Your RSA private key is not available in an exported form: it lives inside a smartcard or a secure hardware module. As a consequence you are not able to load it the usual way.
Providing your own functions
mbed TLS has been designed to handle these situations and allows you to set your own functions that it should use for RSA decryption and signing during the SSL handshake.
With PolarSSL 1.2
You can set these functions using ssl_set_own_cert_alt(). This function allows you to provide an arbitrary blob as your RSA private key and accepts function pointers to alternatives of rsa_pkcs1_sign() and a function that returns the length of the RSA key in bytes.
With PolarSSL and mbed TLS 1.3 and later
You can set these functions using mbedtls_pk_setup_rsa_alt() (known as pk_init_ctx_rsa_alt() in the 1.3 branch). This function allows you to provide an arbitrary blob as your RSA private key and accepts function pointers performing decryption and signature and returning the key size as
You can then use the normal mbedtls_set_own_cert() function, as from the perspective of the SSL module, your external RSA private key is just another
In case you are using a smartcard, you don't have to write your own logic: you can use the libpkcs11-helper library.
mbed TLS includes a helper for using libpkcs11-helper when you enable MBEDTLS_PKCS11_C in config.h (see "How do I configure mbed TLS"). This requires the presence of libpkcs11-helper, of course.