diff --git a/src/go.mod b/src/go.mod
index 889f35c83..a96ad7181 100644
--- a/src/go.mod
+++ b/src/go.mod
@@ -11,7 +11,7 @@ require (
 	code.cloudfoundry.org/go-loggregator/v10 v10.2.0
 	code.cloudfoundry.org/go-metric-registry v0.0.0-20250512163413-c16153523050
 	code.cloudfoundry.org/go-pubsub v0.0.0-20250325104231-893079a7322c
-	code.cloudfoundry.org/tlsconfig v0.31.0
+	code.cloudfoundry.org/tlsconfig v0.32.0
 	github.com/cloudfoundry/noaa/v2 v2.5.0
 	github.com/cloudfoundry/sonde-go v0.0.0-20250505082611-517434ece96d
 	github.com/gorilla/handlers v1.5.2
@@ -44,7 +44,7 @@ require (
 	github.com/prometheus/common v0.65.0 // indirect
 	github.com/prometheus/procfs v0.16.1 // indirect
 	github.com/square/certstrap v1.3.0 // indirect
-	go.step.sm/crypto v0.67.0 // indirect
+	go.step.sm/crypto v0.68.0 // indirect
 	go.uber.org/automaxprocs v1.6.0 // indirect
 	golang.org/x/crypto v0.40.0 // indirect
 	golang.org/x/sys v0.34.0 // indirect
diff --git a/src/go.sum b/src/go.sum
index a0ba50824..b0345da6f 100644
--- a/src/go.sum
+++ b/src/go.sum
@@ -10,8 +10,8 @@ code.cloudfoundry.org/go-metric-registry v0.0.0-20250512163413-c16153523050 h1:3
 code.cloudfoundry.org/go-metric-registry v0.0.0-20250512163413-c16153523050/go.mod h1:g5bJie+5m0U1WzcqX6AV8Wd3wrJp8yz3vYh9/9HdD10=
 code.cloudfoundry.org/go-pubsub v0.0.0-20250325104231-893079a7322c h1:UO8XPsYvi92lyFqiVj478qqVXoX8Sn+UtiGcBIpWa+8=
 code.cloudfoundry.org/go-pubsub v0.0.0-20250325104231-893079a7322c/go.mod h1:QxOFtPAFdKuZ2+ZsNW9GcMfxc8wAucVJ7dCuai+H6+s=
-code.cloudfoundry.org/tlsconfig v0.31.0 h1:rhpKoyBhxc3dHYKM9tF1DV4SMzgZRAlgtCMvu0fHMvc=
-code.cloudfoundry.org/tlsconfig v0.31.0/go.mod h1:gCPA3cUJEjXzzRAN4EAlcxob11eAjAtzXGgTZa445r4=
+code.cloudfoundry.org/tlsconfig v0.32.0 h1:QL1F0o0V0Q64qn9/RsLu96R9M6yqCuk19+35l3d6+Rg=
+code.cloudfoundry.org/tlsconfig v0.32.0/go.mod h1:0InW25+0caQQIX+rdnhFqs9Jyt4IG0/5k4l0uISvTbA=
 filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA=
 filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4=
 github.com/apoydence/eachers v0.0.0-20181020210610-23942921fe77 h1:afT88tB6u9JCKQZVAAaa9ICz/uGn5Uw9ekn6P22mYKM=
@@ -134,8 +134,8 @@ go.opentelemetry.io/otel/sdk/metric v1.36.0 h1:r0ntwwGosWGaa0CrSt8cuNuTcccMXERFw
 go.opentelemetry.io/otel/sdk/metric v1.36.0/go.mod h1:qTNOhFDfKRwX0yXOqJYegL5WRaW376QbB7P4Pb0qva4=
 go.opentelemetry.io/otel/trace v1.36.0 h1:ahxWNuqZjpdiFAyrIoQ4GIiAIhxAunQR6MUoKrsNd4w=
 go.opentelemetry.io/otel/trace v1.36.0/go.mod h1:gQ+OnDZzrybY4k4seLzPAWNwVBBVlF2szhehOBB/tGA=
-go.step.sm/crypto v0.67.0 h1:1km9LmxMKG/p+mKa1R4luPN04vlJYnRLlLQrWv7egGU=
-go.step.sm/crypto v0.67.0/go.mod h1:+AoDpB0mZxbW/PmOXuwkPSpXRgaUaoIK+/Wx/HGgtAU=
+go.step.sm/crypto v0.68.0 h1:PqiEolMb+MGJkamRzmbiEp6lWqbfGESCS5yehwNJ1Tk=
+go.step.sm/crypto v0.68.0/go.mod h1:YzEeTFSsXOJg7BV4uckv3lW5/OS+3E20clU136od/sU=
 go.uber.org/automaxprocs v1.6.0 h1:O3y2/QNTOdbF+e/dpXNNW7Rx2hZ4sTIPyybbxyNqTUs=
 go.uber.org/automaxprocs v1.6.0/go.mod h1:ifeIMSnPZuznNm6jmdzmU3/bfk01Fe2fotchwEFJ8r8=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
diff --git a/src/vendor/go.step.sm/crypto/internal/bcrypt_pbkdf/bcrypt_pbkdf.go b/src/vendor/go.step.sm/crypto/internal/bcrypt_pbkdf/bcrypt_pbkdf.go
index 069bafda1..e5d37e442 100644
--- a/src/vendor/go.step.sm/crypto/internal/bcrypt_pbkdf/bcrypt_pbkdf.go
+++ b/src/vendor/go.step.sm/crypto/internal/bcrypt_pbkdf/bcrypt_pbkdf.go
@@ -2,11 +2,9 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
-// Package bcrypt_pbkdf implements password-based key derivation function based
+// Package bcryptpbkdf implements password-based key derivation function based
 // on bcrypt compatible with bcrypt_pbkdf(3) from OpenBSD.
-//
-//nolint:revive,staticcheck // ignore underscore in package
-package bcrypt_pbkdf
+package bcryptpbkdf
 
 import (
 	"crypto/sha512"
diff --git a/src/vendor/go.step.sm/crypto/internal/utils/asn1.go b/src/vendor/go.step.sm/crypto/internal/utils/asn1.go
deleted file mode 100644
index 798dbee8c..000000000
--- a/src/vendor/go.step.sm/crypto/internal/utils/asn1.go
+++ /dev/null
@@ -1,33 +0,0 @@
-package utils
-
-// IsPrintableString reports whether the given s is a valid ASN.1 PrintableString.
-// If asterisk is allowAsterisk then '*' is also allowed, reflecting existing
-// practice. If ampersand is allowAmpersand then '&' is allowed as well.
-func IsPrintableString(s string, asterisk, ampersand bool) bool {
-	for _, b := range s {
-		valid := 'a' <= b && b <= 'z' ||
-			'A' <= b && b <= 'Z' ||
-			'0' <= b && b <= '9' ||
-			'\'' <= b && b <= ')' ||
-			'+' <= b && b <= '/' ||
-			b == ' ' ||
-			b == ':' ||
-			b == '=' ||
-			b == '?' ||
-			// This is technically not allowed in a PrintableString.
-			// However, x509 certificates with wildcard strings don't
-			// always use the correct string type so we permit it.
-			(asterisk && b == '*') ||
-			// This is not technically allowed either. However, not
-			// only is it relatively common, but there are also a
-			// handful of CA certificates that contain it. At least
-			// one of which will not expire until 2027.
-			(ampersand && b == '&')
-
-		if !valid {
-			return false
-		}
-	}
-
-	return true
-}
diff --git a/src/vendor/go.step.sm/crypto/internal/utils/convert.go b/src/vendor/go.step.sm/crypto/internal/utils/convert.go
deleted file mode 100644
index 44cf50b5a..000000000
--- a/src/vendor/go.step.sm/crypto/internal/utils/convert.go
+++ /dev/null
@@ -1,76 +0,0 @@
-package utils
-
-import (
-	"fmt"
-	"math"
-)
-
-type integer interface {
-	~int | ~int64
-}
-
-// SafeUint64 converts an integer value to [uint64]. It returns an error if the value is out of range.
-func SafeUint64[T integer](x T) (uint64, error) {
-	if x < 0 {
-		return 0, fmt.Errorf("value %d out of range for uint64", x)
-	}
-
-	return uint64(x), nil
-}
-
-// MustUint64 converts an integer value to [uint64]. It panics if the value is out of range.
-func MustUint64[T integer](x T) uint64 {
-	u64, err := SafeUint64(x)
-	if err != nil {
-		panic(err)
-	}
-
-	return u64
-}
-
-// SafeUint32 converts an integer value to [uint32]. It returns an error if the value is out of range.
-func SafeUint32[T integer](x T) (uint32, error) {
-	if x < 0 || int64(x) > math.MaxUint32 {
-		return 0, fmt.Errorf("value %d out of range for uint32", x)
-	}
-
-	return uint32(x), nil
-}
-
-// MustUint32 converts an integer value to [uint32]. It panics if the value is out of range.
-func MustUint32[T integer](x T) uint32 {
-	u32, err := SafeUint32(x)
-	if err != nil {
-		panic(err)
-	}
-
-	return u32
-}
-
-// MustUint16 converts an integer value to [uint16]. It panics if the value is out of range.
-func MustUint16(x int) uint16 {
-	if x < 0 || x > math.MaxUint16 {
-		panic(fmt.Errorf("value %d out of range for uint16", x))
-	}
-
-	return uint16(x)
-}
-
-// SafeUint8 converts an integer value to [uint8]. It returns an error if the value is out of range.
-func SafeUint8(x int) (uint8, error) {
-	if x < 0 || x > math.MaxUint8 {
-		return 0, fmt.Errorf("value %d out of range for uint8", x)
-	}
-
-	return uint8(x), nil
-}
-
-// MustUint8 converts an integer value to [uint8]. It panics if the value is out of range.
-func MustUint8(x int) uint8 {
-	u8, err := SafeUint8(x)
-	if err != nil {
-		panic(err)
-	}
-
-	return u8
-}
diff --git a/src/vendor/go.step.sm/crypto/internal/utils/io.go b/src/vendor/go.step.sm/crypto/internal/utils/file/io.go
similarity index 99%
rename from src/vendor/go.step.sm/crypto/internal/utils/io.go
rename to src/vendor/go.step.sm/crypto/internal/utils/file/io.go
index ccccf5f94..cf44af52d 100644
--- a/src/vendor/go.step.sm/crypto/internal/utils/io.go
+++ b/src/vendor/go.step.sm/crypto/internal/utils/file/io.go
@@ -1,4 +1,4 @@
-package utils
+package fileutils
 
 import (
 	"bytes"
diff --git a/src/vendor/go.step.sm/crypto/pemutil/pem.go b/src/vendor/go.step.sm/crypto/pemutil/pem.go
index b2301dabc..b7b41a25e 100644
--- a/src/vendor/go.step.sm/crypto/pemutil/pem.go
+++ b/src/vendor/go.step.sm/crypto/pemutil/pem.go
@@ -22,7 +22,7 @@ import (
 	"github.com/pkg/errors"
 	"golang.org/x/crypto/ssh"
 
-	"go.step.sm/crypto/internal/utils"
+	fileutils "go.step.sm/crypto/internal/utils/file"
 	"go.step.sm/crypto/keyutil"
 	"go.step.sm/crypto/x25519"
 )
@@ -46,7 +46,7 @@ var PromptPassword PasswordPrompter
 // WriteFile is a method used to write a file, by default it uses a wrapper over
 // ioutil.WriteFile, but it can be set to a custom method, that for example can
 // check if a file exists and prompts the user if it should be overwritten.
-var WriteFile FileWriter = utils.WriteFile
+var WriteFile FileWriter = fileutils.WriteFile
 
 // PEMBlockHeader is the expected header for any PEM formatted block.
 var PEMBlockHeader = []byte("-----BEGIN ")
@@ -155,7 +155,7 @@ func WithPassword(pass []byte) Options {
 // WithPasswordFile is a method that adds the password in a file to the context.
 func WithPasswordFile(filename string) Options {
 	return func(ctx *context) error {
-		b, err := utils.ReadPasswordFromFile(filename)
+		b, err := fileutils.ReadPasswordFromFile(filename)
 		if err != nil {
 			return err
 		}
@@ -416,7 +416,7 @@ func ReadCertificate(filename string, opts ...Options) (*x509.Certificate, error
 // - supports PEM and DER certificate formats
 //   - If a DER-formatted file is given only one certificate will be returned.
 func ReadCertificateBundle(filename string) ([]*x509.Certificate, error) {
-	b, err := utils.ReadFile(filename)
+	b, err := fileutils.ReadFile(filename)
 	if err != nil {
 		return nil, err
 	}
@@ -434,7 +434,7 @@ func ReadCertificateBundle(filename string) ([]*x509.Certificate, error) {
 // - supports PEM and DER Certificate formats.
 // - supports reading from STDIN with filename `-`.
 func ReadCertificateRequest(filename string) (*x509.CertificateRequest, error) {
-	b, err := utils.ReadFile(filename)
+	b, err := fileutils.ReadFile(filename)
 	if err != nil {
 		return nil, err
 	}
@@ -537,7 +537,7 @@ func ParseKey(b []byte, opts ...Options) (interface{}, error) {
 // keys are PKCS#1, PKCS#8, RFC5915 for EC, and base64-encoded DER for
 // certificates and public keys.
 func Read(filename string, opts ...Options) (interface{}, error) {
-	b, err := utils.ReadFile(filename)
+	b, err := fileutils.ReadFile(filename)
 	if err != nil {
 		return nil, err
 	}
diff --git a/src/vendor/modules.txt b/src/vendor/modules.txt
index 538da64e2..fec24f54c 100644
--- a/src/vendor/modules.txt
+++ b/src/vendor/modules.txt
@@ -19,7 +19,7 @@ code.cloudfoundry.org/go-metric-registry
 code.cloudfoundry.org/go-pubsub
 code.cloudfoundry.org/go-pubsub/internal/node
 code.cloudfoundry.org/go-pubsub/pubsub-gen/setters
-# code.cloudfoundry.org/tlsconfig v0.31.0
+# code.cloudfoundry.org/tlsconfig v0.32.0
 ## explicit; go 1.23.0
 code.cloudfoundry.org/tlsconfig
 code.cloudfoundry.org/tlsconfig/certtest
@@ -177,12 +177,12 @@ github.com/prometheus/procfs/internal/util
 # github.com/square/certstrap v1.3.0
 ## explicit; go 1.18
 github.com/square/certstrap/pkix
-# go.step.sm/crypto v0.67.0
+# go.step.sm/crypto v0.68.0
 ## explicit; go 1.23.0
 go.step.sm/crypto/fingerprint
 go.step.sm/crypto/internal/bcrypt_pbkdf
 go.step.sm/crypto/internal/emoji
-go.step.sm/crypto/internal/utils
+go.step.sm/crypto/internal/utils/file
 go.step.sm/crypto/internal/utils/utfbom
 go.step.sm/crypto/keyutil
 go.step.sm/crypto/pemutil