diff --git a/RSA.xs b/RSA.xs
index 7e1ddc6..fde7314 100644
--- a/RSA.xs
+++ b/RSA.xs
@@ -472,6 +472,10 @@ get_private_key_string(p_rsa, passphase_SV=&PL_sv_undef, cipher_name_SV=&PL_sv_u
     char* cipher_name;
     const EVP_CIPHER* enc = NULL;
   CODE:
+    if (!_is_private(p_rsa))
+    {
+        croak("Public keys cannot export private key strings");
+    }
     if (SvPOK(cipher_name_SV) && !SvPOK(passphase_SV)) {
         croak("Passphrase is required for cipher");
     }
diff --git a/t/format.t b/t/format.t
index 0f4f516..667c93e 100644
--- a/t/format.t
+++ b/t/format.t
@@ -122,9 +122,9 @@ like($@, qr/Unsupported cipher/, "get_private_key_string croaks on unsupported c
 # --- Error: export private key from public-only key ---
 
 my $pub_only = Crypt::OpenSSL::RSA->new_public_key($PUBLIC_KEY_PKCS1_STRING);
-# Behavior varies: OpenSSL 3.x may croak, 1.x/LibreSSL returns a PEM
 eval { $pub_only->get_private_key_string() };
-pass("get_private_key_string on public-only key does not crash");
+like($@, qr/Public keys cannot export private key strings/,
+    "get_private_key_string croaks on public-only key");
 
 # --- Error: wrong passphrase on re-import ---