From 16f2d11f3722a34a3f75ac9e3838f42ff7e5ce32 Mon Sep 17 00:00:00 2001
From: Richard T Bonhomme <tincantech@protonmail.com>
Date: Fri, 18 Mar 2022 17:23:55 +0000
Subject: [PATCH] Use $crypto_opts to correctly set SSL '-noenc' ($no_password)

Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
---
 easyrsa3/easyrsa | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)

diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index 5450a25..e4e703c 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -716,17 +716,18 @@ current CA keypair. If you intended to start a new CA, run init-pki first."
 			die "Unknown algorithm: $EASYRSA_ALGO"
 		esac
 
-		# OpenSSL v3: '-nodes' is deprecate, use '-noenc'
-		unset -v no_password; [ ! $nopass ] || no_password='-noenc'
+		# Private key encryption password or use no_password
+		crypto_opts=""
+		if [ ! $nopass ] && [ -z "$EASYRSA_PASSIN" ]; then
+			crypto_opts="-passin file:$out_key_pass_tmp"
+		else
+			crypto_opts="$no_password"
+		fi
 
 		# create the CA keypair:
-		crypto_opts=""
-		[ ! $nopass ] && [ -z "$EASYRSA_PASSIN" ] && \
-			crypto_opts="-passin file:$out_key_pass_tmp"
-
 		# shellcheck disable=SC2086
-		easyrsa_openssl req -utf8 "${no_password}" -new -key "$out_key_tmp" \
-			-keyout "$out_key_tmp" -out "$out_file_tmp" ${opts} ${crypto_opts} \
+		easyrsa_openssl req -utf8 -new -key "$out_key_tmp" \
+			-out "$out_file_tmp" ${opts} ${crypto_opts} \
 			${EASYRSA_PASSIN:+-passin "$EASYRSA_PASSIN"} || \
 				die "Failed to build the CA"
 	;;