der.lisp is only loading a PKCS1/DER-encoded private RSA key, which is a far cry from certificate parsing. (And certificate.lisp just loads a blob.) Granted, for a server which doesn't support mTLS you don't need to parse certificates, or any other complex DER-encoded structures.