc<Vec<rustls::Certificate>>,
+    pool_certificates: Arc<[rustls::Certificate]>,
 }
 
 #[derive(Debug)]
@@ -1552,7 +1552,7 @@ impl KeyExchangeServer {
     pub fn new(
         tls_config: Arc<rustls::ServerConfig>,
         keyset: Arc<KeySet>,
-        pool_certificates: Arc<Vec<rustls::Certificate>>,
+        pool_certificates: Arc<[rustls::Certificate]>,
     ) -> Result<Self, KeyExchangeError> {
         // Ensure we send only ntske/1 as alpn
         debug_assert_eq!(tls_config.alpn_protocols, &[b"ntske/1".to_vec()]);
@@ -2475,7 +2475,7 @@ mod test {
         let client =
             KeyExchangeClient::new_without_tls_write("localhost".into(), clientconfig).unwrap();
         let server =
-            KeyExchangeServer::new(Arc::new(serverconfig), keyset, Arc::new(pool_cert)).unwrap();
+            KeyExchangeServer::new(Arc::new(serverconfig), keyset, pool_cert.into()).unwrap();
 
         (client, server)
     }
diff --git a/ntpd/src/daemon/keyexchange.rs b/ntpd/src/daemon/keyexchange.rs
index 8aed3242d..debd5e64a 100644
--- a/ntpd/src/daemon/keyexchange.rs
+++ b/ntpd/src/daemon/keyexchange.rs
@@ -165,7 +165,7 @@ async fn key_exchange_server(
     let listener = TcpListener::bind(&address).await?;
 
     let config = build_server_config(certificate_chain, private_key)?;
-    let pool_certs = Arc::new(pool_certs);
+    let pool_certs = Arc::<[_]>::from(pool_certs);
 
     loop {
         let (stream, peer_addr) = listener.accept().await?;
@@ -334,7 +334,7 @@ where
         io: IO,
         config: Arc<rustls::ServerConfig>,
         keyset: Arc<KeySet>,
-        pool_certs: Arc<Vec<rustls::Certificate>>,
+        pool_certs: Arc<[rustls::Certificate]>,
     ) -> Result<Self, KeyExchangeError> {
         let data = BoundKeyExchangeServerData {
             io,
@@ -349,7 +349,7 @@ where
         io: IO,
         config: Arc<rustls::ServerConfig>,
         keyset: Arc<KeySet>,
-        pool_certs: Arc<Vec<rustls::Certificate>>,
+        pool_certs: Arc<[rustls::Certificate]>,
     ) -> Result<(), KeyExchangeError> {
         let this = Self::new(io, config, keyset, pool_certs)?;
 
@@ -723,7 +723,7 @@ mod tests {
         let private_key = private_key_from_bufread(pk.as_slice()).unwrap().unwrap();
 
         let config = build_server_config(certificate_chain, private_key).unwrap();
-        let pool_certs = Arc::new(vec![]);
+        let pool_certs = Arc::<[_]>::from(vec![]);
 
         let (stream, _) = listener.accept().await.unwrap();