diff --git a/src/openvpn/crypto_backend.h b/src/openvpn/crypto_backend.h
index 1eac611..d49344e 100644
--- a/src/openvpn/crypto_backend.h
+++ b/src/openvpn/crypto_backend.h
@@ -52,7 +52,7 @@ void crypto_clear_error (void);
 /*
  * Initialise the given named crypto engine.
  */
-void crypto_init_lib_engine (const char *engine_name);
+void* crypto_init_lib_engine (const char *engine_name);
 
 #ifdef DMALLOC
 /*
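Review bot: The comment above the prototype still reads only "Initialise the given named crypto engine." and says nothing about the value the function now returns. Suggest extending it to `/* Initialise the given named crypto engine. Returns an opaque engine handle (an ENGINE * in the OpenSSL backend), or NULL when engine support is unavailable. */`. Because the return type is `void *`, the assignment to `ENGINE *` in ssl_openssl.c is not type-checked, so the comment is the only place a caller learns what the pointer is.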
diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
index 5342502..7e9617c 100644
--- a/src/openvpn/crypto_openssl.c
+++ b/src/openvpn/crypto_openssl.c
@@ -169,7 +169,7 @@ setup_engine (const char *engine)
 
 #endif /* HAVE_OPENSSL_ENGINE */
 
-void
+void *
 crypto_init_lib_engine (const char *engine_name)
 {
 #if HAVE_OPENSSL_ENGINE
@@ -183,6 +183,7 @@ crypto_init_lib_engine (const char *engine_name)
 #else
   msg (M_WARN, "Note: OpenSSL hardware crypto engine functionality is not available");
 #endif
+  return (void*)engine_persist;
 }
 
 /*
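Review bot: The added `return (void*)engine_persist;` sits after the `#endif`, so it is compiled even when `HAVE_OPENSSL_ENGINE` is off. If `engine_persist` is declared only inside the engine-enabled section (its declaration is outside this hunk), builds without engine support will no longer compile. Returning inside each branch avoids that: `return engine_persist;` before the `#else` and `return NULL;` after the warning; the cast is not needed in C. Since ssl_openssl.c now calls this function at key-load time, also confirm that a second call for an engine already initialised earlier is safe; the part of the body between the two hunks is not shown.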
diff --git a/src/openvpn/crypto_polarssl.c b/src/openvpn/crypto_polarssl.c
index 3978a3c..e537620 100644
--- a/src/openvpn/crypto_polarssl.c
+++ b/src/openvpn/crypto_polarssl.c
@@ -58,11 +58,12 @@
  *
  */
 
-void
+void *
 crypto_init_lib_engine (const char *engine_name)
 {
   msg (M_WARN, "Note: PolarSSL hardware crypto engine functionality is not "
       "available");
+  return NULL;
 }
 
 /*
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index 19512c0..beba78c 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -367,7 +367,7 @@ init_ssl (const struct options *options, struct tls_root_ctx *new_ctx)
       /* Load Private Key */
       if (options->priv_key_file)
 	{
-          if (0 != tls_ctx_load_priv_file(new_ctx, options->priv_key_file, options->priv_key_file_inline))
+            if (0 != tls_ctx_load_priv_file(new_ctx, options->engine, options->priv_key_file, options->priv_key_file_inline))
             goto err;
 	}
     }
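Review bot: Passing `options->engine` as the key engine means every configuration that names an engine now has its private key loaded through that engine. A setup that uses an engine only for acceleration and keeps a PEM key file or an inline key would have `priv_key_file` handed to the engine as a key identifier instead, and may fail to load its key after upgrading. Nothing visible in this hunk lets the operator choose between the two cases, so consider a separate option for engine-held keys and pass NULL otherwise. The changed `if` is also now indented to the same column as the `goto err;` it guards, which makes the body look like a sibling statement.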
diff --git a/src/openvpn/ssl_backend.h b/src/openvpn/ssl_backend.h
index f3e69dd..47b5026 100644
--- a/src/openvpn/ssl_backend.h
+++ b/src/openvpn/ssl_backend.h
@@ -214,7 +214,9 @@ void tls_ctx_free_cert_file (openvpn_x509_cert_t *x509);
  * @return 			1 if an error occurred, 0 if parsing was
  * 				successful.
  */
-int tls_ctx_load_priv_file (struct tls_root_ctx *ctx, const char *priv_key_file
+int tls_ctx_load_priv_file (struct tls_root_ctx *ctx,
+                            const char *priv_key_engine,
+                            const char *priv_key_file
 #if ENABLE_INLINE_FILES
     , const char *priv_key_file_inline
 #endif
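Review bot: The new `priv_key_engine` parameter has no `@param` entry in the Doxygen block above the prototype, which begins outside this hunk. Suggest adding `@param priv_key_engine  Name of the crypto engine to load the key from, or NULL to read priv_key_file as a PEM file.` The `priv_key_file` entry should also say that, when an engine is given, the OpenSSL backend passes the string to the engine as the key identifier rather than reading it as PEM.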
diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index 8f35325..d754f03 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -437,7 +437,8 @@ tls_ctx_free_cert_file (X509 *x509)
 }
 
 int
-tls_ctx_load_priv_file (struct tls_root_ctx *ctx, const char *priv_key_file
+tls_ctx_load_priv_file (struct tls_root_ctx *ctx, const char *priv_key_engine,
+                        const char *priv_key_file
 #if ENABLE_INLINE_FILES
     , const char *priv_key_file_inline
 #endif
@@ -463,9 +464,27 @@ tls_ctx_load_priv_file (struct tls_root_ctx *ctx, const char *priv_key_file
   if (!in)
     goto end;
 
-  pkey = PEM_read_bio_PrivateKey (in, NULL,
-                                  ssl_ctx->default_passwd_callback,
-                                  ssl_ctx->default_passwd_callback_userdata);
+  if (priv_key_engine) {
+#ifdef HAVE_OPENSSL_ENGINE
+    ENGINE *engine;
+
+    engine = crypto_init_lib_engine(priv_key_engine);
+    if (!engine) {
+      msg (M_WARN|M_SSL, "Cannot init engine %s", priv_key_engine);
+      goto end;
+    }
+    pkey = ENGINE_load_private_key(engine, priv_key_file, UI_OpenSSL(), NULL);
+#else
+    msg (M_WARN, "Note: Hardware crypto engine functionality is not "
+         "available");
+    goto end;
+#endif /* HAVE_OPENSSL_ENGINE */
+  } else {
+    pkey = PEM_read_bio_PrivateKey (in, NULL,
+                                    ssl_ctx->default_passwd_callback,
+                                    ssl_ctx->default_passwd_callback_userdata);
+  }
+
   if (!pkey)
     goto end;
 
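Review bot: The engine branch passes `UI_OpenSSL()` and a NULL callback argument to `ENGINE_load_private_key`, while the PEM branch uses `ssl_ctx->default_passwd_callback` and its userdata, so a PIN or passphrase prompt for an engine-held key goes through OpenSSL's default console UI instead of the password handling configured on the context. That may not work when the process has no terminal, and it splits credential entry across two paths; a UI method that forwards to the same callback would keep one. The guard is `#ifdef HAVE_OPENSSL_ENGINE` whereas crypto_openssl.c and ssl_openssl.h test `#if HAVE_OPENSSL_ENGINE`; use `#if HAVE_OPENSSL_ENGINE` here so a value of 0 does not compile this branch without `<openssl/engine.h>`. The branch is also reached only after `if (!in) goto end;`, so `priv_key_file` apparently still has to open as a file even when it names an engine key; the code that creates `in` is outside the hunk.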
diff --git a/src/openvpn/ssl_openssl.h b/src/openvpn/ssl_openssl.h
index fc2052c..bfc5715 100644
--- a/src/openvpn/ssl_openssl.h
+++ b/src/openvpn/ssl_openssl.h
@@ -32,6 +32,10 @@
 
 #include <openssl/ssl.h>
 
+#if HAVE_OPENSSL_ENGINE
+#include <openssl/engine.h>
+#endif
+
 /**
  * Structure that wraps the TLS context. Contents differ depending on the
  * SSL library used.
diff --git a/src/openvpn/ssl_polarssl.c b/src/openvpn/ssl_polarssl.c
index fc8fa6e..45960d0 100644
--- a/src/openvpn/ssl_polarssl.c
+++ b/src/openvpn/ssl_polarssl.c
@@ -276,7 +276,8 @@ tls_ctx_free_cert_file (openvpn_x509_cert_t *x509)
 }
 
 int
-tls_ctx_load_priv_file (struct tls_root_ctx *ctx, const char *priv_key_file
+tls_ctx_load_priv_file (struct tls_root_ctx *ctx, const char *priv_key_engine,
+                        const char *priv_key_file
 #if ENABLE_INLINE_FILES
     , const char *priv_key_file_inline
 #endif /* ENABLE_INLINE_FILES */
