Using an external RSA private key
The RSA private key is not available in exported form. It is located inside a smartcard or in a secure hardware module. Therefore, you are not able to load it the usual way.
Providing your own functions
Mbed TLS is designed for this, and allows you to set your own functions to be used for RSA decryption and signing during the SSL handshake.
Set these functions by using mbedtls_pk_setup_rsa_alt(). It lets your application hand over an arbitrary, opaque blob as the RSA private key, together with function pointers that perform decryption and signing and one that reports the key size; Mbed TLS never needs to see the key material itself.
You can then register the resulting context with the normal mbedtls_ssl_conf_own_cert() function. From the perspective of the SSL module, the external RSA private key is just another PK context.
If you are using a smartcard, you don't have to write your own logic. Mbed TLS includes a helper for the libpkcs11-helper library, which you enable with the corresponding option in config.h. See How do I configure Mbed TLS.