diff --git a/cert/cert.go b/cert/cert.go
index 5eb4326..2ec7825 100644
--- a/cert/cert.go
+++ b/cert/cert.go
@@ -337,10 +337,11 @@ func (nc *NebulaCertificate) VerifyPrivateKey(key []byte) error {
 		return nil
 	}
 
-	var dst, key32 [32]byte
-	copy(key32[:], key)
-	curve25519.ScalarBaseMult(&dst, &key32)
-	if !bytes.Equal(dst[:], nc.Details.PublicKey) {
+	pub, err := curve25519.X25519(key, curve25519.Basepoint)
+	if err != nil {
+		return err
+	}
+	if !bytes.Equal(pub, nc.Details.PublicKey) {
 		return fmt.Errorf("public key in cert and private key supplied don't match")
 	}
 
diff --git a/cert/cert_test.go b/cert/cert_test.go
index e5bdddc..4fe13cc 100644
--- a/cert/cert_test.go
+++ b/cert/cert_test.go
@@ -860,10 +860,15 @@ func newTestCert(ca *NebulaCertificate, key []byte, before, after time.Time, ips
 }
 
 func x25519Keypair() ([]byte, []byte) {
-	var pubkey, privkey [32]byte
-	if _, err := io.ReadFull(rand.Reader, privkey[:]); err != nil {
+	privkey := make([]byte, 32)
+	if _, err := io.ReadFull(rand.Reader, privkey); err != nil {
 		panic(err)
 	}
-	curve25519.ScalarBaseMult(&pubkey, &privkey)
-	return pubkey[:], privkey[:]
+
+	pubkey, err := curve25519.X25519(privkey, curve25519.Basepoint)
+	if err != nil {
+		panic(err)
+	}
+
+	return pubkey, privkey
 }
diff --git a/cmd/nebula-cert/sign.go b/cmd/nebula-cert/sign.go
index 86de0b1..1f3ddea 100644
--- a/cmd/nebula-cert/sign.go
+++ b/cmd/nebula-cert/sign.go
@@ -226,12 +226,17 @@ func signCert(args []string, out io.Writer, errOut io.Writer) error {
 }
 
 func x25519Keypair() ([]byte, []byte) {
-	var pubkey, privkey [32]byte
-	if _, err := io.ReadFull(rand.Reader, privkey[:]); err != nil {
+	privkey := make([]byte, 32)
+	if _, err := io.ReadFull(rand.Reader, privkey); err != nil {
 		panic(err)
 	}
-	curve25519.ScalarBaseMult(&pubkey, &privkey)
-	return pubkey[:], privkey[:]
+
+	pubkey, err := curve25519.X25519(privkey, curve25519.Basepoint)
+	if err != nil {
+		panic(err)
+	}
+
+	return pubkey, privkey
 }
 
 func signSummary() string {
diff --git a/e2e/helpers_test.go b/e2e/helpers_test.go
index 1c31d67..224784e 100644
--- a/e2e/helpers_test.go
+++ b/e2e/helpers_test.go
@@ -186,12 +186,17 @@ func newTestCert(ca *cert.NebulaCertificate, key []byte, name string, before, af
 }
 
 func x25519Keypair() ([]byte, []byte) {
-	var pubkey, privkey [32]byte
-	if _, err := io.ReadFull(rand.Reader, privkey[:]); err != nil {
+	privkey := make([]byte, 32)
+	if _, err := io.ReadFull(rand.Reader, privkey); err != nil {
 		panic(err)
 	}
-	curve25519.ScalarBaseMult(&pubkey, &privkey)
-	return pubkey[:], privkey[:]
+
+	pubkey, err := curve25519.X25519(privkey, curve25519.Basepoint)
+	if err != nil {
+		panic(err)
+	}
+
+	return pubkey, privkey
 }
 
 func ip2int(ip []byte) uint32 {