diff --git a/src/allmydata/crypto/rsa.py b/src/allmydata/crypto/rsa.py
index 95cf01413..96885cfa1 100644
--- a/src/allmydata/crypto/rsa.py
+++ b/src/allmydata/crypto/rsa.py
@@ -72,20 +72,39 @@ def create_signing_keypair_from_string(private_key_der):
 
     :returns: 2-tuple of (private_key, public_key)
     """
-    priv_key = load_der_private_key(
+    load = partial(
+        load_der_private_key,
         private_key_der,
         password=None,
         backend=default_backend(),
     )
-    if not isinstance(priv_key, rsa.RSAPrivateKey):
+
+    try:
+        # Load it once without the potentially expensive OpenSSL validation
+        # checks.  These have superlinear complexity.  We *will* run them just
+        # below - but first we'll apply our own constant-time checks.
+        unsafe_priv_key = load(unsafe_skip_rsa_key_validation=True)
+    except TypeError:
+        # cryptography<39 does not support this parameter, so just load the
+        # key with validation...
+        unsafe_priv_key = load()
+        # But avoid *reloading* it since that will run the expensive
+        # validation *again*.
+        load = lambda: unsafe_priv_key
+
+    if not isinstance(unsafe_priv_key, rsa.RSAPrivateKey):
         raise ValueError(
             "Private Key did not decode to an RSA key"
         )
-    if priv_key.key_size != 2048:
+    if unsafe_priv_key.key_size != 2048:
         raise ValueError(
             "Private Key must be 2048 bits"
         )
-    return priv_key, priv_key.public_key()
+
+    # Now re-load it with OpenSSL's validation applied.
+    safe_priv_key = load()
+
+    return safe_priv_key, safe_priv_key.public_key()
 
 
 def der_string_from_signing_key(private_key):