diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index df9a7643b..9b5d8e738 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -76,7 +76,7 @@ jobs:
 container: ${{ matrix.container }}
 strategy:
 matrix:
- container: ['fedora:36', 'fedora:37']
+ container: ['fedora:36', 'fedora:37', 'fedora:38']
 env:
 MAKEFLAGS: -j3
 steps:
@@ -105,14 +105,14 @@ jobs:
 container: ${{ matrix.container }}
 strategy:
 matrix:
- container: ['ubuntu:20.04', 'ubuntu:22.04', 'ubuntu:22.10']
+ container: ['ubuntu:20.04', 'ubuntu:22.04', 'ubuntu:22.10', 'ubuntu:23.04']
 env:
 DEBIAN_FRONTEND: noninteractive
 DEBFULLNAME: github-actions
 DEBEMAIL: github-actions@github.com
 steps:
 - name: Install dependencies
- run: apt update -qq && apt install --no-install-recommends -y git lsb-release fakeroot build-essential devscripts cdbs cmake xxd xsdcxx libxml-security-c-dev zlib1g-dev doxygen swig openjdk-8-jdk-headless libpython3-dev python3-distutils libboost-test-dev lintian
+ run: apt update -qq && apt install --no-install-recommends -y git lsb-release fakeroot build-essential devscripts cdbs debhelper cmake xxd xsdcxx libxml-security-c-dev zlib1g-dev doxygen swig openjdk-8-jdk-headless libpython3-dev python3-distutils libboost-test-dev lintian
 - name: Checkout
 uses: actions/checkout@v3
 with:
diff --git a/cmake b/cmake
index 7b34cc036..01ec22ddc 160000
--- a/cmake
+++ b/cmake
@@ -1 +1 @@
-Subproject commit 7b34cc036c350e2ac13e4f3f529361003e36394a
+Subproject commit 01ec22ddceaf93824737bed3158bd4a560c4af9d
diff --git a/src/crypto/X509CertStore.cpp b/src/crypto/X509CertStore.cpp
index 9741325a9..f6c029c94 100644
--- a/src/crypto/X509CertStore.cpp
+++ b/src/crypto/X509CertStore.cpp
@@ -87,15 +87,14 @@ X509CertStore::X509CertStore()
 if(!path.empty())
 OSSL_PROVIDER_set_default_search_path(nullptr, path.c_str());
 #endif
- for(const string &prov: {"legacy", "default"})
+ for(const auto *prov: {"legacy", "default"})
 {
- if(OSSL_PROVIDER *p = OSSL_PROVIDER_load(nullptr, prov.c_str()))
+ if(OSSL_PROVIDER *p = OSSL_PROVIDER_load(nullptr, prov))
 d->provs.push_back(p);
 else
- WARN("Failed to load OpenSSL '%s' provider!", prov.c_str());
+ WARN("Failed to load OpenSSL '%s' provider!", prov);
 }
 #endif
- OPENSSL_init_ssl(OPENSSL_INIT_SSL_DEFAULT, nullptr);
 d->update();
 }
@@ -108,7 +107,6 @@ X509CertStore::~X509CertStore()
 for(OSSL_PROVIDER *p: d->provs)
 OSSL_PROVIDER_unload(p);
 #endif
- OPENSSL_cleanup();
 }
 void X509CertStore::activate(const X509Cert &cert) const
@@ -153,7 +151,7 @@ X509Cert X509CertStore::findIssuer(const X509Cert &cert, const Type &type) const
 return X509Cert();
 }
-X509Cert X509CertStore::issuerFromAIA(const X509Cert &cert) const
+X509Cert X509CertStore::issuerFromAIA(const X509Cert &cert)
 {
 SCOPE(AUTHORITY_INFO_ACCESS, aia, X509_get_ext_d2i(cert.handle(), NID_info_access, nullptr, nullptr));
 if(!aia)
@@ -161,8 +159,8 @@ X509Cert X509CertStore::issuerFromAIA(const X509Cert &cert) const
 string url;
 for(int i = 0; i < sk_ACCESS_DESCRIPTION_num(aia.get()); ++i)
 {
- ACCESS_DESCRIPTION *ad = sk_ACCESS_DESCRIPTION_value(aia.get(), i);
- if(ad->location->type == GEN_URI &&
+ if(ACCESS_DESCRIPTION *ad = sk_ACCESS_DESCRIPTION_value(aia.get(), i);
+ ad->location->type == GEN_URI &&
 OBJ_obj2nid(ad->method) == NID_ad_ca_issuers)
 url.assign((const char*)ad->location->d.uniformResourceIdentifier->data, ad->location->d.uniformResourceIdentifier->length);
 }
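Review bot: The provider loop in the constructor (hunk at -87) still loads `legacy` into the default library context via `OSSL_PROVIDER_load(nullptr, prov)`, which makes the legacy algorithms available to every OpenSSL user in the host process, and nothing in the hunk says why the library needs it. I would add a comment above the loop such as `// legacy provider is required for <reason>; it is loaded into the global libctx and so affects the whole process`, with the reason filled in by someone who knows it. Separately, a failed load of `default` is only a `WARN`; once another provider has been loaded explicitly, OpenSSL 3 no longer loads the default provider on demand, so that case probably deserves a hard error rather than a warning. The constructor body begins before this hunk.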
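Review bot: In the `issuerFromAIA` loop (hunk at -161), `url` is filled from the certificate's caIssuers entry, which is data the certificate's author controls, and the loop applies no check to it; there is also no `break`, so the last matching entry wins. What is done with `url` is outside the hunk, but if it is fetched I would validate it right after the loop, e.g. `if(url.find('\0') != string::npos || url.compare(0, 7, "http://") != 0) return X509Cert();`, with the allowed schemes adjusted to what the project actually supports. The `(const char*)` C-style cast on the touched lines could become `reinterpret_cast<const char*>` at the same time. The function begins in the previous hunk and continues past this one.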
@@ -224,7 +222,7 @@ int X509CertStore::validate(int ok, X509_STORE_CTX *ctx, const Type &type)
 return false;
 }))
 continue;
- X509_STORE_CTX_set_ex_data(ctx, 0, const_cast(&s.validity[0]));
+ X509_STORE_CTX_set_ex_data(ctx, 0, const_cast(&s.validity.front()));
 X509_VERIFY_PARAM *param = X509_STORE_CTX_get0_param(ctx);
 if(!(X509_VERIFY_PARAM_get_flags(param) & X509_V_FLAG_USE_CHECK_TIME) || s.validity.empty())
 return 1;
diff --git a/src/crypto/X509CertStore.h b/src/crypto/X509CertStore.h
index 3522d693f..8221f5093 100644
--- a/src/crypto/X509CertStore.h
+++ b/src/crypto/X509CertStore.h
@@ -46,7 +46,7 @@ namespace digidoc
 void activate(const X509Cert &cert) const;
 std::vector certs(const Type &type) const;
 X509Cert findIssuer(const X509Cert &cert, const Type &type) const;
- X509Cert issuerFromAIA(const X509Cert &cert) const;
+ static X509Cert issuerFromAIA(const X509Cert &cert);
 static X509_STORE* createStore(const Type &type, const time_t *t = nullptr);
 bool verify(const X509Cert &cert, bool qscd) const;
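Review bot: In `X509CertStore::validate` (X509CertStore.cpp, hunk at -224), the new `s.validity.front()` is evaluated before the `s.validity.empty()` test two lines below it, and calling `front()` on an empty vector is undefined behaviour; standard-library builds with assertions enabled abort on it. `s.validity.data()` yields the same pointer for a non-empty vector and is well defined for an empty one, so I would pass `s.validity.data()` in place of `&s.validity.front()`. Whatever later reads this ex_data slot is outside the hunk and should be checked for tolerating a null or unusable pointer when the vector is empty. The function starts and ends outside this hunk.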