From 4e02c8acc268098188dbb28f851ae735223f8fe1 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Sun, 14 Apr 2024 22:32:12 +0100 Subject: [PATCH] build-ca: Command 'req', remove SSL option '-keyout' OpenSSL command 'req', option '-keyout' behaves differently between OpenSSL v3.x versus v1.x When the private key is encrypted: - v1.x ignores '-keyout' and does not create a new key. - v3.x creates a new key with different parameters to the original key. v3.x creates the original key, encrypted by AES-256-CBC; then creates the unnecessary, secondary key, encrypted by DES-EDE3-CBC. Because EasyRSA has already generated the private key, the 'req' command must not generate a secondary key. Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 361d36651..5ec86a175 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -1794,7 +1794,7 @@ build_ca: CA key password created via temp-files" # Generate the CA keypair: easyrsa_openssl req -utf8 -new \ - -key "$out_key_tmp" -keyout "$out_key_tmp" \ + -key "$out_key_tmp" \ -out "$out_file_tmp" \ ${ssl_batch:+ -batch} \ ${x509:+ -x509} \
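Review bot: The context comment `# Generate the CA keypair:` directly above the `easyrsa_openssl req` call no longer matches what the command does once `-keyout` is removed. With only `-key "$out_key_tmp"`, `req` reads the key EasyRSA has already written and produces the request or self-signed certificate; it generates no key. Suggest rewording the comment (for example `# Generate the CA certificate/request from the existing key:`) so a later reader is not tempted to restore `-keyout`. Because the call now relies entirely on `$out_key_tmp` already holding the key, it is also worth confirming that the earlier key-generation step aborts if that file is missing or empty; no such check is visible in this hunk.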