MySQL throws EE_PUBLIC_KEY_NOT_IN_PEM_FORMAT when the given RSA public key is not in valid PEM encoding.
MySQL Error 65: EE_PUBLIC_KEY_NOT_IN_PEM_FORMAT signals that the RSA public key supplied to the client or server is not PEM-encoded. Convert the key to standard PEM (base64 text between -----BEGIN PUBLIC KEY----- and -----END PUBLIC KEY-----) or regenerate the key pair in PEM format to resolve the issue.
Public key is not in Privacy Enhanced Mail format: '%s'. EE_PUBLIC_KEY_NOT_IN_PEM_FORMAT was added in 8.0.13.
MySQL 8.0.13 introduced RSA key-pair authentication for secure password exchange. When the server or client receives a public key that is not wrapped in standard Privacy Enhanced Mail boundaries, it raises EE_PUBLIC_KEY_NOT_IN_PEM_FORMAT.
The error halts connection establishment because MySQL cannot parse or validate a malformed key.
Fixing it quickly restores secure connectivity and avoids falling back to weaker authentication plugins.
Most connections break because the key file was saved in DER or SSH format rather than base64-encoded PEM.
Manual copy-paste often drops the BEGIN and END lines, corrupting the header.
Upgrading to MySQL 8.0+ without regenerating keys, using wrong file paths, or feeding the server a client certificate instead of its public key also triggers the condition.
Verify the key first. A valid PEM file starts with -----BEGIN PUBLIC KEY----- and ends with -----END PUBLIC KEY-----.
If those markers are missing, convert or regenerate the key using openssl.
After conversion, update caching_sha2_password_public_key_path on the server or pass --ssl-public-key on the client. Restart the MySQL service or reconnect to confirm the error is gone.
Database migrations often break because deployment scripts package keys in binary DER. Convert them with openssl rsa -inform DER -in key.der -pubout -out key.pem.
Containers that mount secrets as files can truncate newline endings.
Re-encode the secret, commit a proper PEM file to your secret manager, and redeploy.
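The failure modes described above (DER or SSH input, dropped BEGIN/END lines, a certificate in place of the public key, stripped newlines) can be told apart with a structural pre-check before a key file is deployed. This is an added example, not code from MySQL or from the original page; classify_key, make_pem and SAMPLE_DER are hypothetical names and the sample bytes are constructed, not a real key. It inspects framing only, so openssl remains the authoritative validator.

```python
import base64
import binascii
import re

BEGIN = b"-----BEGIN PUBLIC KEY-----"
END = b"-----END PUBLIC KEY-----"

# Constructed bytes shaped like an ASN.1 SEQUENCE; NOT a real RSA key.
SAMPLE_DER = b"\x30\x82\x01\x22" + bytes(290)


def make_pem(der: bytes) -> bytes:
    """Wrap DER bytes in the PEM framing the page describes (64-char rows)."""
    b64 = base64.b64encode(der)
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return b"\n".join([BEGIN, *rows, END]) + b"\n"


def classify_key(data: bytes) -> str:
    """Return 'ok' or the reason the file is not a PEM-framed public key."""
    text = data.strip()
    if not text:
        return "empty"
    if text[:1] == b"\x30":  # raw ASN.1 SEQUENCE tag: binary DER
        return "der-binary"
    if re.match(rb"(ssh-(rsa|ed25519)|ecdsa-sha2-\S+) ", text):
        return "ssh-format"
    found = re.search(rb"-----BEGIN ([A-Z0-9 ]+)-----", text)
    if found and found.group(1) != b"PUBLIC KEY":
        return "wrong-pem-type: " + found.group(1).decode()
    if BEGIN not in text or END not in text:
        return "missing-markers"
    lines = [ln.strip() for ln in text.splitlines()]
    if lines[0] != BEGIN or lines[-1] != END:
        return "markers-not-on-own-line"  # e.g. newlines stripped by a secret mount
    try:
        der = base64.b64decode(b"".join(lines[1:-1]), validate=True)
    except binascii.Error:
        return "corrupt-base64"
    return "ok" if der[:1] == b"\x30" else "not-asn1"


if __name__ == "__main__":
    good = make_pem(SAMPLE_DER)
    for label, blob in [("pem", good), ("der", SAMPLE_DER),
                        ("flattened", good.replace(b"\n", b"")),
                        ("certificate", good.replace(b"PUBLIC KEY", b"CERTIFICATE"))]:
        print(f"{label:12} {classify_key(blob)}")
```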
Always store keys in version-controlled secret managers as PEM. Automate key generation with CI tooling to prevent manual corruption.
Enable MySQL’s require_secure_transport and monitor the error log for code 65.
Galaxy users can add alerts on failed logins to flag malformed key attempts instantly.
Error 2026 - SSL connection error - appears when the public key is missing entirely. Provide the key path in the client options.
Error 1251 - Client does not support authentication protocol - occurs when the client lacks RSA key support. Upgrade the client library or switch authentication plugins.
Yes, switch users to the mysql_native_password plugin, but you lose stronger encryption. Fixing the key is safer.
Use openssl rsa -pubin -in key.pem -text -noout. If the command prints the modulus, the file is valid.
No. The code exists only from MySQL 8.0.13 onward where RSA key exchange was added.
Galaxy’s connection manager validates key paths on save, highlights missing PEM markers, and surfaces MySQL error 65 instantly in the editor.