diff --git a/boring/src/ssl/mod.rs b/boring/src/ssl/mod.rs
index 283594149..99a26fb1c 100644
--- a/boring/src/ssl/mod.rs
+++ b/boring/src/ssl/mod.rs
@@ -4470,36 +4470,12 @@ impl<S> SslStreamBuilder<S> {
     }
 }
 
-/// A credential.
-pub struct SslCredential(NonNull<ffi::SSL_CREDENTIAL>);
-
-unsafe impl ForeignType for SslCredential {
+foreign_type_and_impl_send_sync! {
     type CType = ffi::SSL_CREDENTIAL;
-    type Ref = SslCredentialRef;
-
-    #[inline]
-    unsafe fn from_ptr(ptr: *mut ffi::SSL_CREDENTIAL) -> Self {
-        Self(NonNull::new_unchecked(ptr))
-    }
-
-    #[inline]
-    fn as_ptr(&self) -> *mut ffi::SSL_CREDENTIAL {
-        self.0.as_ptr()
-    }
-}
+    fn drop = ffi::SSL_CREDENTIAL_free;
 
-impl Drop for SslCredential {
-    fn drop(&mut self) {
-        unsafe { ffi::SSL_CREDENTIAL_free(self.as_ptr()) }
-    }
-}
-
-impl Deref for SslCredential {
-    type Target = SslCredentialRef;
-
-    fn deref(&self) -> &SslCredentialRef {
-        unsafe { SslCredentialRef::from_ptr(self.as_ptr()) }
-    }
+    /// A credential.
+    pub struct SslCredential;
 }
 
 impl SslCredential {
@@ -4546,11 +4522,6 @@ impl SslCredential {
     }
 }
 
-/// Reference to an [`SslCredential`].
-///
-/// [`SslCredential`]: struct.SslCredential.html
-pub struct SslCredentialRef(Opaque);
-
 impl SslCredentialRef {
     /// Returns a reference to the extra data at the specified index.
     #[corresponds(SSL_CREDENTIAL_get_ex_data)]
@@ -4578,16 +4549,6 @@ impl SslCredentialRef {
         }
     }
 
-    // Unsafe because SSL contexts are not guaranteed to be unique, we call
-    // this only from SslCredentialBuilder.
-    #[corresponds(SSL_CREDENTIAL_set_ex_data)]
-    unsafe fn set_ex_data<T>(&mut self, index: Index<SslCredential, T>, data: T) {
-        unsafe {
-            let data = Box::into_raw(Box::new(data)) as *mut c_void;
-            ffi::SSL_CREDENTIAL_set_ex_data(self.as_ptr(), index.as_raw(), data);
-        }
-    }
-
     // Unsafe because SSL contexts are not guaranteed to be unique, we call
     // this only from SslCredentialBuilder.
     #[corresponds(SSL_CREDENTIAL_set_ex_data)]
@@ -4596,36 +4557,19 @@ impl SslCredentialRef {
             return Some(mem::replace(old, data));
         }
 
-        self.set_ex_data(index, data);
+        unsafe {
+            let data = Box::into_raw(Box::new(data)) as *mut c_void;
+            ffi::SSL_CREDENTIAL_set_ex_data(self.as_ptr(), index.as_raw(), data);
+        }
 
         None
     }
 }
 
-unsafe impl Send for SslCredentialRef {}
-unsafe impl Sync for SslCredentialRef {}
-
-unsafe impl ForeignTypeRef for SslCredentialRef {
-    type CType = ffi::SSL_CREDENTIAL;
-}
-
+/// A builder for [`SslCredential`]
 pub struct SslCredentialBuilder(SslCredential);
 
 impl SslCredentialBuilder {
-    /// Sets the extra data at the specified index.
-    ///
-    /// This can be used to provide data to callbacks registered with the context. Use the
-    /// `SslCredential::new_ex_index` method to create an `Index`.
-    ///
-    /// Note that if this method is called multiple times with the same index, any previous
-    /// value stored in the `SslCredentialBuilder` will be leaked.
-    #[corresponds(SSL_CREDENTIAL_set_ex_data)]
-    pub fn set_ex_data<T>(&mut self, index: Index<SslCredential, T>, data: T) {
-        unsafe {
-            self.as_mut().set_ex_data(index, data);
-        }
-    }
-
     /// Sets or overwrites the extra data at the specified index.
     ///
     /// This can be used to provide data to callbacks registered with the context. Use the
@@ -4634,7 +4578,7 @@ impl SslCredentialBuilder {
     /// Any previous value will be returned and replaced by the new one.
     #[corresponds(SSL_CREDENTIAL_set_ex_data)]
     pub fn replace_ex_data<T>(&mut self, index: Index<SslCredential, T>, data: T) -> Option<T> {
-        unsafe { self.as_mut().replace_ex_data(index, data) }
+        unsafe { self.0.replace_ex_data(index, data) }
     }
 
     // Sets the private key of the credential.
@@ -4658,12 +4602,10 @@ impl SslCredentialBuilder {
         M: PrivateKeyMethod,
     {
         unsafe {
-            let this = self.as_mut();
-
-            this.replace_ex_data(SslCredential::cached_ex_index::<M>(), method);
+            self.replace_ex_data(SslCredential::cached_ex_index::<M>(), method);
 
             cvt_0i(ffi::SSL_CREDENTIAL_set_private_key_method(
-                this.as_ptr(),
+                self.0.as_ptr(),
                 &ffi::SSL_PRIVATE_KEY_METHOD {
                     sign: Some(callbacks::raw_sign::<M>),
                     decrypt: Some(callbacks::raw_decrypt::<M>),
@@ -4692,22 +4634,16 @@ impl SslCredentialBuilder {
                 .transpose()?
                 .unwrap_or(ptr::null_mut());
 
-            let ret = cvt_0i(ffi::SSL_CREDENTIAL_set1_spki(self.0.as_ptr(), spki));
+            let ret = cvt_0i(ffi::SSL_CREDENTIAL_set1_spki(self.0.as_ptr(), spki)).map(|_| ());
 
-            if spki.is_null() {
+            if !spki.is_null() {
                 ffi::CRYPTO_BUFFER_free(spki);
             }
 
-            ret?;
-
-            Ok(())
+            ret
         }
     }
 
-    unsafe fn as_mut(&mut self) -> &mut SslCredentialRef {
-        SslCredentialRef::from_ptr_mut(self.0.as_ptr())
-    }
-
     pub fn build(self) -> SslCredential {
         self.0
     }