Index: tls.c
==================================================================
--- tls.c
+++ tls.c
@@ -1085,10 +1085,11 @@
 Tcl_Interp *interp = statePtr->interp;
 SSL_CTX *ctx = NULL;
 Tcl_DString ds;
 Tcl_DString ds1;
 int off = 0;
+ int load_private_key;
 const SSL_METHOD *method;
 dprintf("Called");
 if (!proto) {
@@ -1264,11 +1265,14 @@
 DH_free(dh);
 }
 #endif
 /* set our certificate */
+ load_private_key = 0;
 if (certfile != NULL) {
+ load_private_key = 1;
+ Tcl_DStringInit(&ds);
 if (SSL_CTX_use_certificate_file(ctx, F2N( certfile, &ds), SSL_FILETYPE_PEM) <= 0) {
 Tcl_DStringFree(&ds);
@@ -1277,10 +1281,11 @@
 REASON(), (char *) NULL);
 SSL_CTX_free(ctx);
 return (SSL_CTX *)0;
 }
 } else if (cert != NULL) {
+ load_private_key = 1;
 if (SSL_CTX_use_certificate_ASN1(ctx, cert_len, cert) <= 0) {
 Tcl_DStringFree(&ds);
 Tcl_AppendResult(interp, "unable to set certificate: ",
 REASON(), (char *) NULL);
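Review bot: `load_private_key` is declared without an initialiser in the first hunk and only zeroed at `/* set our certificate */` in the second; initialising it at the declaration, `int load_private_key = 0;`, keeps the flag defined throughout the function and makes the separate `load_private_key = 0;` line unnecessary. In the second and third hunks the flag is raised before `SSL_CTX_use_certificate_file` / `SSL_CTX_use_certificate_ASN1` have succeeded; that is harmless today because every failure path returns NULL, but setting it right after each success check would state the invariant it carries (a certificate is now loaded into `ctx`) directly in the code, e.g. `load_private_key = 1; /* cert loaded: a matching private key is now mandatory */`. The enclosing function starts before the first hunk and continues past the third.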
@@ -1302,50 +1307,52 @@
 #endif
 }
 }
 /* set our private key */
- if (keyfile == NULL && key == NULL) {
- keyfile = certfile;
- }
-
- if (keyfile != NULL) {
- /* get the private key associated with this certificate */
- if (keyfile == NULL) {
- keyfile = certfile;
- }
-
- if (SSL_CTX_use_PrivateKey_file(ctx, F2N( keyfile, &ds),
- SSL_FILETYPE_PEM) <= 0) {
- Tcl_DStringFree(&ds);
- /* flush the passphrase which might be left in the result */
- Tcl_SetResult(interp, NULL, TCL_STATIC);
- Tcl_AppendResult(interp,
- "unable to set public key file ", keyfile, " ",
- REASON(), (char *) NULL);
- SSL_CTX_free(ctx);
- return (SSL_CTX *)0;
- }
- Tcl_DStringFree(&ds);
+ if (load_private_key) {
+ if (keyfile == NULL && key == NULL) {
+ keyfile = certfile;
+ }
+
+ if (keyfile != NULL) {
+ /* get the private key associated with this certificate */
+ if (keyfile == NULL) {
+ keyfile = certfile;
+ }
+
+ if (SSL_CTX_use_PrivateKey_file(ctx, F2N( keyfile, &ds), SSL_FILETYPE_PEM) <= 0) {
+ Tcl_DStringFree(&ds);
+ /* flush the passphrase which might be left in the result */
+ Tcl_SetResult(interp, NULL, TCL_STATIC);
+ Tcl_AppendResult(interp,
+ "unable to set public key file ", keyfile, " ",
+ REASON(), (char *) NULL);
+ SSL_CTX_free(ctx);
+ return (SSL_CTX *)0;
+ }
+
+ Tcl_DStringFree(&ds);
+ } else if (key != NULL) {
+ if (SSL_CTX_use_PrivateKey_ASN1(EVP_PKEY_RSA, ctx, key,key_len) <= 0) {
+ Tcl_DStringFree(&ds);
+ /* flush the passphrase which might be left in the result */
+ Tcl_SetResult(interp, NULL, TCL_STATIC);
+ Tcl_AppendResult(interp,
+ "unable to set public key: ",
+ REASON(), (char *) NULL);
+ SSL_CTX_free(ctx);
+ return (SSL_CTX *)0;
+ }
+ }
 /* Now we know that a key and cert have been set against
 * the SSL context */
 if (!SSL_CTX_check_private_key(ctx)) {
 Tcl_AppendResult(interp,
 "private key does not match the certificate public key",
 (char *) NULL);
 SSL_CTX_free(ctx);
- return (SSL_CTX *)0;
- }
- } else if (key != NULL) {
- if (SSL_CTX_use_PrivateKey_ASN1(EVP_PKEY_RSA, 
ctx, key,key_len) <= 0) {
- Tcl_DStringFree(&ds);
- /* flush the passphrase which might be left in the result */
- Tcl_SetResult(interp, NULL, TCL_STATIC);
- Tcl_AppendResult(interp,
- "unable to set public key: ",
- REASON(), (char *) NULL);
- SSL_CTX_free(ctx);
 return (SSL_CTX *)0;
 }
 }
 /* Set verification CAs */
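Review bot: With a DER certificate (`cert != NULL`, the third hunk) and neither `key` nor `keyfile` given, the fallback `keyfile = certfile;` assigns NULL, so neither key branch runs and control reaches `SSL_CTX_check_private_key`, which then reports `private key does not match the certificate public key` although no key was loaded at all; a guard between the fallback and the two branches fails just as safely but tells the caller what is actually missing (below). The inner `if (keyfile == NULL) { keyfile = certfile; }` inside `if (keyfile != NULL)` can never fire and could be dropped. On the `key != NULL` error path `Tcl_DStringFree(&ds)` runs on a `ds` that nothing in these hunks has initialised (the second hunk only does `Tcl_DStringInit(&ds)` in the `certfile` branch), so unless code between the hunks initialises it that call reads an uninitialised Tcl_DString; the free is only needed after `F2N` on the `keyfile` path. The enclosing function starts before the first hunk and ends after this one.
```c
if (load_private_key) {
	if (keyfile == NULL && key == NULL) {
		keyfile = certfile;
	}

	/* A DER cert with no key/keyfile leaves both NULL: report that
	 * instead of letting SSL_CTX_check_private_key report a mismatch. */
	if (keyfile == NULL && key == NULL) {
		Tcl_AppendResult(interp,
			"certificate set but no private key supplied",
			(char *) NULL);
		SSL_CTX_free(ctx);
		return (SSL_CTX *)0;
	}
	/* … unchanged: keyfile / key loading and SSL_CTX_check_private_key … */
```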