diff --git a/libfreerdp/crypto/cert_common.c b/libfreerdp/crypto/cert_common.c
index 8454652f3..c7f331dd2 100644
--- a/libfreerdp/crypto/cert_common.c
+++ b/libfreerdp/crypto/cert_common.c
@@ -181,7 +181,7 @@ X509* x509_from_rsa(const RSA* rsa)
 	if (!bio)
 		return NULL;
 
-	const int rc = PEM_write_bio_RSA_PUBKEY(bio, rsa);
+	const int rc = PEM_write_bio_RSA_PUBKEY(bio, (RSA*)rsa);
 	if (rc != 1)
 		goto fail;
 
diff --git a/libfreerdp/crypto/tls.c b/libfreerdp/crypto/tls.c
index 9658e8946..0050f6291 100644
--- a/libfreerdp/crypto/tls.c
+++ b/libfreerdp/crypto/tls.c
@@ -1050,7 +1050,7 @@ TlsHandshakeResult freerdp_tls_accept_ex(rdpTls* tls, BIO* underlying, rdpSettin
 	if (!tls_prepare(tls, underlying, methods, options, FALSE))
 		return TLS_HANDSHAKE_ERROR;
 
-	rdpPrivateKey* key = freerdp_settings_get_pointer(settings, FreeRDP_RdpServerRsaKey);
+	const rdpPrivateKey* key = freerdp_settings_get_pointer(settings, FreeRDP_RdpServerRsaKey);
 	if (!key)
 	{
 		WLog_ERR(TAG, "invalid private key");
@@ -1077,7 +1077,8 @@ TlsHandshakeResult freerdp_tls_accept_ex(rdpTls* tls, BIO* underlying, rdpSettin
 		return TLS_HANDSHAKE_ERROR;
 	}
 
-	rdpCertificate* cert = freerdp_settings_get_pointer(settings, FreeRDP_RdpServerCertificate);
+	rdpCertificate* cert =
+	    freerdp_settings_get_pointer_writable(settings, FreeRDP_RdpServerCertificate);
 	if (!cert)
 	{
 		WLog_ERR(TAG, "invalid certificate");
@@ -1377,7 +1378,7 @@ static BOOL tls_extract_pem(const rdpCertificate* cert, BYTE** PublicKey, size_t
 {
 	if (!cert || !PublicKey)
 		return FALSE;
-	*PublicKey = freerdp_certificate_get_pem(cert, PublicKeyLength);
+	*PublicKey = (BYTE*)freerdp_certificate_get_pem(cert, PublicKeyLength);
 	return *PublicKey != NULL;
 }
 
diff --git a/libfreerdp/crypto/x509_utils.c b/libfreerdp/crypto/x509_utils.c
index 62cf2939b..4f4111f4d 100644
--- a/libfreerdp/crypto/x509_utils.c
+++ b/libfreerdp/crypto/x509_utils.c
@@ -559,7 +559,7 @@ void x509_utils_print_info(const X509* xcert)
 	char* subject;
 	subject = x509_utils_get_subject(xcert);
 	issuer = x509_utils_get_issuer(xcert);
-	fp = x509_utils_get_hash(xcert, "sha256", NULL);
+	fp = (char*)x509_utils_get_hash(xcert, "sha256", NULL);
 
 	if (!fp)
 	{
@@ -605,7 +605,7 @@ BYTE* x509_utils_get_pem(const X509* xcert, const STACK_OF(X509) * chain, size_t
 		return NULL;
 	}
 
-	status = PEM_write_bio_X509(bio, xcert);
+	status = PEM_write_bio_X509(bio, (X509*)xcert);
 
 	if (status < 0)
 	{
@@ -774,7 +774,7 @@ char* x509_utils_get_common_name(const X509* xcert, size_t* plength)
 	if (subject_name == NULL)
 		return NULL;
 
-	const int index = X509_NAME_get_index_by_NID(subject_name, NID_commonName, -1);
+	const int index = X509_NAME_get_index_by_NID((X509_NAME*)subject_name, NID_commonName, -1);
 	if (index < 0)
 		return NULL;
 
diff --git a/server/proxy/pf_config.c b/server/proxy/pf_config.c
index 9a1350279..d772854e4 100644
--- a/server/proxy/pf_config.c
+++ b/server/proxy/pf_config.c
@@ -399,7 +399,7 @@ static char* pf_config_decode_base64(const char* data, const char* name, size_t*
 	WINPR_ASSERT(pLength);
 
 	const size_t length = strlen(data);
-	crypto_base64_decode(data, length, &decoded, &decoded_length);
+	crypto_base64_decode(data, length, (BYTE**)&decoded, &decoded_length);
 	if (!decoded || decoded_length == 0)
 		WLog_ERR(TAG, "Failed to decode base64 data from %s of length %" PRIuz, name, length);
 	WINPR_ASSERT(strnlen(decoded, decoded_length) == decoded_length - 1);