diff --git a/libfreerdp/core/connection.c b/libfreerdp/core/connection.c index 319491d19..370838e27 100644 --- a/libfreerdp/core/connection.c +++ b/libfreerdp/core/connection.c @@ -39,6 +39,9 @@ #include #include "../crypto/crypto.h" +#include "../crypto/privatekey.h" +#include "../crypto/certificate.h" + #include "utils.h" #define TAG FREERDP_TAG("core.connection") @@ -698,16 +701,15 @@ static const BYTE fips_ivec[8] = { 0x12, 0x34, 0x56, 0x78, 0x90, 0xAB, 0xCD, 0xE static BOOL rdp_client_establish_keys(rdpRdp* rdp) { - BYTE* mod; - BYTE* exp; - wStream* s; - UINT32 length; - UINT32 key_len; + BYTE* mod = NULL; + BYTE* exp = NULL; + wStream* s = NULL; + UINT32 length = 0; + UINT32 key_len = 0; int status = 0; BOOL ret = FALSE; - rdpSettings* settings; + rdpSettings* settings = rdp->settings; BYTE* crypt_client_random = NULL; - settings = rdp->settings; if (!settings->UseRdpSecurityLayer) { @@ -724,8 +726,9 @@ static BOOL rdp_client_establish_keys(rdpRdp* rdp) return FALSE; winpr_RAND(settings->ClientRandom, settings->ClientRandomLength); - WINPR_ASSERT(settings->RdpServerCertificate); - const rdpCertInfo* info = &settings->RdpServerCertificate->cert_info; + const rdpCertInfo* info = freerdp_certificate_get_info(settings->RdpServerCertificate); + if (!info) + return FALSE; /* * client random must be (bitlen / 8) + 8 - see [MS-RDPBCGR] 5.3.4.1 @@ -829,7 +832,7 @@ static BOOL rdp_update_client_random(rdpSettings* settings, const BYTE* crypt_ra const rdpRsaKey* rsa = freerdp_settings_get_pointer(settings, FreeRDP_RdpServerRsaKey); WINPR_ASSERT(rsa); - const rdpCertInfo* cinfo = &rsa->cert; + const rdpCertInfo* cinfo = freerdp_key_get_info(rsa); WINPR_ASSERT(cinfo); if (crypt_random_len != cinfo->ModulusLength + 8) diff --git a/libfreerdp/core/gateway/http.c b/libfreerdp/core/gateway/http.c index 33d5a5031..c8614a494 100644 --- a/libfreerdp/core/gateway/http.c +++ b/libfreerdp/core/gateway/http.c 
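Review bot: The new `if (!info) return FALSE;` in rdp_client_establish_keys aborts the key exchange without a log entry, so a server certificate with no usable public-key info looks the same as the other early `return FALSE` paths when triaging a failed connection. I would log it under the file's existing TAG before returning, e.g. `if (!info) { WLog_ERR(TAG, "server certificate has no public key info"); return FALSE; }`. The placement is sound, since the check precedes the client-random sizing described in the comment that follows. The rest of the function lies outside the hunk.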
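Review bot: In rdp_update_client_random the result of `freerdp_key_get_info(rsa)` is guarded only by `WINPR_ASSERT(cinfo)`, whereas the client-side hunk above handles a NULL info with `return FALSE`. The old `&rsa->cert` could not be NULL once `rsa` was checked, but the accessor presumably can return NULL. Depending on how WINPR_ASSERT is configured in a given build, that either aborts the server process or falls through to the `cinfo->ModulusLength` dereference on the next line. This path processes a peer-supplied encrypted random, so a runtime check is the safer choice: `if (!cinfo) return FALSE;`. The function body continues outside the hunk.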
@@ -27,6 +27,7 @@ #include #include +#include /* websocket need sha1 for Sec-Websocket-Accept */ #include diff --git a/libfreerdp/core/gateway/rpc.c b/libfreerdp/core/gateway/rpc.c index 56c8f867f..8176a36a9 100644 --- a/libfreerdp/core/gateway/rpc.c +++ b/libfreerdp/core/gateway/rpc.c @@ -30,8 +30,6 @@ #include -#include - #ifdef FREERDP_HAVE_VALGRIND_MEMCHECK_H #include #endif diff --git a/libfreerdp/core/gcc.c b/libfreerdp/core/gcc.c index 0e52f3561..3b05767ac 100644 --- a/libfreerdp/core/gcc.c +++ b/libfreerdp/core/gcc.c @@ -27,10 +27,13 @@ #include #include +#include #include "utils.h" #include "gcc.h" -#include "certificate.h" +#include "nego.h" + +#include "../crypto/certificate.h" #define TAG FREERDP_TAG("core.gcc") @@ -1638,7 +1641,7 @@ BOOL gcc_read_server_security_data(wStream* s, rdpMcs* mcs) data = settings->ServerCertificate; length = settings->ServerCertificateLength; - if (!certificate_read_server_certificate(settings->RdpServerCertificate, data, length)) + if (!freerdp_certificate_read_server_cert(settings->RdpServerCertificate, data, length)) goto fail; return TRUE; @@ -1822,7 +1825,7 @@ BOOL gcc_write_server_security_data(wStream* s, rdpMcs* mcs) Stream_Seek_UINT32(s); /* serverCertLen */ Stream_Write(s, settings->ServerRandom, settings->ServerRandomLength); - const SSIZE_T len = certificate_write_server_certificate( + const SSIZE_T len = freerdp_certificate_write_server_cert( settings->RdpServerCertificate, CERT_TEMPORARILY_ISSUED | CERT_CHAIN_VERSION_1, s); if (len < 0) return FALSE; diff --git a/libfreerdp/core/peer.c b/libfreerdp/core/peer.c index 4d9be9e58..98ad4eeab 100644 --- a/libfreerdp/core/peer.c +++ b/libfreerdp/core/peer.c @@ -26,11 +26,11 @@ #include "info.h" #include "display.h" -#include "certificate.h" #include #include #include +#include #include "rdp.h" #include "peer.h" 
@@ -250,7 +250,7 @@ static BOOL freerdp_peer_initialize(freerdp_peer* client) if (settings->PrivateKeyFile) { - settings->RdpServerRsaKey = key_new(settings->PrivateKeyFile); + settings->RdpServerRsaKey = freerdp_key_new_from_file(settings->PrivateKeyFile); if (!settings->RdpServerRsaKey) { @@ -260,7 +260,7 @@ static BOOL freerdp_peer_initialize(freerdp_peer* client) } else if (settings->PrivateKeyContent) { - settings->RdpServerRsaKey = key_new_from_content(settings->PrivateKeyContent, NULL); + settings->RdpServerRsaKey = freerdp_key_new_from_pem(settings->PrivateKeyContent); if (!settings->RdpServerRsaKey) {