diff --git a/Cargo.toml b/Cargo.toml index 1fce9ca..33f2b2e 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -48,7 +48,7 @@ pgp = "0.15" pkcs8 = { version = "0.10" } reqwest = { version = "0.12", features = ["json"] } rsa = { version = "0.9.6", features = ["sha2", "pem"] } -rustls = { version = "0.23.20" } +rustls = { version = "0.23.20", default-features = false, features = ["std", "logging", "tls12", "ring"] } secp256k1 = { version = "0.30", features = ["rand", "global-context"] } serde = { version = "1", features = ["derive", "rc"] } serde_json = "1" diff --git a/bin/tee-vault-admin/src/main.rs b/bin/tee-vault-admin/src/main.rs index 6972217..d8574a9 100644 --- a/bin/tee-vault-admin/src/main.rs +++ b/bin/tee-vault-admin/src/main.rs @@ -1,5 +1,5 @@ // SPDX-License-Identifier: Apache-2.0 -// Copyright (c) 2023-2024 Matter Labs +// Copyright (c) 2023-2025 Matter Labs //! Server to handle requests to the Vault TEE 
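Review bot: The `rustls` line in the Cargo.toml hunk disables default features and selects `ring` with no comment explaining why, although the choice of crypto provider is security-relevant. Cargo unifies features across the dependency graph, so if another crate still enables rustls's default `aws-lc-rs` feature, both providers are compiled in; that is presumably why this commit also installs a process default in the binaries. I would add a comment above the line such as `# ring only: default features would pull in aws-lc-rs; binaries call install_default() for ring`, and confirm with `cargo tree -e features -i rustls` which provider features are actually enabled. The `tls12` feature keeps TLS 1.2 negotiable; if every peer is one of this workspace's own binaries, it is worth checking whether it is still needed.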
@@ -9,26 +9,27 @@ mod command; mod digest; mod sign; -use actix_web::web::Data; -use actix_web::{web, App, HttpServer}; +use actix_web::{web, web::Data, App, HttpServer}; use anyhow::{Context, Result}; use clap::Parser; use command::post_command; use digest::get_digest; use rustls::ServerConfig; use sign::post_sign; -use std::net::Ipv6Addr; -use std::sync::Arc; -use teepot::json::http::{SignRequest, VaultCommandRequest, DIGEST_URL}; -use teepot::server::attestation::{get_quote_and_collateral, VaultAttestationArgs}; -use teepot::server::new_json_cfg; -use teepot::server::pki::make_self_signed_cert; -use teepot::sgx::{parse_tcb_levels, EnumSet, TcbLevel}; +use std::{net::Ipv6Addr, sync::Arc}; +use teepot::{ + json::http::{SignRequest, VaultCommandRequest, DIGEST_URL}, + server::{ + attestation::{get_quote_and_collateral, VaultAttestationArgs}, + new_json_cfg, + pki::make_self_signed_cert, + }, + sgx::{parse_tcb_levels, EnumSet, TcbLevel}, +}; use tracing::{error, info}; use tracing_actix_web::TracingLogger; use tracing_log::LogTracer; -use tracing_subscriber::Registry; -use tracing_subscriber::{fmt, prelude::*, EnvFilter}; +use tracing_subscriber::{fmt, prelude::*, EnvFilter, Registry}; /// Server state pub struct ServerState { @@ -70,6 +71,8 @@ async fn main() -> Result<()> { // don't return for now, we can still serve requests but we won't be able to attest } + let _ = rustls::crypto::ring::default_provider().install_default(); + // init server config builder with safe defaults let config = ServerConfig::builder() .with_no_client_auth() @@ -78,8 +81,6 @@ async fn main() -> Result<()> { info!("Starting HTTPS server at port {}", args.port); - info!("Quote verified! Connection secure!"); - let server_state = Arc::new(ServerState { report_data, vault_attestation: args.attestation, diff --git a/bin/tee-vault-unseal/src/main.rs b/bin/tee-vault-unseal/src/main.rs index b3db5c4..65ffb4f 100644 --- a/bin/tee-vault-unseal/src/main.rs +++ b/bin/tee-vault-unseal/src/main.rs 
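Review bot: In the `@@ -70,6 +71,8 @@` hunk of tee-vault-admin's `main`, `let _ = rustls::crypto::ring::default_provider().install_default();` discards the result, so a provider installed earlier by other code would silently stay in effect instead of ring. The same line is added to tee-vault-unseal's `main` and to `TeeConnection::new`. `install_default()` returns `Err` when a process default already exists; in a binary's `main` that is unexpected and worth surfacing, e.g. `if rustls::crypto::ring::default_provider().install_default().is_err() { tracing::warn!("rustls crypto provider already installed; ring not selected"); }`. If ignoring the error is intended, a short comment saying so would spare the next reader the question. `main` continues outside the hunk.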
@@ -1,5 +1,5 @@ // SPDX-License-Identifier: Apache-2.0 -// Copyright (c) 2023-2024 Matter Labs +// Copyright (c) 2023-2025 Matter Labs //! Server to initialize and unseal the Vault TEE. @@ -9,27 +9,33 @@ mod init; mod unseal; -use actix_web::rt::time::sleep; -use actix_web::web::Data; -use actix_web::{web, App, HttpServer}; +use actix_web::{rt::time::sleep, web, web::Data, App, HttpServer}; use anyhow::{bail, Context, Result}; use awc::Client; use clap::Parser; use init::post_init; use rustls::ServerConfig; -use std::fmt::Debug; -use std::io::Read; -use std::net::Ipv6Addr; -use std::path::PathBuf; -use std::sync::{Arc, RwLock}; -use std::time::Duration; -use teepot::client::{AttestationArgs, TeeConnection}; -use teepot::json::http::{Init, Unseal}; -use teepot::json::secrets::AdminConfig; -use teepot::server::attestation::{get_quote_and_collateral, VaultAttestationArgs}; -use teepot::server::new_json_cfg; -use teepot::server::pki::make_self_signed_cert; -use teepot::sgx::{parse_tcb_levels, EnumSet, TcbLevel}; +use std::{ + fmt::Debug, + io::Read, + net::Ipv6Addr, + path::PathBuf, + sync::{Arc, RwLock}, + time::Duration, +}; +use teepot::{ + client::{AttestationArgs, TeeConnection}, + json::{ + http::{Init, Unseal}, + secrets::AdminConfig, + }, + server::{ + attestation::{get_quote_and_collateral, VaultAttestationArgs}, + new_json_cfg, + pki::make_self_signed_cert, + }, + sgx::{parse_tcb_levels, EnumSet, TcbLevel}, +}; use tracing::{error, info}; use tracing_log::LogTracer; use tracing_subscriber::{fmt, prelude::*, EnvFilter, Registry}; @@ -136,6 +142,8 @@ async fn main() -> Result<()> { let (report_data, cert_chain, priv_key) = make_self_signed_cert("CN=localhost", None)?; + let _ = rustls::crypto::ring::default_provider().install_default(); + // init server config builder with safe defaults let config = ServerConfig::builder() .with_no_client_auth() diff --git a/bin/vault-admin/README.md b/bin/vault-admin/README.md index 7685279..fb9151f 100644 
--- a/bin/vault-admin/README.md +++ b/bin/vault-admin/README.md @@ -9,7 +9,7 @@ Verified signature for `81A312C59D679D930FA9E8B06D728F29A2DBABF8` ❯ RUST_LOG=info cargo run -p vault-admin -- \ - send \ + command \ --sgx-mrsigner c5591a72b8b86e0d8814d6e8750e3efe66aea2d102b8ba2405365559b858697d \ --sgx-allowed-tcb-levels SwHardeningNeeded \ --server https://127.0.0.1:8444 \ diff --git a/bin/vault-admin/src/main.rs b/bin/vault-admin/src/main.rs index eb123ef..1739313 100644 --- a/bin/vault-admin/src/main.rs +++ b/bin/vault-admin/src/main.rs @@ -1,5 +1,5 @@ // SPDX-License-Identifier: Apache-2.0 -// Copyright (c) 2023-2024 Matter Labs +// Copyright (c) 2023-2025 Matter Labs use anyhow::{anyhow, bail, Context, Result}; use clap::{Args, Parser, Subcommand}; @@ -117,8 +117,6 @@ async fn main() -> Result<()> { &args.log_level, )?)?; - info!("Quote verified! Connection secure!"); - match args.cmd { SubCommands::Command(args) => send_commands(args).await?, SubCommands::SignTee(args) => send_sig_request(args).await?, diff --git a/crates/teepot/src/client/mod.rs b/crates/teepot/src/client/mod.rs index ea59e8c..dc76066 100644 --- a/crates/teepot/src/client/mod.rs +++ b/crates/teepot/src/client/mod.rs @@ -1,5 +1,5 @@ // SPDX-License-Identifier: Apache-2.0 -// Copyright (c) 2023-2024 Matter Labs +// Copyright (c) 2023-2025 Matter Labs //! Helper functions for CLI clients to verify Intel SGX enclaves and other TEEs. 
@@ -8,29 +8,36 @@ pub mod vault; -pub use crate::quote::verify_quote_with_collateral; -pub use crate::quote::QuoteVerificationResult; -use crate::quote::Report; -use crate::server::pki::{RaTlsCollateralExtension, RaTlsQuoteExtension}; -use crate::sgx::Quote; -pub use crate::sgx::{parse_tcb_levels, sgx_ql_qv_result_t, EnumSet, TcbLevel}; +use crate::{ + quote::Report, + server::pki::{RaTlsCollateralExtension, RaTlsQuoteExtension}, + sgx::Quote, +}; +pub use crate::{ + quote::{verify_quote_with_collateral, QuoteVerificationResult}, + sgx::{parse_tcb_levels, sgx_ql_qv_result_t, EnumSet, TcbLevel}, +}; use actix_web::http::header; use anyhow::Result; use awc::{Client, Connector}; use clap::Args; use const_oid::AssociatedOid; use intel_tee_quote_verification_rs::Collateral; -use rustls::client::danger::{HandshakeSignatureValid, ServerCertVerifier}; -use rustls::client::WebPkiServerVerifier; -use rustls::pki_types::{CertificateDer, ServerName, UnixTime}; -use rustls::{ClientConfig, DigitallySignedStruct, Error, SignatureScheme}; +use rustls::{ + client::{ + danger::{HandshakeSignatureValid, ServerCertVerifier}, + WebPkiServerVerifier, + }, + pki_types::{CertificateDer, ServerName, UnixTime}, + ClientConfig, DigitallySignedStruct, Error, SignatureScheme, +}; use sha2::{Digest, Sha256}; -use std::sync::Arc; -use std::time; -use std::time::Duration; +use std::{sync::Arc, time, time::Duration}; use tracing::{debug, error, info, trace, warn}; -use x509_cert::der::{Decode as _, Encode as _}; -use x509_cert::Certificate; +use x509_cert::{ + der::{Decode as _, Encode as _}, + Certificate, +}; /// Options and arguments needed to attest a TEE #[derive(Args, Debug, Clone)] 
@@ -63,6 +70,8 @@ impl TeeConnection { /// This will verify the attestation report and check that the enclave /// is running the expected code. pub fn new(args: &AttestationArgs) -> Self { + let _ = rustls::crypto::ring::default_provider().install_default(); + let tls_config = Arc::new( ClientConfig::builder() .dangerous() @@ -260,6 +269,8 @@ impl TeeConnection { } } + info!("Quote verified! Connection secure!"); + Ok(rustls::client::danger::ServerCertVerified::assertion()) }
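Review bot: `TeeConnection::new` now changes process-global state: the first call installs ring as the default provider for the whole process, and every later call fails silently through `let _`. For a library constructor it would be tighter to hand the provider to the builder, `ClientConfig::builder_with_provider(Arc::new(rustls::crypto::ring::default_provider()))` followed by `.with_safe_default_protocol_versions()`, so the attested connection does not depend on what else in the process installed a default. That call returns a `Result` while `new` returns `Self`, and the rest of the builder chain lies outside the hunk, so how the error is handled needs deciding there. If the global install stays, a comment explaining why the error is ignored would help.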
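Review bot: The added `info!("Quote verified! Connection secure!");` in the `@@ -260,6 +269,8 @@` hunk sits directly before `Ok(rustls::client::danger::ServerCertVerified::assertion())`, so it claims a secure connection while the handshake is still in progress. As far as I know, rustls checks the peer's handshake signature through the verifier's separate signature callbacks only after the certificate callback returns. A line operators may rely on should state only what has been established, e.g. `info!("Attestation quote verified; server certificate accepted");`. The enclosing function starts outside the hunk, so it is worth confirming that no early branch reaches this line without going through quote verification.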