diff --git a/internal/service/signer/service.go b/internal/service/signer/service.go
index 889dcfb14827cf31775ed84425bba33e6f95d32c..39178c2ef94152ce3fbfc88d13af1be9f7a81229 100644
--- a/internal/service/signer/service.go
+++ b/internal/service/signer/service.go
@@ -631,11 +631,15 @@ func (s *Service) jwkFromKey(key *VaultKey) (*jose.JSONWebKey, error) {
 
 	switch key.Type {
 	case "ed25519":
-		k.Key = ed25519.PublicKey(key.PublicKey)
-	case "ecdsa-p256", "ecdsa-p384", "ecdsa-p521", "rsa-2048":
+		pk, err := base64.StdEncoding.DecodeString(key.PublicKey)
+		if err != nil {
+			return nil, fmt.Errorf("jwkFromKey: failed to decode ed25519 key: %v", err)
+		}
+		k.Key = ed25519.PublicKey(pk)
+	case "ecdsa-p256", "ecdsa-p384", "ecdsa-p521", "rsa-2048", "rsa-3072", "rsa-4096":
 		block, _ := pem.Decode([]byte(key.PublicKey))
 		if block == nil {
-			return nil, fmt.Errorf("no public key found during PEM decode")
+			return nil, fmt.Errorf("jwkFromKey: no public key found during PEM decode")
 		}
 
 		pub, err := x509.ParsePKIXPublicKey(block.Bytes)
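Review bot: The new `ed25519` case casts whatever the base64 decode yields straight into `ed25519.PublicKey` without checking its length, so a truncated or malformed stored value would be returned as a JWK. `ed25519.Verify` panics when the key is not `ed25519.PublicKeySize` bytes, so the failure would surface far from its cause. Before the assignment I would add `if len(pk) != ed25519.PublicKeySize { return nil, fmt.Errorf("jwkFromKey: ed25519 key has invalid length %d", len(pk)) }`. The decode error is also better wrapped with `%w` than `%v`, so callers can still inspect it with `errors.As`. In the PEM case, whose body continues past this hunk, nothing visible checks that the parsed key's algorithm or size matches `key.Type`; that is worth confirming now that `rsa-3072` and `rsa-4096` share the branch.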
@@ -644,7 +648,7 @@ func (s *Service) jwkFromKey(key *VaultKey) (*jose.JSONWebKey, error) {
 		}
 		k.Key = pub
 	default:
-		return nil, fmt.Errorf("unsupported key type: %s", key.Type)
+		return nil, fmt.Errorf("jwkFromKey: unsupported key type: %s", key.Type)
 	}
 
 	return k, nil