diff --git a/ext/node/ops/crypto/mod.rs b/ext/node/ops/crypto/mod.rs
index 53a3ea3f0f..666ce84097 100644
--- a/ext/node/ops/crypto/mod.rs
+++ b/ext/node/ops/crypto/mod.rs
@@ -1493,8 +1493,13 @@ fn parse_private_key(
 ) -> Result<pkcs8::SecretDocument, AnyError> {
   match format {
     "pem" => {
-      let (_, doc) =
-        pkcs8::SecretDocument::from_pem(std::str::from_utf8(key).unwrap())?;
+      let pem = std::str::from_utf8(key).map_err(|err| {
+        type_error(format!(
+          "Invalid PEM private key: not valid utf8 starting at byte {}",
+          err.valid_up_to()
+        ))
+      })?;
+      let (_, doc) = pkcs8::SecretDocument::from_pem(pem)?;
       Ok(doc)
     }
     "der" => {
@@ -1600,8 +1605,13 @@ fn parse_public_key(
 ) -> Result<pkcs8::Document, AnyError> {
   match format {
     "pem" => {
-      let (label, doc) =
-        pkcs8::Document::from_pem(std::str::from_utf8(key).unwrap())?;
+      let pem = std::str::from_utf8(key).map_err(|err| {
+        type_error(format!(
+          "Invalid PEM private key: not valid utf8 starting at byte {}",
+          err.valid_up_to()
+        ))
+      })?;
+      let (label, doc) = pkcs8::Document::from_pem(pem)?;
       if label != "PUBLIC KEY" {
         return Err(type_error("Invalid PEM label"));
       }
diff --git a/tests/unit_node/crypto/crypto_key_test.ts b/tests/unit_node/crypto/crypto_key_test.ts
index 0136015728..d3a43b3b81 100644
--- a/tests/unit_node/crypto/crypto_key_test.ts
+++ b/tests/unit_node/crypto/crypto_key_test.ts
@@ -415,3 +415,27 @@ Deno.test("generate rsa export public key", async function () {
   const der = publicKey.export({ format: "der", type: "spki" });
   assert(der instanceof Uint8Array);
 });
+
+Deno.test("create public key with invalid utf-8 string", function () {
+  // This is an invalid UTF-8 string because it contains a lone utf-16 surrogate.
+  const invalidPem = Buffer.from(new Uint8Array([0xE2, 0x28, 0xA1]));
+  assertThrows(
+    () => {
+      createPublicKey(invalidPem);
+    },
+    Error,
+    "not valid utf8",
+  );
+});
+
+Deno.test("create private key with invalid utf-8 string", function () {
+  // This is an invalid UTF-8 string because it contains a lone utf-16 surrogate.
+  const invalidPem = Buffer.from(new Uint8Array([0xE2, 0x28, 0xA1]));
+  assertThrows(
+    () => {
+      createPrivateKey(invalidPem);
+    },
+    Error,
+    "not valid utf8",
+  );
+});