diff --git a/include/mbedtls/x509.h b/include/mbedtls/x509.h
index ba2396a5b..7faf176b5 100644
--- a/include/mbedtls/x509.h
+++ b/include/mbedtls/x509.h
@@ -27,7 +27,6 @@
 
 #include "mbedtls/asn1.h"
 #include "mbedtls/pk.h"
-#include "pk_internal.h"
 
 #if defined(MBEDTLS_RSA_C)
 #include "mbedtls/rsa.h"
diff --git a/library/pk.c b/library/pk.c
index d92de6945..7e772829a 100644
--- a/library/pk.c
+++ b/library/pk.c
@@ -23,6 +23,7 @@
 #include "mbedtls/pk.h"
 #include "pk_wrap.h"
 #include "pkwrite.h"
+#include "pk_internal.h"
 
 #include "hash_info.h"
 
diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index d7c47e661..17149c59e 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -55,6 +55,7 @@
 #endif
 
 #include "mbedtls/pk.h"
+#include "pk_internal.h"
 #include "common.h"
 
 /* Shorthand for restartable ECC */
diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c
index 38a3fc422..aa3e306a4 100644
--- a/library/ssl_tls12_server.c
+++ b/library/ssl_tls12_server.c
@@ -2636,7 +2636,7 @@ static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl)
         case MBEDTLS_PK_ECKEY:
         case MBEDTLS_PK_ECKEY_DH:
         case MBEDTLS_PK_ECDSA:
-            key = mbedtls_pk_ec_ro(*pk);
+            key = mbedtls_pk_ec_rw(*pk);
             if (key == NULL) {
                 return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
             }
diff --git a/library/x509_crt.c b/library/x509_crt.c
index 2f6d9248c..34a561359 100644
--- a/library/x509_crt.c
+++ b/library/x509_crt.c
@@ -50,6 +50,7 @@
 #endif /* MBEDTLS_USE_PSA_CRYPTO */
 #include "hash_info.h"
 #include "x509_invasive.h"
+#include "pk_internal.h"
 
 #include "mbedtls/platform.h"