diff --git a/src/rust/src/asn1.rs b/src/rust/src/asn1.rs
index 394f19218083..62cbd069bfd9 100644
--- a/src/rust/src/asn1.rs
+++ b/src/rust/src/asn1.rs
@@ -7,6 +7,7 @@ use cryptography_x509::certificate::Certificate;
 use cryptography_x509::common::{DssSignature, SubjectPublicKeyInfo, Time};
 use cryptography_x509::name::Name;
 use pyo3::prelude::PyAnyMethods;
+use pyo3::prelude::PyModuleMethods;
 use pyo3::types::IntoPyDict;
 use pyo3::ToPyObject;
 
@@ -97,11 +98,11 @@ pub(crate) fn encode_der_data<'p>(
     pem_tag: String,
     data: Vec<u8>,
     encoding: &'p pyo3::PyAny,
-) -> CryptographyResult<&'p pyo3::types::PyBytes> {
-    if encoding.is(types::ENCODING_DER.get(py)?) {
-        Ok(pyo3::types::PyBytes::new(py, &data))
-    } else if encoding.is(types::ENCODING_PEM.get(py)?) {
-        Ok(pyo3::types::PyBytes::new(
+) -> CryptographyResult<pyo3::Bound<'p, pyo3::types::PyBytes>> {
+    if encoding.is(&types::ENCODING_DER.get_bound(py)?) {
+        Ok(pyo3::types::PyBytes::new_bound(py, &data))
+    } else if encoding.is(&types::ENCODING_PEM.get_bound(py)?) {
+        Ok(pyo3::types::PyBytes::new_bound(
             py,
             &pem::encode_config(
                 &pem::Pem::new(pem_tag, data),
@@ -118,17 +119,17 @@ pub(crate) fn encode_der_data<'p>(
 }
 
 #[pyo3::prelude::pyfunction]
-fn encode_dss_signature(
-    py: pyo3::Python<'_>,
+fn encode_dss_signature<'p>(
+    py: pyo3::Python<'p>,
     r: pyo3::Bound<'_, pyo3::types::PyLong>,
     s: pyo3::Bound<'_, pyo3::types::PyLong>,
-) -> CryptographyResult<pyo3::PyObject> {
+) -> CryptographyResult<pyo3::Bound<'p, pyo3::types::PyBytes>> {
     let sig = DssSignature {
         r: asn1::BigUint::new(py_uint_to_big_endian_bytes(py, r)?).unwrap(),
         s: asn1::BigUint::new(py_uint_to_big_endian_bytes(py, s)?).unwrap(),
     };
     let result = asn1::write_single(&sig)?;
-    Ok(pyo3::types::PyBytes::new(py, &result).to_object(py))
+    Ok(pyo3::types::PyBytes::new_bound(py, &result))
 }
 
 #[pyo3::prelude::pyclass(frozen, module = "cryptography.hazmat.bindings._rust.asn1")]
@@ -173,14 +174,19 @@ fn test_parse_certificate(data: &[u8]) -> Result<TestCertificate, CryptographyEr
     })
 }
 
-pub(crate) fn create_submodule(py: pyo3::Python<'_>) -> pyo3::PyResult<&pyo3::prelude::PyModule> {
-    let submod = pyo3::prelude::PyModule::new(py, "asn1")?;
-    submod.add_function(pyo3::wrap_pyfunction!(parse_spki_for_data, submod)?)?;
+pub(crate) fn create_submodule(
+    py: pyo3::Python<'_>,
+) -> pyo3::PyResult<pyo3::Bound<'_, pyo3::prelude::PyModule>> {
+    let submod = pyo3::prelude::PyModule::new_bound(py, "asn1")?;
+    submod.add_function(pyo3::wrap_pyfunction_bound!(parse_spki_for_data, &submod)?)?;
 
-    submod.add_function(pyo3::wrap_pyfunction!(decode_dss_signature, submod)?)?;
-    submod.add_function(pyo3::wrap_pyfunction!(encode_dss_signature, submod)?)?;
+    submod.add_function(pyo3::wrap_pyfunction_bound!(decode_dss_signature, &submod)?)?;
+    submod.add_function(pyo3::wrap_pyfunction_bound!(encode_dss_signature, &submod)?)?;
 
-    submod.add_function(pyo3::wrap_pyfunction!(test_parse_certificate, submod)?)?;
+    submod.add_function(pyo3::wrap_pyfunction_bound!(
+        test_parse_certificate,
+        &submod
+    )?)?;
 
     Ok(submod)
 }
diff --git a/src/rust/src/backend/dh.rs b/src/rust/src/backend/dh.rs
index b0527fca16b5..defe32333734 100644
--- a/src/rust/src/backend/dh.rs
+++ b/src/rust/src/backend/dh.rs
@@ -343,7 +343,7 @@ impl DHParameters {
         py: pyo3::Python<'p>,
         encoding: &'p pyo3::PyAny,
         format: &pyo3::PyAny,
-    ) -> CryptographyResult<&'p pyo3::types::PyBytes> {
+    ) -> CryptographyResult<pyo3::Bound<'p, pyo3::types::PyBytes>> {
         if !format.is(types::PARAMETER_FORMAT_PKCS3.get(py)?) {
             return Err(CryptographyError::from(
                 pyo3::exceptions::PyValueError::new_err("Only PKCS3 serialization is supported"),
diff --git a/src/rust/src/lib.rs b/src/rust/src/lib.rs
index 8ea8709c6e11..b6fc12577753 100644
--- a/src/rust/src/lib.rs
+++ b/src/rust/src/lib.rs
@@ -96,7 +96,7 @@ fn _rust(py: pyo3::Python<'_>, m: &pyo3::types::PyModule) -> pyo3::PyResult<()>
     m.add_function(pyo3::wrap_pyfunction!(padding::check_ansix923_padding, m)?)?;
     m.add_class::<oid::ObjectIdentifier>()?;
 
-    m.add_submodule(asn1::create_submodule(py)?)?;
+    m.add_submodule(asn1::create_submodule(py)?.into_gil_ref())?;
     m.add_submodule(pkcs7::create_submodule(py)?)?;
     m.add_submodule(pkcs12::create_submodule(py)?.into_gil_ref())?;
     m.add_submodule(exceptions::create_submodule(py)?)?;
diff --git a/src/rust/src/pkcs7.rs b/src/rust/src/pkcs7.rs
index 9732b6b93b9b..b33d054b4ef8 100644
--- a/src/rust/src/pkcs7.rs
+++ b/src/rust/src/pkcs7.rs
@@ -44,7 +44,7 @@ fn serialize_certificates<'p>(
     py: pyo3::Python<'p>,
     py_certs: Vec<pyo3::PyRef<'p, x509::certificate::Certificate>>,
     encoding: &'p pyo3::PyAny,
-) -> CryptographyResult<&'p pyo3::types::PyBytes> {
+) -> CryptographyResult<pyo3::Bound<'p, pyo3::types::PyBytes>> {
     if py_certs.is_empty() {
         return Err(pyo3::exceptions::PyTypeError::new_err(
             "certs must be a list of certs with length >= 1",
@@ -84,7 +84,7 @@ fn sign_and_serialize<'p>(
     builder: &'p pyo3::PyAny,
     encoding: &'p pyo3::PyAny,
     options: &'p pyo3::types::PyList,
-) -> CryptographyResult<&'p pyo3::types::PyBytes> {
+) -> CryptographyResult<pyo3::Bound<'p, pyo3::types::PyBytes>> {
     let raw_data: CffiBuf<'p> = builder.getattr(pyo3::intern!(py, "_data"))?.extract()?;
     let text_mode = options.contains(types::PKCS7_TEXT.get(py)?)?;
     let (data_with_header, data_without_header) =
diff --git a/src/rust/src/x509/crl.rs b/src/rust/src/x509/crl.rs
index 479a1769ed60..529e499fcb72 100644
--- a/src/rust/src/x509/crl.rs
+++ b/src/rust/src/x509/crl.rs
@@ -235,7 +235,7 @@ impl CertificateRevocationList {
         &self,
         py: pyo3::Python<'p>,
         encoding: &'p pyo3::PyAny,
-    ) -> CryptographyResult<&'p pyo3::types::PyBytes> {
+    ) -> CryptographyResult<pyo3::Bound<'p, pyo3::types::PyBytes>> {
         let result = asn1::write_single(&self.owned.borrow_dependent())?;
 
         encode_der_data(py, "X509 CRL".to_string(), result, encoding)
diff --git a/src/rust/src/x509/csr.rs b/src/rust/src/x509/csr.rs
index 4fb3a301ed47..999276fa3e62 100644
--- a/src/rust/src/x509/csr.rs
+++ b/src/rust/src/x509/csr.rs
@@ -118,7 +118,7 @@ impl CertificateSigningRequest {
         &self,
         py: pyo3::Python<'p>,
         encoding: &'p pyo3::PyAny,
-    ) -> CryptographyResult<&'p pyo3::types::PyBytes> {
+    ) -> CryptographyResult<pyo3::Bound<'p, pyo3::types::PyBytes>> {
         let result = asn1::write_single(self.raw.borrow_dependent())?;
 
         encode_der_data(py, "CERTIFICATE REQUEST".to_string(), result, encoding)