diff --git a/examples/python/gi/nm-wg-set b/examples/python/gi/nm-wg-set index 308e4c74ca..9ee61c7dc4 100755 --- a/examples/python/gi/nm-wg-set +++ b/examples/python/gi/nm-wg-set @@ -343,7 +343,7 @@ def do_set(nm_client, conn, argv): else: peer_idx = None peer = NM.WireGuardPeer() - peer.set_public_key(public_key) + peer.set_public_key(public_key, True) wg_peer_is_valid(peer, 'public key "%s" is invalid' % (public_key)) peer_remove = False idx += 2 diff --git a/libnm-core/nm-keyfile.c b/libnm-core/nm-keyfile.c index b82b6bf020..4f5ec46260 100644 --- a/libnm-core/nm-keyfile.c +++ b/libnm-core/nm-keyfile.c @@ -2929,7 +2929,7 @@ _read_setting_wireguard_peer (KeyfileReaderInfo *info) info->group); return; } - nm_wireguard_peer_set_public_key (peer, cstr); + nm_wireguard_peer_set_public_key (peer, cstr, TRUE); nm_clear_g_free (&str); key = NM_WIREGUARD_PEER_ATTR_PRESHARED_KEY; diff --git a/libnm-core/nm-setting-wireguard.c b/libnm-core/nm-setting-wireguard.c index c1881240a0..154cc8a798 100644 --- a/libnm-core/nm-setting-wireguard.c +++ b/libnm-core/nm-setting-wireguard.c 
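Review bot: In the `libnm-core/nm-keyfile.c` hunk, `nm_wireguard_peer_set_public_key (peer, cstr, TRUE);` discards the new gboolean result, so a malformed public key read from a keyfile is stored un-normalized with no diagnostic at this point. If rejection is deliberately deferred to a later validity check, say so with a comment such as `/* invalid keys are stored on purpose; validity is checked later */`. Otherwise test the return value and warn or return, as the error branch just above the call does. `_read_setting_wireguard_peer` continues outside the hunk, so a later check may already exist there.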
@@ -280,34 +280,48 @@ nm_wireguard_peer_get_public_key (const NMWireGuardPeer *self) * @self: the unsealed #NMWireGuardPeer instance * @public_key: (allow-none) (transfer none): the new public * key or %NULL to clear the public key. + * @accept_invalid: if %TRUE and @public_key is not %NULL and + * invalid, then do not modify the instance. * * Reset the public key. Note that if the public key is valid, it * will be normalized (which may or may not modify the set value). * * It is a bug trying to modify a sealed #NMWireGuardPeer instance. * + * Returns: %TRUE if the key was valid or %NULL. Returns + * %FALSE for invalid keys. Depending on @accept_invalid + * will an invalid key be set or not. + * * Since: 1.16 */ -void +gboolean nm_wireguard_peer_set_public_key (NMWireGuardPeer *self, - const char *public_key) + const char *public_key, + gboolean accept_invalid) { char *public_key_normalized = NULL; + gboolean is_valid; - g_return_if_fail (NM_IS_WIREGUARD_PEER (self, FALSE)); + g_return_val_if_fail (NM_IS_WIREGUARD_PEER (self, FALSE), FALSE); if (!public_key) { nm_clear_g_free (&self->public_key); - return; + return TRUE; } - self->public_key_valid = _nm_utils_wireguard_normalize_key (public_key, - NM_WIREGUARD_PUBLIC_KEY_LEN, - &public_key_normalized); - nm_assert (self->public_key_valid == (public_key_normalized != NULL)); + is_valid = _nm_utils_wireguard_normalize_key (public_key, + NM_WIREGUARD_PUBLIC_KEY_LEN, + &public_key_normalized); + nm_assert (is_valid == (public_key_normalized != NULL)); + if ( !is_valid + && !accept_invalid) + return FALSE; + + self->public_key_valid = is_valid; g_free (self->public_key); self->public_key = public_key_normalized ?: g_strdup (public_key); + return is_valid; } void 
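Review bot: The new `@accept_invalid` doc line says the opposite of what the code does. The early return `if (!is_valid && !accept_invalid) return FALSE;` leaves the instance untouched when `accept_invalid` is FALSE, while with TRUE the invalid string is stored through `g_strdup (public_key)` and `public_key_valid` becomes FALSE. Suggested wording: `@accept_invalid: if %TRUE, an invalid @public_key is still stored (un-normalized) and the peer is marked invalid; if %FALSE, an invalid key leaves the instance unmodified.` The `Returns:` paragraph could then drop the vague "Depending on @accept_invalid" sentence. Separately, the `!public_key` path clears `self->public_key` but leaves `self->public_key_valid` at its previous value; resetting it there may be worth considering if anything reads the flag without first checking the key pointer.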
@@ -1532,8 +1546,7 @@ _peers_dbus_only_set (NMSetting *setting, } peer = nm_wireguard_peer_new (); - nm_wireguard_peer_set_public_key (peer, cstr); - if (!peer->public_key_valid) { + if (!nm_wireguard_peer_set_public_key (peer, cstr, TRUE)) { if (NM_FLAGS_HAS (parse_flags, NM_SETTING_PARSE_FLAGS_STRICT)) { g_set_error (error, NM_CONNECTION_ERROR, NM_CONNECTION_ERROR_MISSING_PROPERTY, _("peer #%u has invalid public-key"), diff --git a/libnm-core/nm-setting-wireguard.h b/libnm-core/nm-setting-wireguard.h index 6f6fc0f0b4..5cf5c1f3c4 100644 --- a/libnm-core/nm-setting-wireguard.h +++ b/libnm-core/nm-setting-wireguard.h @@ -61,8 +61,9 @@ gboolean nm_wireguard_peer_is_sealed (const NMWireGuardPeer *self); NM_AVAILABLE_IN_1_16 const char *nm_wireguard_peer_get_public_key (const NMWireGuardPeer *self); NM_AVAILABLE_IN_1_16 -void nm_wireguard_peer_set_public_key (NMWireGuardPeer *self, - const char *public_key); +gboolean nm_wireguard_peer_set_public_key (NMWireGuardPeer *self, + const char *public_key, + gboolean accept_invalid); NM_AVAILABLE_IN_1_16 const char *nm_wireguard_peer_get_preshared_key (const NMWireGuardPeer *self); diff --git a/libnm-core/tests/test-setting.c b/libnm-core/tests/test-setting.c index 6d089f1ab8..bbcff8778f 100644 --- a/libnm-core/tests/test-setting.c +++ b/libnm-core/tests/test-setting.c @@ -2065,7 +2065,8 @@ _rndt_wg_peers_create (void) s_endpoint = _create_random_ipaddr (AF_UNSPEC, TRUE); peer = nm_wireguard_peer_new (); - nm_wireguard_peer_set_public_key (peer, public_key); + if (!nm_wireguard_peer_set_public_key (peer, public_key, TRUE)) + g_assert_not_reached (); if (!nm_wireguard_peer_set_preshared_key (peer, nmtst_rand_select (NULL, preshared_key), TRUE)) g_assert_not_reached ();
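Review bot: In the `_peers_dbus_only_set` hunk the peer is built from D-Bus input with `accept_invalid` set to TRUE, yet the next branch treats an invalid key as an error under `NM_SETTING_PARSE_FLAGS_STRICT`. If the non-strict path (not visible in this hunk) also drops the peer, passing FALSE would say so directly and avoid storing the unvalidated string in the object: `if (!nm_wireguard_peer_set_public_key (peer, cstr, FALSE)) {`. The error raised for a malformed key is `NM_CONNECTION_ERROR_MISSING_PROPERTY`; `NM_CONNECTION_ERROR_INVALID_PROPERTY` would describe a present-but-invalid value more accurately. The function body starts and ends outside the hunk.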