diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
index 5342502..40999fe 100644
--- a/src/openvpn/crypto_openssl.c
+++ b/src/openvpn/crypto_openssl.c
@@ -115,7 +115,7 @@ cipher_ok (const char* name)
 
 static bool engine_initialized = false; /* GLOBAL */
 
-static ENGINE *engine_persist = NULL;   /* GLOBAL */
+ENGINE *engine_persist = NULL;   /* GLOBAL */
 
 /* Try to load an engine in a shareable library */
 static ENGINE *
diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index 8f35325..320fd20 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -463,9 +463,19 @@ tls_ctx_load_priv_file (struct tls_root_ctx *ctx, const char *priv_key_file
   if (!in)
     goto end;
 
-  pkey = PEM_read_bio_PrivateKey (in, NULL,
-                                  ssl_ctx->default_passwd_callback,
-                                  ssl_ctx->default_passwd_callback_userdata);
+#ifdef HAVE_OPENSSL_ENGINE
+  if (engine_persist) {
+    pkey = ENGINE_load_private_key(engine_persist, priv_key_file,
+                                   UI_OpenSSL(), NULL);
+  } else {
+#else
+  {
+#endif /* HAVE_OPENSSL_ENGINE */
+    pkey = PEM_read_bio_PrivateKey (in, NULL,
+                                    ssl_ctx->default_passwd_callback,
+                                    ssl_ctx->default_passwd_callback_userdata);
+  }
+
   if (!pkey)
     goto end;
 
diff --git a/src/openvpn/ssl_openssl.h b/src/openvpn/ssl_openssl.h
index fc2052c..59a1e47 100644
--- a/src/openvpn/ssl_openssl.h
+++ b/src/openvpn/ssl_openssl.h
@@ -32,6 +32,10 @@
 
 #include <openssl/ssl.h>
 
+#if HAVE_OPENSSL_ENGINE
+#include <openssl/engine.h>
+#endif
+
 /**
  * Structure that wraps the TLS context. Contents differ depending on the
  * SSL library used.
@@ -52,6 +56,9 @@ struct key_state_ssl {
  * pointer back to parent.
  */
 extern int mydata_index; /* GLOBAL */
+#ifdef HAVE_OPENSSL_ENGINE
+extern ENGINE *engine_persist; /* GLOBAL */
+#endif
 
 void openssl_set_mydata_index (void);