diff --git a/httplib.h b/httplib.h
index 00195dc..e2ca133 100644
--- a/httplib.h
+++ b/httplib.h
@@ -365,6 +365,12 @@ using socket_t = int;
 #endif // CPPHTTPLIB_OPENSSL_SUPPORT
 
 #ifdef CPPHTTPLIB_MBEDTLS_SUPPORT
+#include <mbedtls/version.h>
+#if MBEDTLS_VERSION_MAJOR >= 3
+#include <mbedtls/build_info.h>
+#else
+#include <mbedtls/config.h>
+#endif
 #include <mbedtls/ctr_drbg.h>
 #include <mbedtls/entropy.h>
 #include <mbedtls/error.h>
@@ -377,6 +383,12 @@ using socket_t = int;
 #include <mbedtls/sha512.h>
 #include <mbedtls/ssl.h>
 #include <mbedtls/x509_crt.h>
+
+// Define macro for encrypted private key support
+// PKCS#8 encrypted keys require MBEDTLS_PKCS5_C
+#if defined(MBEDTLS_PKCS5_C)
+#define CPPHTTPLIB_MBEDTLS_ENCRYPTED_KEY_SUPPORT
+#endif
 #ifdef _WIN32
 #include <wincrypt.h>
 #ifdef _MSC_VER
diff --git a/test/test.cc b/test/test.cc
index 1d84d56..6f15822 100644
--- a/test/test.cc
+++ b/test/test.cc
@@ -2530,6 +2530,11 @@ TEST(BindServerTest, BindAndListenSeparatelySSL) {
 
 #ifdef CPPHTTPLIB_SSL_ENABLED
 TEST(BindServerTest, BindAndListenSeparatelySSLEncryptedKey) {
+  // Skip if Mbed TLS without PKCS5 support (required for encrypted keys)
+#if defined(CPPHTTPLIB_MBEDTLS_SUPPORT) &&                                     \
+    !defined(CPPHTTPLIB_MBEDTLS_ENCRYPTED_KEY_SUPPORT)
+  GTEST_SKIP() << "Mbed TLS PKCS5 support not available";
+#endif
   SSLServer svr(SERVER_ENCRYPTED_CERT_FILE, SERVER_ENCRYPTED_PRIVATE_KEY_FILE,
                 nullptr, nullptr, SERVER_ENCRYPTED_PRIVATE_KEY_PASS);
   int port = svr.bind_to_any_port("0.0.0.0");
@@ -8827,6 +8832,11 @@ TEST(SSLClientServerTest, ClientCertPresent) {
 }
 
 TEST(SSLClientServerTest, ClientEncryptedCertPresent) {
+  // Skip if Mbed TLS without PKCS5 support (required for encrypted keys)
+#if defined(CPPHTTPLIB_MBEDTLS_SUPPORT) &&                                     \
+    !defined(CPPHTTPLIB_MBEDTLS_ENCRYPTED_KEY_SUPPORT)
+  GTEST_SKIP() << "Mbed TLS PKCS5 support not available";
+#endif
   ClientCertPresent(CLIENT_ENCRYPTED_CERT_FILE,
                     CLIENT_ENCRYPTED_PRIVATE_KEY_FILE,
                     CLIENT_ENCRYPTED_PRIVATE_KEY_PASS);
@@ -8897,6 +8907,11 @@ TEST(SSLClientServerTest, PemMemoryClientCertPresent) {
 }
 
 TEST(SSLClientServerTest, PemMemoryClientEncryptedCertPresent) {
+  // Skip if Mbed TLS without PKCS5 support (required for encrypted keys)
+#if defined(CPPHTTPLIB_MBEDTLS_SUPPORT) &&                                     \
+    !defined(CPPHTTPLIB_MBEDTLS_ENCRYPTED_KEY_SUPPORT)
+  GTEST_SKIP() << "Mbed TLS PKCS5 support not available";
+#endif
   PemMemoryClientCertPresent(CLIENT_ENCRYPTED_CERT_FILE,
                              CLIENT_ENCRYPTED_PRIVATE_KEY_FILE,
                              CLIENT_ENCRYPTED_PRIVATE_KEY_PASS);