From 73d8416def6dc978f8b85d1ea5ba8214fc17b3c7 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Wed, 17 Apr 2024 21:58:37 +0100 Subject: [PATCH] build-ca: Command 'req', remove SSL option '-keyout' OpenSSL command 'req', option '-keyout' behaves differently between OpenSSL v3.x versus v1.x When the private key is encrypted: - v1.x ignores '-keyout' and does not create a new key. - v3.x creates a new key with different parameters to the original key. v3.x creates the original key, encrypted by AES-256-CBC; then creates the unnecessary, secondary key, encrypted by DES-EDE3-CBC. Because EasyRSA has already generated the private key, the 'req' command must not generate a secondary key. Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index c26d21c4f..f16019875 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -1923,7 +1923,7 @@ build_ca: CA certificate password created via RAW" else easyrsa_openssl req -utf8 -new \ - -key "$out_key_tmp" -keyout "$out_key_tmp" \ + -key "$out_key_tmp" \ -out "$out_file_tmp" \ ${ssl_batch:+ -batch} \ ${x509:+ -x509} \
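Review bot: The `easyrsa_openssl req -utf8 -new` call in the `else` branch of build_ca now passes only `-key "$out_key_tmp"`, but nothing in the script itself records why `-keyout` must stay out, so a later cleanup could put it back. A short comment above the call would guard against that, saying that the private key already exists at this point and that, per the commit message, OpenSSL v3.x creates a secondary key encrypted with DES-EDE3-CBC instead of AES-256-CBC when `-keyout` is given. Only this one branch is visible in the hunk, so it is worth confirming that the branch before the `else` and any other `req` call that supplies an existing key with `-key` does not also pass `-keyout`. Because the behaviour differs between v1.x and v3.x, a check after this call that the key in `$out_key_tmp` still uses the intended cipher would catch a regression on either version.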