diff --git a/server/proxy/pf_config.c b/server/proxy/pf_config.c
index 7ccecd0ba..602a13c47 100644
--- a/server/proxy/pf_config.c
+++ b/server/proxy/pf_config.c
@@ -390,8 +390,9 @@ static BOOL pf_config_load_gfx_settings(wIniFile* ini, proxyConfig* config)
 
 static char* pf_config_decode_base64(const char* data, const char* name, size_t* pLength)
 {
-	const char cert_header[27] = "-----BEGIN CERTIFICATE-----";
-	const char key_header[27] = "-----BEGIN PRIVATE KEY-----";
+	const char* headers[] = { "-----BEGIN PUBLIC KEY-----", "-----BEGIN RSA PUBLIC KEY-----",
+		                      "-----BEGIN CERTIFICATE-----", "-----BEGIN PRIVATE KEY-----",
+		                      "-----BEGIN RSA PRIVATE KEY-----" };
 
 	size_t decoded_length = 0;
 	char* decoded = NULL;
@@ -405,9 +406,42 @@ static char* pf_config_decode_base64(const char* data, const char* name, size_t*
 	WINPR_ASSERT(pLength);
 
 	const size_t length = strlen(data);
-	if ((strncmp(data, cert_header, ARRAYSIZE(cert_header)) == 0) ||
-	    (strncmp(data, key_header, ARRAYSIZE(key_header)) == 0))
+
+	if (strncmp(data, "-----", 5) == 0)
 	{
+		BOOL expected = FALSE;
+		for (size_t x = 0; x < ARRAYSIZE(headers); x++)
+		{
+			const char* header = headers[x];
+
+			if (strncmp(data, header, strlen(header)) == 0)
+				expected = TRUE;
+		}
+
+		if (!expected)
+		{
+			/* Extract header for log message
+			 * expected format is '----- SOMETEXT -----'
+			 */
+			char hdr[128] = { 0 };
+			const char* end = strchr(&data[5], '-');
+			if (end)
+			{
+				while (*end == '-')
+					end++;
+
+				const size_t s = MIN(ARRAYSIZE(hdr) - 1, end - data);
+				memcpy(hdr, data, s);
+			}
+
+			WLog_WARN(TAG, "PEM has unexpected header '%s'. Known supported headers are:", hdr);
+			for (size_t x = 0; x < ARRAYSIZE(headers); x++)
+			{
+				const char* header = headers[x];
+				WLog_WARN(TAG, "%s", header);
+			}
+		}
+
 		*pLength = length + 1;
 		return _strdup(data);
 	}