diff --git a/convert_ec_to_pkcs8.sh b/convert_ec_to_pkcs8.sh
deleted file mode 100755
index 82b138d..0000000
--- a/convert_ec_to_pkcs8.sh
+++ /dev/null
@@ -1,10 +0,0 @@
-#!/bin/bash
-
-in_key=$1
-out_key=$2
-if [[ $1 = "" ]] || [[ $2 = "" ]]; then
- echo "Usage: $0 "
- exit 1
-fi
-
-openssl pkcs8 -topk8 -nocrypt -in "$in_key" -out "$out_key"
diff --git a/src/pem_util.rs b/src/pem_util.rs
index cec255e..19efc79 100644
--- a/src/pem_util.rs
+++ b/src/pem_util.rs
@@ -1,6 +1,8 @@
+use anyhow::bail;
 use anyhow::Context;
 use anyhow::Result;
 use rustls::{Certificate, PrivateKey};
+use rustls_pemfile::Item;
 use std::{fs::File, io::BufReader};
 pub fn load_certificates_from_pem(path: &str) -> Result> {
@@ -13,12 +15,13 @@ pub fn load_certificates_from_pem(path: &str) -> Result> {
 pub fn load_private_key_from_pem(path: &str) -> Result {
 let file = File::open(path)?;
 let mut reader = BufReader::new(&file);
- let mut keys = rustls_pemfile::pkcs8_private_keys(&mut reader)?;
- if keys.is_empty() {
- let mut reader = BufReader::new(&file);
- keys = rustls_pemfile::rsa_private_keys(&mut reader)?;
- }
- let first_key = keys.first().context("failed to load private key")?;
- Ok(PrivateKey(first_key.to_owned()))
+ let key = match rustls_pemfile::read_one(&mut reader).context("failed to read private key")? {
+ Some(Item::RSAKey(key)) => key,
+ Some(Item::PKCS8Key(key)) => key,
+ Some(Item::ECKey(key)) => key,
+ _ => bail!("unexpected private key"),
+ };
+
+ Ok(PrivateKey(key.to_owned()))
 }
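Review bot: In load_private_key_from_pem, `read_one` is called once and the `_ => bail!("unexpected private key")` arm covers both `None` (no PEM section at all) and a non-key first section, so a combined file with the certificate ahead of the key is now rejected, whereas the removed `pkcs8_private_keys` call scanned the whole file. Looping until a key item or `None`, and giving the `None` case its own message that names `path`, would keep that behaviour and make a misconfigured key file easier to diagnose. `key` looks already owned here, so `Ok(PrivateKey(key))` avoids `to_owned()` leaving a second copy of the key bytes on the heap.

```rust
    let mut reader = BufReader::new(&file);
    // Skip non-key PEM sections (e.g. a leading certificate) until a key is found.
    let key = loop {
        match rustls_pemfile::read_one(&mut reader).context("failed to read private key")? {
            Some(Item::RSAKey(key))
            | Some(Item::PKCS8Key(key))
            | Some(Item::ECKey(key)) => break key,
            Some(_) => continue,
            None => bail!("no private key found in {}", path),
        }
    };

    Ok(PrivateKey(key))
```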