diff --git a/browser/base/content/browser.js b/browser/base/content/browser.js index 45ede7ac4eaa..8e07727647e2 100644 --- a/browser/base/content/browser.js +++ b/browser/base/content/browser.js @@ -3528,8 +3528,7 @@ function getDetailedCertErrorInfo(location, securityInfo) { // TODO: can we pull getDERString and getPEMString in from pippki.js instead of // duplicating them here? function getDERString(cert) { - var length = {}; - var derArray = cert.getRawDER(length); + var derArray = cert.getRawDER(); var derString = ""; for (var i = 0; i < derArray.length; i++) { derString += String.fromCharCode(derArray[i]); diff --git a/browser/base/content/test/about/head.js b/browser/base/content/test/about/head.js index 99843f39ab60..452950998813 100644 --- a/browser/base/content/test/about/head.js +++ b/browser/base/content/test/about/head.js @@ -22,8 +22,7 @@ function getCertChain(securityInfoAsString) { } function getDERString(cert) { - var length = {}; - var derArray = cert.getRawDER(length); + var derArray = cert.getRawDER(); var derString = ""; for (var i = 0; i < derArray.length; i++) { derString += String.fromCharCode(derArray[i]); diff --git a/netwerk/protocol/http/nsHttpNTLMAuth.cpp b/netwerk/protocol/http/nsHttpNTLMAuth.cpp index 8496d8da24da..219ec36f5a5c 100644 --- a/netwerk/protocol/http/nsHttpNTLMAuth.cpp +++ b/netwerk/protocol/http/nsHttpNTLMAuth.cpp @@ -28,6 +28,7 @@ #include "mozilla/Attributes.h" #include "mozilla/Base64.h" #include "mozilla/CheckedInt.h" +#include "mozilla/Maybe.h" #include "mozilla/Tokenizer.h" #include "mozilla/UniquePtr.h" #include "mozilla/Unused.h" @@ -283,6 +284,7 @@ nsHttpNTLMAuth::GenerateCredentials(nsIHttpAuthenticableChannel* authChannel, void *inBuf, *outBuf; uint32_t inBufLen, outBufLen; + Maybe> certArray; // initial challenge if (PL_strcasecmp(challenge, "NTLM") == 0) { 
@@ -331,15 +333,14 @@ nsHttpNTLMAuth::GenerateCredentials(nsIHttpAuthenticableChannel* authChannel, rv = secInfo->GetServerCert(getter_AddRefs(cert)); if (NS_FAILED(rv)) return rv; - uint32_t length; - uint8_t* certArray; - rv = cert->GetRawDER(&length, &certArray); + certArray.emplace(); + rv = cert->GetRawDER(*certArray); if (NS_FAILED(rv)) return rv; // If there is a server certificate, we pass it along the // first time we call GetNextToken(). - inBufLen = length; - inBuf = certArray; + inBufLen = certArray->Length(); + inBuf = certArray->Elements(); } else { // If there is no server certificate, we don't pass anything. inBufLen = 0; @@ -387,7 +388,10 @@ nsHttpNTLMAuth::GenerateCredentials(nsIHttpAuthenticableChannel* authChannel, free(outBuf); } - if (inBuf) free(inBuf); + // inBuf needs to be freed if it's not pointing into certArray + if (inBuf && !certArray) { + free(inBuf); + } return rv; } diff --git a/security/manager/pki/resources/content/pippki.js b/security/manager/pki/resources/content/pippki.js index 9b4574fbe94d..98d52aebee18 100644 --- a/security/manager/pki/resources/content/pippki.js +++ b/security/manager/pki/resources/content/pippki.js @@ -35,8 +35,7 @@ function viewCertHelper(parent, cert) { } function getDERString(cert) { - var length = {}; - var derArray = cert.getRawDER(length); + var derArray = cert.getRawDER(); var derString = ""; for (var i = 0; i < derArray.length; i++) { derString += String.fromCharCode(derArray[i]); diff --git a/security/manager/ssl/nsIX509Cert.idl b/security/manager/ssl/nsIX509Cert.idl index 7591402e2c50..b1167deae99a 100644 --- a/security/manager/ssl/nsIX509Cert.idl +++ b/security/manager/ssl/nsIX509Cert.idl 
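Review bot: The new guard `if (inBuf && !certArray)` in the `@@ -387,7 +388,10 @@` hunk decides whether to free `inBuf` from whether `certArray` was emplaced, not from where `inBuf` actually points. In the lines shown the two are equivalent, because `certArray.emplace()` in the `@@ -331,15 +333,14 @@` hunk is always followed by `inBuf = certArray->Elements()`. Nothing enforces that pairing, though: a later edit that emplaces `certArray` and then points `inBuf` at a heap buffer would leak it, and loosening the guard would hand nsTArray storage to `free()`. I would pin the invariant next to the guard with `MOZ_ASSERT_IF(certArray, !inBuf || inBuf == certArray->Elements());`, or keep the decoded-challenge buffer in its own owning pointer so `inBuf` is never freed directly. The function body starts and ends outside these hunks, so the other assignments to `inBuf` are not visible here.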
@@ -195,12 +195,10 @@ interface nsIX509Cert : nsISupports { * Obtain a raw binary encoding of this certificate * in DER format. * - * @param length The number of bytes in the binary encoding. - * @param data The bytes representing the DER encoded certificate. + * @return The bytes representing the DER encoded certificate. */ [must_use] - void getRawDER(out unsigned long length, - [retval, array, size_is(length)] out octet data); + Array getRawDER(); /** * Test whether two certificate instances represent the diff --git a/security/manager/ssl/nsNSSCertificate.cpp b/security/manager/ssl/nsNSSCertificate.cpp index 39b31351f191..f80e3a282dbe 100644 --- a/security/manager/ssl/nsNSSCertificate.cpp +++ b/security/manager/ssl/nsNSSCertificate.cpp @@ -703,14 +703,12 @@ nsNSSCertificate::GetSha256SubjectPublicKeyInfoDigest( } NS_IMETHODIMP -nsNSSCertificate::GetRawDER(uint32_t* aLength, uint8_t** aArray) { +nsNSSCertificate::GetRawDER(nsTArray& aArray) { if (mCert) { - *aArray = (uint8_t*)moz_xmalloc(mCert->derCert.len); - memcpy(*aArray, mCert->derCert.data, mCert->derCert.len); - *aLength = mCert->derCert.len; + aArray.SetLength(mCert->derCert.len); + memcpy(aArray.Elements(), mCert->derCert.data, mCert->derCert.len); return NS_OK; } - *aLength = 0; return NS_ERROR_FAILURE; } diff --git a/security/manager/ssl/tests/unit/test_add_preexisting_cert.js b/security/manager/ssl/tests/unit/test_add_preexisting_cert.js index 8a3545ded240..65e5d9aaca0e 100644 --- a/security/manager/ssl/tests/unit/test_add_preexisting_cert.js +++ b/security/manager/ssl/tests/unit/test_add_preexisting_cert.js @@ -19,7 +19,7 @@ function load_cert(cert, trust) { function getDERString(cert) { let derString = ""; - for (let rawByte of cert.getRawDER({})) { + for (let rawByte of cert.getRawDER()) { derString += String.fromCharCode(rawByte); } return derString; 
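Review bot: The rewritten doc comment for `getRawDER()` documents only the success case and says nothing about what a caller gets when no encoding is available. The nsNSSCertificate implementation changed in this same commit returns `NS_ERROR_FAILURE` when `mCert` is null, which script callers would see as a thrown exception rather than an empty array. I would add a line such as `* Fails with NS_ERROR_FAILURE if the certificate has no DER encoding to return.` after the `@return` line. Other implementers of the interface are not visible here, so the wording should be checked against them.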
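Review bot: On the failure path of `nsNSSCertificate::GetRawDER` the out-array is now left exactly as the caller passed it, whereas the removed code at least set `*aLength = 0`. A C++ caller that reuses one `nsTArray` across calls and mishandles the result would go on to use the previous certificate's bytes; `[must_use]` on the interface reduces that risk but does not remove it. Adding `aArray.Clear();` before `return NS_ERROR_FAILURE;` keeps the failure state unambiguous at no cost.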
diff --git a/toolkit/components/extensions/webrequest/SecurityInfo.jsm b/toolkit/components/extensions/webrequest/SecurityInfo.jsm index 95bf38bc4cf6..a5ed7e3a6ab3 100644 --- a/toolkit/components/extensions/webrequest/SecurityInfo.jsm +++ b/toolkit/components/extensions/webrequest/SecurityInfo.jsm @@ -228,7 +228,7 @@ const SecurityInfo = { }, }; if (options.rawDER) { - certData.rawDER = cert.getRawDER({}); + certData.rawDER = cert.getRawDER(); } return certData; }, diff --git a/toolkit/components/reputationservice/ApplicationReputation.cpp b/toolkit/components/reputationservice/ApplicationReputation.cpp index c130bdc0e87e..2c97e58d7c3b 100644 --- a/toolkit/components/reputationservice/ApplicationReputation.cpp +++ b/toolkit/components/reputationservice/ApplicationReputation.cpp @@ -1514,14 +1514,12 @@ nsresult PendingLookup::ParseCertificates(nsIArray* aSigArray) { nsCOMPtr cert = do_QueryInterface(certSupports, &rv); NS_ENSURE_SUCCESS(rv, rv); - uint8_t* data = nullptr; - uint32_t len = 0; - rv = cert->GetRawDER(&len, &data); + nsTArray data; + rv = cert->GetRawDER(data); NS_ENSURE_SUCCESS(rv, rv); // Add this certificate to the protobuf to send remotely. - certChain->add_element()->set_certificate(data, len); - free(data); + certChain->add_element()->set_certificate(data.Elements(), data.Length()); rv = chainElt->HasMoreElements(&hasMoreCerts); NS_ENSURE_SUCCESS(rv, rv); diff --git a/toolkit/components/securityreporter/SecurityReporter.jsm b/toolkit/components/securityreporter/SecurityReporter.jsm index 002276ac531c..a87c846cd995 100644 --- a/toolkit/components/securityreporter/SecurityReporter.jsm +++ b/toolkit/components/securityreporter/SecurityReporter.jsm 
@@ -19,8 +19,7 @@ ChromeUtils.defineModuleGetter(this, "UpdateUtils", "resource://gre/modules/UpdateUtils.jsm"); function getDERString(cert) { - var length = {}; - var derArray = cert.getRawDER(length); + var derArray = cert.getRawDER(); var derString = ""; for (var i = 0; i < derArray.length; i++) { derString += String.fromCharCode(derArray[i]);