diff --git a/client/common/cmdline.c b/client/common/cmdline.c
index 6f54f6e05..2d06b54a7 100644
--- a/client/common/cmdline.c
+++ b/client/common/cmdline.c
@@ -777,41 +777,13 @@ fail:
 
 static BOOL read_pem_file(rdpSettings* settings, size_t id, const char* file)
 {
-	INT64 s;
-	int rs;
-	size_t fr;
-	char* ptr;
-	BOOL rc = FALSE;
-	FILE* fp = winpr_fopen(file, "r");
-	if (!fp)
-		goto fail;
-	rs = _fseeki64(fp, 0, SEEK_END);
-	if (rs < 0)
-		goto fail;
-	s = _ftelli64(fp);
-	if (s < 0)
-		goto fail;
-	rs = _fseeki64(fp, 0, SEEK_SET);
-	if (rs < 0)
-		goto fail;
+	size_t length = 0;
+	char* pem = crypto_read_pem(file, &length);
+	if (!pem || (length == 0))
+		return FALSE;
 
-	if (!freerdp_settings_set_string_len(settings, id, NULL, (size_t)s + 1ull))
-		goto fail;
-
-	ptr = freerdp_settings_get_string_writable(settings, id);
-	fr = fread(ptr, (size_t)s, 1, fp);
-	if (fr != 1)
-		goto fail;
-	rc = TRUE;
-fail:
-	if (!rc)
-	{
-		char buffer[8192] = { 0 };
-		WLog_WARN(TAG, "Failed to read file '%s' [%s]", file,
-		          winpr_strerror(errno, buffer, sizeof(buffer)));
-	}
-	if (fp)
-		fclose(fp);
+	BOOL rc = freerdp_settings_set_string_len(settings, id, pem, length);
+	free(pem);
 	return rc;
 }
 
diff --git a/libfreerdp/core/smartcardlogon.c b/libfreerdp/core/smartcardlogon.c
index edafba6fc..32aa8410e 100644
--- a/libfreerdp/core/smartcardlogon.c
+++ b/libfreerdp/core/smartcardlogon.c
@@ -29,6 +29,7 @@
 #include <winpr/print.h>
 
 #include <freerdp/utils/smartcardlogon.h>
+#include <freerdp/crypto/crypto.h>
 
 #include <openssl/obj_mac.h>
 
@@ -525,20 +526,6 @@ out:
 	return ret;
 }
 
-static BOOL write_pem(const char* file, const char* pem)
-{
-	WINPR_ASSERT(file);
-	WINPR_ASSERT(pem);
-
-	size_t rc, size = strlen(pem) + 1;
-	FILE* fp = winpr_fopen(file, "w");
-	if (!fp)
-		return FALSE;
-	rc = fwrite(pem, 1, size, fp);
-	fclose(fp);
-	return rc == size;
-}
-
 static char* create_temporary_file(void)
 {
 	BYTE buffer[32];
@@ -593,12 +580,12 @@ static SmartcardCertInfo* smartcardCertInfo_New(const char* privKeyPEM, const ch
 	 */
 	info->keyPath = create_temporary_file();
 	WLog_DBG(TAG, "writing PKINIT key to %s", info->keyPath);
-	if (!write_pem(info->keyPath, privKeyPEM))
+	if (!crypto_write_pem(info->keyPath, privKeyPEM, strlen(privKeyPEM)))
 		goto fail;
 
 	info->certPath = create_temporary_file();
 	WLog_DBG(TAG, "writing PKINIT cert to %s", info->certPath);
-	if (!write_pem(info->certPath, certPEM))
+	if (!crypto_write_pem(info->certPath, certPEM, strlen(certPEM)))
 		goto fail;
 
 	int res = allocating_sprintf(&cert->pkinitArgs, "FILE:%s,%s", info->certPath, info->keyPath);