diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index e7047d64..d5401123 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -23,7 +23,7 @@ jobs:
             cross: true
             target_file: target/x86_64-unknown-linux-musl/release/quill
             asset_name: quill-linux-x86_64-musl
-            features: [static-ssl]
+            features: []
           - os: windows-latest
             name: windows
             target_file: target/release/quill.exe
@@ -40,7 +40,7 @@ jobs:
             cross: true
             target_file: target/arm-unknown-linux-gnueabihf/release/quill
             asset_name: quill-linux-arm32
-            features: [static-ssl, hsm]
+            features: [hsm]
           - os: ubuntu-latest
             name: linux
             target_file: target/release/quill
@@ -78,7 +78,7 @@ jobs:
           command: build
           args: |
             ${{ matrix.target && format('--target {0}', matrix.target) }} 
-            ${{ matrix.features && format('--no-default-features --features {0}', join(matrix.features)) }}
+            ${{ matrix.features && format('--no-default-features --features "{0}"', join(matrix.features)) }}
             --release --locked
 
       - name: Upload binaries to release
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index f8efc90d..7409827b 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -30,4 +30,4 @@ Every change to the command-line interface must contain documentation; we use `c
 
 ## Miscellaneous
 
-Quill employs optional Cargo features for different platforms. Ensure your contribution builds (and lints) on all configurations - this can be automated with the [`cargo-hack`](https://github.com/taiki-e/cargo-hack) tool, as `cargo hack clippy --feature-powerset --features static-ssl`.
+Quill employs optional Cargo features for different platforms. Ensure your contribution builds (and lints) on all configurations - this can be automated with the [`cargo-hack`](https://github.com/taiki-e/cargo-hack) tool, as `cargo hack clippy --feature-powerset`.
diff --git a/Cargo.lock b/Cargo.lock
index bde6f44a..687b046a 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1499,21 +1499,6 @@ version = "1.0.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "3f9eec918d3f24069decb9af1554cad7c880e2da24a9afd88aca000531ab82c1"
 
-[[package]]
-name = "foreign-types"
-version = "0.3.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f6f339eb8adc052cd2ca78910fda869aefa38d22d5cb648e6485e4d3fc06f3b1"
-dependencies = [
- "foreign-types-shared",
-]
-
-[[package]]
-name = "foreign-types-shared"
-version = "0.1.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "00b0228411908ca8685dba7fc2cdd70ec9990a6e753e89b6ac91a84c40fbaf4b"
-
 [[package]]
 name = "form_urlencoded"
 version = "1.2.1"
@@ -4040,54 +4025,6 @@ version = "0.3.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "624a8340c38c1b80fd549087862da4ba43e08858af025b236e509b6649fc13d5"
 
-[[package]]
-name = "openssl"
-version = "0.10.63"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "15c9d69dd87a29568d4d017cfe8ec518706046a05184e5aea92d0af890b803c8"
-dependencies = [
- "bitflags 2.4.2",
- "cfg-if",
- "foreign-types",
- "libc",
- "once_cell",
- "openssl-macros",
- "openssl-sys",
-]
-
-[[package]]
-name = "openssl-macros"
-version = "0.1.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "a948666b637a0f465e8564c73e89d4dde00d72d4d473cc972f390fc3dcee7d9c"
-dependencies = [
- "proc-macro2",
- "quote",
- "syn 2.0.48",
-]
-
-[[package]]
-name = "openssl-src"
-version = "300.2.1+3.2.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3fe476c29791a5ca0d1273c697e96085bbabbbea2ef7afd5617e78a4b40332d3"
-dependencies = [
- "cc",
-]
-
-[[package]]
-name = "openssl-sys"
-version = "0.9.99"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "22e1bf214306098e4832460f797824c05d25aacdf896f64a985fb0fd992454ae"
-dependencies = [
- "cc",
- "libc",
- "openssl-src",
- "pkg-config",
- "vcpkg",
-]
-
 [[package]]
 name = "os_str_bytes"
 version = "6.6.1"
@@ -4603,7 +4540,6 @@ dependencies = [
  "ledger-transport-hid",
  "num-bigint 0.4.4",
  "once_cell",
- "openssl",
  "pem 1.1.1",
  "qrcodegen",
  "rand",
@@ -4615,6 +4551,7 @@ dependencies = [
  "serde_cbor",
  "serde_json",
  "serial_test",
+ "sha2 0.10.8",
  "sha3",
  "shellwords",
  "simple_asn1",
@@ -5943,12 +5880,6 @@ version = "1.7.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "f00cc9702ca12d3c81455259621e676d0f7251cec66a21e98fe2e9a37db93b2a"
 
-[[package]]
-name = "vcpkg"
-version = "0.2.15"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "accd4ea62f7bb7a82fe23066fb0957d48ef677f6eeb8215f372f52e48bb32426"
-
 [[package]]
 name = "version_check"
 version = "0.9.4"
diff --git a/Cargo.toml b/Cargo.toml
index c25531c8..52ec9c3e 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -49,7 +49,6 @@ ledger-apdu = { version = "0.10", optional = true }
 ledger-transport-hid = { version = "0.10", optional = true }
 num-bigint = "0.4.3"
 once_cell = "1.17.1"
-openssl = "0.10.48"
 pem = "1.0.1"
 qrcodegen = "1.8"
 rand = { version = "0.8.4", features = ["getrandom"] }
@@ -61,6 +60,7 @@ serde = { version = "1.0.130", features = ["derive"] }
 serde_bytes = "0.11.2"
 serde_cbor = "0.11.2"
 serde_json = "1.0.57"
+sha2 = "0.10.8"
 sha3 = "0.10.6"
 tiny-bip39 = "1.0.0"
 tokio = { version = "1.18.5", features = ["full"] }
@@ -71,10 +71,9 @@ shellwords = "1"
 serial_test = "2.0.0"
 
 [features]
-static-ssl = ["openssl/vendored"]
 hsm = ["dep:ic-identity-hsm"]
 ledger = ["dep:hidapi", "dep:ledger-apdu", "dep:ledger-transport-hid"]
-default = ["static-ssl", "hsm", "ledger"]
+default = ["hsm", "ledger"]
 
 [profile.release]
 opt-level = 2
diff --git a/README.md b/README.md
index d8aefeb6..6d2a984a 100644
--- a/README.md
+++ b/README.md
@@ -126,22 +126,15 @@ cargo build --release --locked
 
 After this, find the binary at `target/release/quill`.
 
-Quill has three optional features, all activated by default:
+Quill has two optional features, all activated by default:
 
-- `static-ssl`, to build OpenSSL from source instead of dynamically linking a preinstalled version (requires a C compiler)
 - `hsm`, to enable PKCS#11 HSM support (requires runtime dynamic linking)
 - `ledger`, to enable Ledger Nano support (requires runtime dynamic linking, and incompatible with armv6)
 
-To build a version of Quill that links OpenSSL dynamically, but retains HSM support, run:
-
-```sh
-cargo build --release --locked --no-default-features --features hsm,ledger
-```
-
 To build a version of Quill compatible with statically-linked-only environments, such as Alpine, run:
 
 ```sh
-cargo build --release --locked --no-default-features --feature static-ssl
+cargo build --release --locked --no-default-features
 ```
 
 ### Building with Docker/Podman
diff --git a/scripts/workflows/provision-linux-build.sh b/scripts/workflows/provision-linux-build.sh
index 20ca6664..9ede377c 100755
--- a/scripts/workflows/provision-linux-build.sh
+++ b/scripts/workflows/provision-linux-build.sh
@@ -12,4 +12,4 @@ if [[ $# = 1 ]]; then # docker
 fi
 
 sudo apt-get update -y
-sudo apt-get install "libudev-dev${arch-}" libssl-dev -y
+sudo apt-get install "libudev-dev${arch-}" -y
diff --git a/scripts/workflows/provision-windows-build.ps1 b/scripts/workflows/provision-windows-build.ps1
index e280a203..12508285 100755
--- a/scripts/workflows/provision-windows-build.ps1
+++ b/scripts/workflows/provision-windows-build.ps1
@@ -1,7 +1,4 @@
 Set-StrictMode -Version 2
 $ErrorActionPreference = 'Stop'
 
-vcpkg integrate install
-vcpkg install openssl:x64-windows-static-md
-'OPENSSL_DIR=C:\vcpkg\installed\x64-windows-static-md' >> $env:GITHUB_ENV
-'OPENSSL_STATIC=Yes' >> $env:GITHUB_ENV
+# nothing for now
diff --git a/src/commands/ckbtc.rs b/src/commands/ckbtc.rs
index 1967c3b9..68587131 100644
--- a/src/commands/ckbtc.rs
+++ b/src/commands/ckbtc.rs
@@ -4,8 +4,8 @@ use anyhow::bail;
 use candid::{Nat, Principal};
 use clap::Subcommand;
 use icrc_ledger_types::icrc1::account::Account;
-use openssl::sha::Sha256;
 use rust_decimal::Decimal;
+use sha2::{Digest, Sha256};
 
 use crate::lib::{ckbtc_minter_canister_id, AnyhowResult, AuthInfo};
 
@@ -83,13 +83,13 @@ impl FromStr for Btc {
 fn ckbtc_withdrawal_address(user: &Principal, testnet: bool) -> Account {
     const DOMAIN: &str = "ckbtc";
     let mut hasher = Sha256::new();
-    hasher.update(&[DOMAIN.len() as u8]);
+    hasher.update([DOMAIN.len() as u8]);
     hasher.update(DOMAIN.as_bytes());
     hasher.update(user.as_slice());
-    hasher.update(&[0; 8]);
+    hasher.update([0; 8]);
     Account {
         owner: ckbtc_minter_canister_id(testnet),
-        subaccount: Some(hasher.finish()),
+        subaccount: Some(hasher.finalize().into()),
     }
 }
 
diff --git a/src/commands/claim_neurons.rs b/src/commands/claim_neurons.rs
index 9828e73b..3253ff8e 100644
--- a/src/commands/claim_neurons.rs
+++ b/src/commands/claim_neurons.rs
@@ -5,11 +5,10 @@ use crate::lib::{
     signing::{sign_ingress_with_request_status_query, IngressWithRequestId},
     AnyhowResult, AuthInfo, ROLE_NNS_GTC,
 };
-use anyhow::anyhow;
+use anyhow::{anyhow, Context};
 use candid::Encode;
 use clap::Parser;
-use openssl::bn::BigNumContext;
-use openssl::ec::{EcKey, PointConversionForm};
+use k256::{elliptic_curve::sec1::ToEncodedPoint, SecretKey};
 
 /// Claim seed neurons from the Genesis Token Canister.
 #[derive(Parser)]
@@ -17,16 +16,15 @@ pub struct ClaimNeuronOpts;
 
 pub fn exec(auth: &AuthInfo) -> AnyhowResult<Vec<IngressWithRequestId>> {
     if let AuthInfo::PemFile(pem) = auth {
-        let private_key = EcKey::private_key_from_pem(pem.as_bytes())?;
-        let group = private_key.group();
-        let public_key = EcKey::from_public_key(group, private_key.public_key())?;
-        let mut context = BigNumContext::new()?;
-        let bytes = public_key.public_key().to_bytes(
-            public_key.group(),
-            PointConversionForm::UNCOMPRESSED,
-            &mut context,
-        )?;
-        let sig = Encode!(&hex::encode(bytes))?;
+        let keyinfo = pem::parse_many(pem)?
+            .into_iter()
+            .find(|p| p.tag == "EC PRIVATE KEY")
+            .context("Pem file did not contain sec1 key")?;
+        let point = SecretKey::from_sec1_der(&keyinfo.contents)
+            .map_err(|e| anyhow!("could not load pem file: {e}"))?
+            .public_key()
+            .to_encoded_point(false);
+        let sig = Encode!(&hex::encode(point.as_bytes()))?;
 
         Ok(vec![sign_ingress_with_request_status_query(
             auth,
diff --git a/src/commands/neuron_stake.rs b/src/commands/neuron_stake.rs
index f3f6c461..42d70df1 100644
--- a/src/commands/neuron_stake.rs
+++ b/src/commands/neuron_stake.rs
@@ -14,6 +14,7 @@ use candid::{CandidType, Encode, Principal};
 use clap::Parser;
 use ic_nns_constants::GOVERNANCE_CANISTER_ID;
 use icp_ledger::{AccountIdentifier, Subaccount, Tokens};
+use sha2::{Digest, Sha256};
 
 #[derive(CandidType)]
 pub struct ClaimOrRefreshNeuronFromAccount {
@@ -103,13 +104,12 @@ pub fn exec(auth: &AuthInfo, opts: StakeOpts) -> AnyhowResult<Vec<IngressWithReq
 // This function _must_ correspond to how the governance canister computes the
 // subaccount.
 fn get_neuron_subaccount(controller: &Principal, nonce: u64) -> Subaccount {
-    use openssl::sha::Sha256;
     let mut data = Sha256::new();
-    data.update(&[0x0c]);
+    data.update([0x0c]);
     data.update(b"neuron-stake");
     data.update(controller.as_slice());
-    data.update(&nonce.to_be_bytes());
-    Subaccount(data.finish())
+    data.update(nonce.to_be_bytes());
+    Subaccount(data.finalize().into())
 }
 
 fn convert_name_to_nonce(name: &str) -> u64 {