- Type: Improvement
- Resolution: Won't Do
- Priority: Minor - P4
- Affects Version/s: None
- Component/s: Documentation

Go's crypto library is stricter than other libraries in how it decodes PEM files. In particular, some libraries in the wild are known to generate PEM files with "non minimally-encoded integers". The Go driver will error consuming such files with the message "tls: failed to parse private key". (Several such keys exist in the mongo-tools and MongoDB server repository, which is how I discovered this issue.)
Because these client PEM files work fine with more lax TLS libraries like OpenSSL, users might be confused/surprised/frustrated that they work elsewhere but fail to work with the Go driver. We should document this as a known issue.
Reference: issue#17279
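
To find out whether a PEM file is affected, the following added example (not code from the ticket, the Go driver or Go's crypto library) walks the DER inside the first PEM block and reports the byte offset of every INTEGER that carries a redundant leading 0x00 or 0xFF byte. The names `nonMinimalInts`, `CheckPEM` and `constructedSample` are hypothetical, and the sample is a constructed three-integer structure, not a real key.

```go
package main

import (
	"encoding/asn1"
	"encoding/pem"
	"errors"
	"fmt"
)

// nonMinimalInts walks DER data and returns the byte offsets of INTEGERs whose
// content begins with a redundant 0x00 or 0xFF byte (not minimally encoded).
func nonMinimalInts(der []byte, base int) ([]int, error) {
	var bad []int
	for off := 0; off < len(der); {
		var v asn1.RawValue // RawValue parses only the tag and length header
		if _, err := asn1.Unmarshal(der[off:], &v); err != nil {
			return bad, err
		}
		b, universal := v.Bytes, v.Class == asn1.ClassUniversal
		hdr := len(v.FullBytes) - len(b)
		switch {
		case universal && v.Tag == asn1.TagInteger:
			if len(b) > 1 && ((b[0] == 0x00 && b[1] < 0x80) || (b[0] == 0xff && b[1] >= 0x80)) {
				bad = append(bad, base+off)
			}
		case v.IsCompound || (universal && v.Tag == asn1.TagOctetString && len(b) > 0 && b[0] == 0x30):
			// Descend into SEQUENCEs and into OCTET STRINGs that wrap a key (PKCS#8).
			inner, _ := nonMinimalInts(b, base+off+hdr)
			bad = append(bad, inner...)
		}
		off += len(v.FullBytes)
	}
	return bad, nil
}

// CheckPEM decodes the first PEM block and reports its non-minimal INTEGERs.
func CheckPEM(data []byte) ([]int, error) {
	block, _ := pem.Decode(data)
	if block == nil {
		return nil, errors.New("no PEM block found")
	}
	return nonMinimalInts(block.Bytes, 0)
}
// constructedSample: SEQUENCE { INTEGER 0, INTEGER 00 01 (padded), INTEGER 00 80 (minimal) }.
func constructedSample() []byte {
	der := []byte{0x30, 0x0b, 0x02, 0x01, 0x00, 0x02, 0x02, 0x00, 0x01, 0x02, 0x02, 0x00, 0x80}
	return pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: der})
}
func main() { fmt.Println(CheckPEM(constructedSample())) }
```

An empty result means no padded INTEGER was found. A non-empty result lists offsets into the decoded DER, which can be compared against an ASN.1 dump of the key to see which field needs re-encoding.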