diff --git a/src/tests/verification_real_world/update_valid_ee_certs.bash b/src/tests/verification_real_world/update_valid_ee_certs.bash
deleted file mode 100755
index 0eb95beb..00000000
--- a/src/tests/verification_real_world/update_valid_ee_certs.bash
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/usr/bin/env bash
-
-set -euo pipefail
-
-DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
-
-fetch_ee_cert() {
- local domain="$1"
- local out_file="$2"
-
- echo -n |
- openssl s_client \ -connect "$domain:443" \ -servername "$domain" |
- openssl x509 \ -outform DER > "$DIR/$out_file"
-}
-
-fetch_ee_cert "my.1password.com" "1password_com_valid_1.crt"
-fetch_ee_cert "agilebits.com" "agilebits_com_valid_1.crt"
-fetch_ee_cert "lencr.org" "letsencrypt_org_valid_1.crt"
diff --git a/src/tests/verification_real_world/update_valid_ee_certs.rs b/src/tests/verification_real_world/update_valid_ee_certs.rs
new file mode 100755
index 00000000..21ee35ed
--- /dev/null
+++ b/src/tests/verification_real_world/update_valid_ee_certs.rs
@@ -0,0 +1,41 @@
+#!/usr/bin/env cargo +nightly -Z script
+```cargo
+package.edition = "2021"
+dependencies.anyhow = "1"
+dependencies.reqwest.version = "0.11"
+dependencies.reqwest.features = ["blocking"]
+```
+
+use std::{fs, path::Path};
+
+fn main() -> anyhow::Result<()> {
+ for (domain, output_path) in [
+ ("my.1password.com", "1password_com_valid_1.crt"),
+ ("agilebits.com", "agilebits_com_valid_1.crt"),
+ ("lencr.org", "letsencrypt_org_valid_1.crt"),
+ ] {
+ query(domain, output_path)?;
+ }
+ Ok(())
+}
+
+fn query(domain: &str, path: &str) -> anyhow::Result<()> {
+ let url = format!("https://{domain}");
+ let response = reqwest::blocking::Client::builder()
+ .tls_info(true)
+ // avoids agilebits.com redirect, which will result in the wrong cert...
+ // we want the cert of agilebits.com, not of 1password.com
+ .redirect(reqwest::redirect::Policy::none())
+ .build()?
+ .get(url)
+ .send()?;
+ let tls_info: Option<&reqwest::tls::TlsInfo> = response.extensions().get();
+ if let Some(tls_info) = tls_info {
+ if let Some(der) = tls_info.peer_certificate() {
+ let path = Path::new(env!("CARGO_MANIFEST_DIR")).join(path);
+ eprintln!("writing DER of {domain} to {}", path.display());
+ fs::write(path, der)?;
+ }
+ }
+ Ok(())
+}
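Review bot: `query` returns `Ok(())` when the response carries no `TlsInfo` or when `peer_certificate()` yields `None`, so a fixture that was not refreshed looks exactly like a successful run; the bash script this replaces would have failed under `set -euo pipefail` when `openssl x509` received no certificate. Making both branches hard errors preserves that signal: `let tls_info: &reqwest::tls::TlsInfo = response.extensions().get().ok_or_else(|| anyhow::anyhow!("no TLS info for {domain}"))?;` and `let der = tls_info.peer_certificate().ok_or_else(|| anyhow::anyhow!("no peer certificate for {domain}"))?;`, with the `join`, `eprintln!` and `fs::write` lines then running unconditionally. Because these DER files are the "valid EE cert" fixtures for the verification tests, a loud failure here is what keeps a stale or missing certificate from silently staying in the suite.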