diff --git a/backend/Dockerfile b/backend/Dockerfile
index a28ef01..4909e4e 100644
--- a/backend/Dockerfile
+++ b/backend/Dockerfile
@@ -18,5 +18,25 @@ RUN apk add --no-cache python3 make g++ openssh-client
 COPY package.json package-lock.json* ./
 RUN npm install --omit=dev
 COPY --from=build /app/dist ./dist
+# Old-format encrypted PEM keys (e.g. "BEGIN RSA PRIVATE KEY" + DEK-Info) rely on an
+# MD5-based KDF that OpenSSL 3's default provider disables. Enable the legacy provider
+# so `ssh` (used for certificate-based auth) can still decrypt these keys.
+RUN { \
+ echo 'openssl_conf = openssl_init'; \
+ echo ''; \
+ echo '[openssl_init]'; \
+ echo 'providers = provider_sect'; \
+ echo ''; \
+ echo '[provider_sect]'; \
+ echo 'default = default_sect'; \
+ echo 'legacy = legacy_sect'; \
+ echo ''; \
+ echo '[default_sect]'; \
+ echo 'activate = 1'; \
+ echo ''; \
+ echo '[legacy_sect]'; \
+ echo 'activate = 1'; \
+ } > /etc/ssl/openssl-legacy.cnf
+ENV OPENSSL_CONF=/etc/ssl/openssl-legacy.cnf
 EXPOSE 4000
 CMD ["node", "dist/server.js"]
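Review bot: The `ENV OPENSSL_CONF=/etc/ssl/openssl-legacy.cnf` line at the end of the added block turns the legacy provider on for every OpenSSL-linked process in the final image, not only the `ssh` child the comment names, so the weak algorithms that provider carries become available container-wide. It also points those processes at this file instead of the distribution's default OpenSSL configuration, so any settings in the default file no longer apply to them. I would keep the generated file but drop the `ENV`, and have the code that spawns `ssh` (not visible in this hunk) set `OPENSSL_CONF` in that child's environment only; whether the Node process itself honours the variable depends on how its OpenSSL is built, so that is worth confirming either way. The comment could also say that this is a compatibility shim, e.g. `# Compatibility only: re-encrypt affected keys in the current OpenSSH/PKCS#8 format, then remove this.`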