diff --git a/internal/cryptutil/types.go b/internal/cryptutil/types.go
index 31b72cbbac730514a5ba5e5476c756835ebdc429..52e8f08feb4cecbd121b0f38c33fa9c414a28b27 100644
--- a/internal/cryptutil/types.go
+++ b/internal/cryptutil/types.go
@@ -74,6 +74,20 @@ func (r *Regexp) UnmarshalYAML(value *yaml.Node) error {
 	return err
 }
 
+func unmarshalPEMBlock(value *yaml.Node) (*pem.Block, error) {
+	var s string
+	if err := value.Decode(&s); err != nil {
+		return nil, err
+	}
+
+	block, _ := pem.Decode([]byte(s))
+	if block == nil {
+		return nil, errors.New("no PEM block found")
+	}
+
+	return block, nil
+}
+
 // A rsa.PrivateKey wrapper that can be deserialized from YAML as a
 // PEM-encoded string value.
 type RSAPrivateKey struct {
@@ -81,16 +95,11 @@ type RSAPrivateKey struct {
 }
 
 func (k *RSAPrivateKey) UnmarshalYAML(value *yaml.Node) error {
-	var s string
-	if err := value.Decode(&s); err != nil {
+	block, err := unmarshalPEMBlock(value)
+	if err != nil {
 		return err
 	}
 
-	block, _ := pem.Decode([]byte(s))
-	if block == nil {
-		return errors.New("no PEM block found")
-	}
-
 	switch block.Type {
 	case "PRIVATE KEY":
 		key, err := x509.ParsePKCS8PrivateKey(block.Bytes)
@@ -126,16 +135,11 @@ type RSAKey struct {
 }
 
 func (k *RSAKey) UnmarshalYAML(value *yaml.Node) error {
-	var s string
-	if err := value.Decode(&s); err != nil {
+	block, err := unmarshalPEMBlock(value)
+	if err != nil {
 		return err
 	}
 
-	block, _ := pem.Decode([]byte(s))
-	if block == nil {
-		return errors.New("no PEM block found")
-	}
-
 	switch block.Type {
 	case "PUBLIC KEY":
 		key, err := x509.ParsePKIXPublicKey(block.Bytes)
@@ -150,7 +154,7 @@ func (k *RSAKey) UnmarshalYAML(value *yaml.Node) error {
 			return errors.New("unsupported public key type")
 		}
 
-	case "RSA PRIVATE KEY":
+	case "RSA PUBLIC KEY":
 		key, err := x509.ParsePKCS1PublicKey(block.Bytes)
 		if err != nil {
 			return fmt.Errorf("error parsing PKCS1 private key: %w", err)