I found that .crt files written with writeX509 are rejected by SSL_load_client_CA_file and SSL_CTX_use_certificate_file because they have incorrect start lines ("TRUSTED CERTIFICATE" vs just "CERTIFICATE"). I checked the code and it seems that for some reason read/writeX509 use PEM_read/write_bio_X509_AUX instead of PEM_read/write_bio_X509.
Fix X509 PEM reading/writing.
Merged. I think I am the one who chose _AUX but I can't remeber why I did so. Thank you for your patch.