diff --git a/CHANGELOG.md b/CHANGELOG.md
index 443cce6c..0d260b5e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -118,6 +118,7 @@ In this release, the schema version has changed from 10 to 12.
 
 ### Fixed
 
+- ED25519 private key validation ([#3737]).
 - Incorrect assignment of explicitly configured DHCP options ([#3744]).
 - Occasional panic during shutdown ([#3655]).
 - Addition of IPs into only one as opposed to all matching ipsets on Linux
diff --git a/internal/home/tls.go b/internal/home/tls.go
index cd13407f..fc842929 100644
--- a/internal/home/tls.go
+++ b/internal/home/tls.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"crypto"
 	"crypto/ecdsa"
+	"crypto/ed25519"
 	"crypto/rsa"
 	"crypto/tls"
 	"crypto/x509"
@@ -464,6 +465,7 @@ func validatePkey(data *tlsConfigStatus, pkey string) error {
 	_, keytype, err := parsePrivateKey(key.Bytes)
 	if err != nil {
 		data.WarningValidation = fmt.Sprintf("Failed to parse private key: %s", err)
+
 		return errors.Error(data.WarningValidation)
 	}
 
@@ -509,23 +511,31 @@ func validateCertificates(certChain, pkey, serverName string) tlsConfigStatus {
 // Attempt to parse the given private key DER block. OpenSSL 0.9.8 generates
 // PKCS#1 private keys by default, while OpenSSL 1.0.0 generates PKCS#8 keys.
 // OpenSSL ecparam generates SEC1 EC private keys for ECDSA. We try all three.
-func parsePrivateKey(der []byte) (crypto.PrivateKey, string, error) {
-	if key, err := x509.ParsePKCS1PrivateKey(der); err == nil {
+//
+// TODO(a.garipov): Find out if this version of parsePrivateKey from the stdlib
+// is actually necessary.
+func parsePrivateKey(der []byte) (key crypto.PrivateKey, typ string, err error) {
+	if key, err = x509.ParsePKCS1PrivateKey(der); err == nil {
 		return key, "RSA", nil
 	}
 
-	if key, err := x509.ParsePKCS8PrivateKey(der); err == nil {
+	if key, err = x509.ParsePKCS8PrivateKey(der); err == nil {
 		switch key := key.(type) {
 		case *rsa.PrivateKey:
 			return key, "RSA", nil
 		case *ecdsa.PrivateKey:
 			return key, "ECDSA", nil
+		case ed25519.PrivateKey:
+			return key, "ED25519", nil
 		default:
-			return nil, "", errors.Error("tls: found unknown private key type in PKCS#8 wrapping")
+			return nil, "", fmt.Errorf(
+				"tls: found unknown private key type %T in PKCS#8 wrapping",
+				key,
+			)
 		}
 	}
 
-	if key, err := x509.ParseECPrivateKey(der); err == nil {
+	if key, err = x509.ParseECPrivateKey(der); err == nil {
 		return key, "ECDSA", nil
 	}