Get correct GOST private key instead of just assuming the last one is

correct: this isn't always true if we have more than one certificate.