Go TLS x509: no DEK-Info header in block even if using pkcs8

Question

Already burning hours figuring out why I cannot get the certificate using

cert, err := tls.X509KeyPair(blockCrt.Bytes, blockPEM)

A bit of research history I did

• Able to read Understanding PKCS1, PKCS8 and PEM
• Similar issue "No DEK-Info header in block" when attempting to read encrypted private key

I have the similar error if I use "x509.DecryptPEMBlock"

x509: no DEK-Info header in block

So, I changed it and have used the following code with combination of x509.DecrpyPEMBlock and https://github.com/youmark/pkcs8

package main

import (
    "crypto/tls"
    "crypto/x509"
    "encoding/pem"
    "errors"
    "fmt"
)

func main() {

    New()

}

func New() error {
    certPem := []byte(`
-----BEGIN CERTIFICATE-----

... -----END CERTIFICATE----- `)

    keyPem := []byte(`
-----BEGIN ENCRYPTED PRIVATE KEY-----

... -----END ENCRYPTED PRIVATE KEY----- `)

    // DECODE CRT PEM block
    blockCrt, _ := pem.Decode([]byte(certPem))

    // DECODE KEY PEM block
    blockKey, _ := pem.Decode([]byte(keyPem))

    // CHECK ENCRYPTION ON CRT/KEY PEM block
    isKeyEncryptedPem := x509.IsEncryptedPEMBlock(blockKey)
    isCrtyEncryptedPem := x509.IsEncryptedPEMBlock(blockCrt)

    if blockKey == nil || blockCrt == nil {
        fmt.Println("Error: Failed to decode PEM block")
        return errors.New("Error: Failed to decode PEM block")
    }

    // DECRYPT KEY PEM BLOCK WITH PASSPHRASE

    // Using private key
    // decryptPKCS8, err := pkcs8.ParsePKCS8PrivateKey(blockKey.Bytes, []byte(PassPhrase))
    // blockPKCS8, err := x509.MarshalPKCS8PrivateKey(decryptPKCS8)

    // keyPEM := pem.EncodeToMemory(blockPKCS8)

    // Using rsa
    // decryptPKCS8, err := pkcs8.ParsePKCS8PrivateKeyRSA(blockKey.Bytes, []byte(PassPhrase))
    // blockPEM := x509.MarshalPKCS1PrivateKey(decryptPKCS8)

    // blockPEM, err := x509.DecryptPEMBlock(keyPEM, []byte(PassPhrase))
    blockPEM, err := x509.DecryptPEMBlock(blockKey, []byte("password"))

    // decrypedPemBlock, err := x509.DecryptPEMBlock(decryptPKCS8, []byte(PassPhrase))
    // derFmt, err := pkcs8.MarshalPrivateKey(decryptPKCS8, []byte(PassPhrase))

    // fmt.Println("=== decryptPKCS8:", decryptPKCS8)
    fmt.Println("=== isKeyEncryptedPem: ", isKeyEncryptedPem)
    fmt.Println("=== isCrtyEncryptedPem: ", isCrtyEncryptedPem)
    fmt.Println("=== blockCrt: ", blockCrt)
    fmt.Println("=== blockKey: ", blockKey)
    fmt.Println("=== blockPEM: ", blockPEM)

    if err != nil {
        fmt.Println("Error: Decrypt Key Error - ", err)
        return err
    }

    // cert, err := tls.X509KeyPair(certPem, decrypedPemBlock)
    // cert, err := tls.X509KeyPair(certPem, decrypedPemBlock)
    cert, err := tls.X509KeyPair(blockCrt.Bytes, blockPEM)
    // cert, err := tls.X509KeyPair(blockCrt.Bytes, keyPEM)
    // cert, err := tls.X509KeyPair(blockCrt.Bytes, blockKey.Bytes)

    fmt.Println("=== cert: ", cert)

    if err != nil {
        fmt.Println("Error: ", err)
        return err
    }

    return nil
}

However, I still keep hitting a wall and would like to ask if someone know if I missed something?