gnutls-serv / gnutls_certificate_set_x509_key_file do not check certificate against policy
gnutls-serv loads the key file and certificate, but doesn't bother to check whether it should trust it or whether it is acceptable as per policy.
For example, one can start gnutls-serv with 512-bit RSA keys in the cert chain, even if no sane client will trust it enough to connect to it.
Some checks are performed, e.g. gnutls_check_key_cert_match, but it should also check whether the cert meets the minimum profile security standard w.r.t. algorithms, key sizes, hashes, etc., so that, for example, daemons fail to start with bogus certs instead of waiting for clients to fail to establish a connection.
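A stand-alone sketch of the requested start-up check, added here as an illustration and not GnuTLS code: it walks each DER certificate in a chain, reads the RSA modulus size from SubjectPublicKeyInfo, and reports any key below a floor. The function names, the 2048-bit default and the certificate-shaped test inputs are assumptions constructed for this example; only RSA key size is covered, not hashes or other algorithms.

```python
RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption

def tlv(tag, body):  # encode one DER tag-length-value element
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + body

def children(body):
    """Split a DER body into (tag, value) pairs; reject truncated input."""
    out, off = [], 0
    while off < len(body):
        tag, n, off = body[off], body[off + 1], off + 2
        if n & 0x80:  # long-form length: low 7 bits give the length's byte count
            k = n & 0x7F
            n, off = int.from_bytes(body[off:off + k], "big"), off + k
        if off + n > len(body):
            raise ValueError("truncated DER")
        out.append((tag, body[off:off + n]))
        off += n
    return out

def rsa_key_bits(cert_der):
    """Return the RSA modulus size of a DER certificate, or None if not RSA."""
    tbs = children(children(children(cert_der)[0][1])[0][1])
    spki = children(tbs[6 if tbs[0][0] == 0xA0 else 5][1])  # [0] version is optional
    if children(spki[0][1])[0][1] != RSA_OID:
        return None  # other key types are out of scope for this sketch
    rsa_pub = children(spki[1][1][1:])[0][1]  # skip BIT STRING unused-bits octet
    return int.from_bytes(children(rsa_pub)[0][1], "big").bit_length()

def preflight(chain, min_rsa_bits=2048):
    """Return the problems found; an empty list means the chain meets the floor."""
    sizes = [(i, rsa_key_bits(der)) for i, der in enumerate(chain)]
    return [f"cert[{i}]: RSA {b} bits < {min_rsa_bits}" for i, b in sizes
            if b is not None and b < min_rsa_bits]

def sample_cert(bits):
    """Constructed, unsigned, certificate-shaped DER; the modulus is a placeholder."""
    n = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")
    alg = tlv(0x30, tlv(0x06, RSA_OID) + tlv(0x05, b""))
    key = tlv(0x30, tlv(0x02, n) + tlv(0x02, b"\x01\x00\x01"))
    spki = tlv(0x30, alg + tlv(0x03, b"\x00" + key))
    tbs = tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg + tlv(0x30, b"") * 3 + spki
    return tlv(0x30, tlv(0x30, tbs) + alg + tlv(0x03, b"\x00"))

if __name__ == "__main__":
    print(preflight([sample_cert(2048), sample_cert(512)]) or "chain OK")
```

A daemon wrapper would refuse to start when preflight returns a non-empty list, which moves the failure from the first client handshake to start-up.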