diff --git a/webrtc/api/dtlsidentitystore.cc b/webrtc/api/dtlsidentitystore.cc index bdccc10c1b..3652e21877 100644 --- a/webrtc/api/dtlsidentitystore.cc +++ b/webrtc/api/dtlsidentitystore.cc @@ -31,6 +31,50 @@ enum { MSG_GENERATE_IDENTITY_RESULT }; +// A |DtlsIdentityRequestObserver| that informs an +// |RTCCertificateGeneratorCallback| of the result of an identity request. On +// success, a certificate is created using the identity before passing it to +// the callback. +class RTCCertificateStoreCallbackObserver + : public webrtc::DtlsIdentityRequestObserver { + public: + RTCCertificateStoreCallbackObserver( + const rtc::scoped_refptr& callback) + : callback_(callback) {} + + private: + void OnFailure(int error) override { + LOG(LS_WARNING) << "DtlsIdentityRequestObserver failure code: " << error; + Callback(nullptr); + } + void OnSuccess(const std::string& der_cert, + const std::string& der_private_key) override { + std::string pem_cert = rtc::SSLIdentity::DerToPem( + rtc::kPemTypeCertificate, + reinterpret_cast(der_cert.data()), + der_cert.length()); + std::string pem_key = rtc::SSLIdentity::DerToPem( + rtc::kPemTypeRsaPrivateKey, + reinterpret_cast(der_private_key.data()), + der_private_key.length()); + std::unique_ptr identity( + rtc::SSLIdentity::FromPEMStrings(pem_key, pem_cert)); + OnSuccess(std::move(identity)); + } + void OnSuccess(std::unique_ptr identity) override { + Callback(rtc::RTCCertificate::Create(std::move(identity))); + } + + void Callback(rtc::scoped_refptr certificate) { + if (certificate) + callback_->OnSuccess(certificate); + else + callback_->OnFailure(); + } + + rtc::scoped_refptr callback_; +}; + } // namespace // This class runs on the worker thread to generate the identity. It's necessary 
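Review bot: The string overload `OnSuccess(const std::string& der_cert, const std::string& der_private_key)` passes the result of `rtc::SSLIdentity::FromPEMStrings(pem_key, pem_cert)` to the `unique_ptr` overload without checking it, so if parsing fails (factory functions in this tree presumably return null) a null identity reaches `rtc::RTCCertificate::Create`, and the `if (certificate)` guard in `Callback` would not catch that; add `if (!identity) { Callback(nullptr); return; }` before `OnSuccess(std::move(identity))`. The same overload hard-codes `rtc::kPemTypeRsaPrivateKey` for the key, yet the store is asked for a `rtc::KeyType` (see the next hunk), so a non-RSA key would be labelled with the wrong PEM type; either derive the PEM type from the key type if it is available here, or add a comment stating the RSA-only assumption. Also worth a one-line comment that `pem_key` is a plain `std::string` holding private key material, which is not scrubbed when the function returns — that matches how `der_private_key` already arrives, but the next maintainer should know this path handles key material.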
@@ -148,7 +192,7 @@ bool DtlsIdentityStoreImpl::HasFreeIdentityForTesting( void DtlsIdentityStoreImpl::GenerateIdentity( rtc::KeyType key_type, - const rtc::scoped_refptr& observer) { + const rtc::scoped_refptr& observer) { RTC_DCHECK(signaling_thread_->IsCurrent()); // Enqueue observer to be informed when generation of |key_type| is completed. @@ -228,4 +272,20 @@ void DtlsIdentityStoreImpl::OnIdentityGenerated( } } +RTCCertificateGeneratorStoreWrapper::RTCCertificateGeneratorStoreWrapper( + std::unique_ptr store) + : store_(std::move(store)) { + RTC_DCHECK(store_); +} + +void RTCCertificateGeneratorStoreWrapper::GenerateCertificateAsync( + const rtc::KeyParams& key_params, + const rtc::Optional& expires_ms, + const rtc::scoped_refptr& callback) { + store_->RequestIdentity( + key_params, + expires_ms, + new rtc::RefCountedObject(callback)); +} + } // namespace webrtc diff --git a/webrtc/api/dtlsidentitystore.h b/webrtc/api/dtlsidentitystore.h index e25b79591a..3384341e6b 100644 --- a/webrtc/api/dtlsidentitystore.h +++ b/webrtc/api/dtlsidentitystore.h @@ -20,6 +20,7 @@ #include "webrtc/base/messagequeue.h" #include "webrtc/base/optional.h" #include "webrtc/base/refcount.h" +#include "webrtc/base/rtccertificategenerator.h" #include "webrtc/base/scoped_ref_ptr.h" #include "webrtc/base/sslidentity.h" #include "webrtc/base/thread.h" 
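Review bot: `RTCCertificateGeneratorStoreWrapper::GenerateCertificateAsync` forwards straight to `store_->RequestIdentity` with no thread-affinity check or comment, while the interface it implements requires the call on the signaling thread and the hunk above shows `DtlsIdentityStoreImpl::GenerateIdentity` enforcing that with `RTC_DCHECK(signaling_thread_->IsCurrent())`; whether `RequestIdentity` reaches that check is not visible here. A comment such as `// Thread affinity is delegated to the store: |RequestIdentity| is expected to be called on the signaling thread and to deliver the observer's callbacks there.` would record the assumption, or the wrapper could take the signaling thread and check it itself. The constructor's `RTC_DCHECK(store_)` is debug-only, so a null store in a release build surfaces only as a null dereference on the first request; if a release-mode check macro is acceptable in this tree, prefer it. Note also that `new rtc::RefCountedObject<RTCCertificateStoreCallbackObserver>(callback)` does not validate `callback`, and a null callback would be dereferenced later inside the observer's `Callback`, so either document that `callback` must be non-null or check it up front.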
@@ -131,6 +132,27 @@ class DtlsIdentityStoreImpl : public DtlsIdentityStoreInterface, RequestInfo request_info_[rtc::KT_LAST]; }; +// Implements the |RTCCertificateGeneratorInterface| using the old |SSLIdentity| +// generator API, |DtlsIdentityStoreInterface|. This will be used while +// transitioning from store to generator, see bugs.webrtc.org/5707, +// bugs.webrtc.org/5708. Once those bugs have been fixed, this will be removed. +class RTCCertificateGeneratorStoreWrapper + : public rtc::RTCCertificateGeneratorInterface { + public: + RTCCertificateGeneratorStoreWrapper( + std::unique_ptr store); + + // |RTCCertificateGeneratorInterface| overrides. + void GenerateCertificateAsync( + const rtc::KeyParams& key_params, + const rtc::Optional& expires_ms, + const rtc::scoped_refptr& callback) + override; + + private: + const std::unique_ptr store_; +}; + } // namespace webrtc #endif // WEBRTC_API_DTLSIDENTITYSTORE_H_ diff --git a/webrtc/base/rtccertificategenerator.h b/webrtc/base/rtccertificategenerator.h index 08fe67108d..c131d695fd 100644 --- a/webrtc/base/rtccertificategenerator.h +++ b/webrtc/base/rtccertificategenerator.h @@ -20,6 +20,7 @@ namespace rtc { +// See |RTCCertificateGeneratorInterface::GenerateCertificateAsync|. class RTCCertificateGeneratorCallback : public RefCountInterface { public: virtual void OnSuccess( 
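Review bot: The single-argument constructor of `RTCCertificateGeneratorStoreWrapper` is not `explicit`, so a `unique_ptr` to the store (the template argument is presumably `DtlsIdentityStoreInterface`, per the class comment) would convert implicitly into a wrapper; change it to `explicit RTCCertificateGeneratorStoreWrapper(std::unique_ptr<DtlsIdentityStoreInterface> store);`. The class comment explains the transition plan but says nothing about threading or callback delivery; one sentence that calls and callbacks follow the interface's signaling-thread contract only as far as the wrapped store honours it would help callers. The `store_` member could carry a short comment, e.g. `// Owned store that every certificate request is forwarded to.`.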
@@ -31,10 +32,27 @@ class RTCCertificateGeneratorCallback : public RefCountInterface { }; // Generates |RTCCertificate|s. +// See |RTCCertificateGenerator| for the WebRTC repo's implementation. +class RTCCertificateGeneratorInterface { + public: + virtual ~RTCCertificateGeneratorInterface() {} + + // Generates a certificate asynchronously on the worker thread. + // Must be called on the signaling thread. The |callback| is invoked with the + // result on the signaling thread. |exipres_ms| optionally specifies for how + // long we want the certificate to be valid, but the implementation may choose + // its own restrictions on the expiration time. + virtual void GenerateCertificateAsync( + const KeyParams& key_params, + const Optional& expires_ms, + const scoped_refptr& callback) = 0; +}; + +// Standard implementation of |RTCCertificateGeneratorInterface|. // The static function |GenerateCertificate| generates a certificate on the // current thread. The |RTCCertificateGenerator| instance generates certificates // asynchronously on the worker thread with |GenerateCertificateAsync|. -class RTCCertificateGenerator { +class RTCCertificateGenerator : public RTCCertificateGeneratorInterface { public: // Generates a certificate on the current thread. Returns null on failure. // If |expires_ms| is specified, the certificate will expire in approximately 
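Review bot: The new comment on `RTCCertificateGeneratorInterface::GenerateCertificateAsync` misspells the parameter as `|exipres_ms|`; it should read `|expires_ms|` so the reference matches the signature. The comment also does not say what happens on failure — the callback type in this file has an `OnFailure()` as well as `OnSuccess`, and the store-backed wrapper in dtlsidentitystore.cc calls `callback_->OnFailure()` when no certificate was produced — so state that `OnFailure()` is invoked, on the signaling thread, when no certificate could be generated. Since the comment lets implementations impose their own restrictions on `expires_ms`, add a caveat that callers who depend on a particular validity period must inspect the returned certificate's expiration rather than trust the requested value, because the certificate may be valid for longer or shorter than asked.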
@@ -46,18 +64,17 @@ class RTCCertificateGenerator { const Optional& expires_ms); RTCCertificateGenerator(Thread* signaling_thread, Thread* worker_thread); + ~RTCCertificateGenerator() override {} - // Generates a certificate asynchronously on the worker thread. - // Must be called on the signaling thread. The |callback| is invoked with the - // result on the signaling thread. If |expires_ms| is specified, the - // certificate will expire in approximately that many milliseconds from now. - // |expires_ms| is limited to a year, a larger value than that is clamped down - // to a year. If |expires_ms| is not specified, a default expiration time is - // used. + // |RTCCertificateGeneratorInterface| overrides. + // If |expires_ms| is specified, the certificate will expire in approximately + // that many milliseconds from now. |expires_ms| is limited to a year, a + // larger value than that is clamped down to a year. If |expires_ms| is not + // specified, a default expiration time is used. void GenerateCertificateAsync( const KeyParams& key_params, const Optional& expires_ms, - const scoped_refptr& callback); + const scoped_refptr& callback) override; private: Thread* const signaling_thread_;
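Review bot: `~RTCCertificateGenerator() override {}` is an empty user-provided destructor; `~RTCCertificateGenerator() override = default;` is the idiomatic spelling and says the same thing more clearly. The retained comment states that a default expiration time is used when `expires_ms` is absent but does not say what it is; naming the default (or the constant that defines it) in the comment would let callers and reviewers judge the certificate lifetime without reading the .cc, which matters here because the clamp-to-a-year rule shows lifetime is a deliberate policy.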