Rats, you beat me to it. It seems to work if I just give the same, combined file as the argument to both the key_file and cert_file parameters. (that's not to say that it doesn't work if I do something else). In my case, the passphrase is packaged up in the xml payload and sent over. Thank you everyone.