diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index 7cddaa6..e448907 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -1742,7 +1742,6 @@ Run easyrsa without commands for usage and command help."
 		shift
 	done
 
-	pkcs_opts=
 	pkcs_certfile_path=
 	if [ "$want_ca" ]; then
 		verify_file x509 "$crt_ca" || die "\
@@ -1766,16 +1765,17 @@ Unable to export p12 for short name '$short_name' without the key
 (if you want a p12 without the private key, use nokey option.)
 Missing key expected at: $key_in"
 		else
-			pkcs_opts="-nokeys"
+			nokeys=1
 		fi
 
 		# export the p12:
 		# shellcheck disable=SC2086 # Ignore unquoted variables
 		easyrsa_openssl pkcs12 -in "$crt_in" -inkey "$key_in" -export \
-			-out "$pkcs_out" $pkcs_opts \
-			${pkcs_certfile_path:+-certfile "$pkcs_certfile_path"} \
-			${EASYRSA_PASSIN:+-passin "$EASYRSA_PASSIN"} \
-			${EASYRSA_PASSOUT:+-passout "$EASYRSA_PASSOUT"} || die "\
+			-out "$pkcs_out" \
+			${nokeys:+ -nokeys} \
+			${pkcs_certfile_path:+ -certfile "$pkcs_certfile_path"} \
+			${EASYRSA_PASSIN:+ -passin "$EASYRSA_PASSIN"} \
+			${EASYRSA_PASSOUT:+ -passout "$EASYRSA_PASSOUT"} || die "\
 Export of p12 failed: see above for related openssl errors."
 	;;
 	p7)
@@ -1784,22 +1784,24 @@ Export of p12 failed: see above for related openssl errors."
 		# export the p7:
 		easyrsa_openssl crl2pkcs7 -nocrl -certfile "$crt_in" \
 			-out "$pkcs_out" \
-			${pkcs_certfile_path:+-certfile "$pkcs_certfile_path"} \
+			${pkcs_certfile_path:+ -certfile "$pkcs_certfile_path"} \
 				|| die "\
 Export of p7 failed: see above for related openssl errors."
 	;;
 	p8)
-		if [ -z "$want_pass" ]; then
-			pkcs_opts="-nocrypt"
-		fi
 		pkcs_out="$EASYRSA_PKI/private/$short_name.p8"
 
+		if [ -z "$want_pass" ]; then
+			EASYRSA_PASSIN=pass:
+			EASYRSA_PASSOUT=pass:
+		fi
+
 		# export the p8:
 		# shellcheck disable=SC2086 # Ignore unquoted variables
 		easyrsa_openssl pkcs8 -in "$key_in" -topk8 \
 			-out "$pkcs_out" $pkcs_opts \
-			${EASYRSA_PASSIN:+-passin "$EASYRSA_PASSIN"} \
-			${EASYRSA_PASSOUT:+-passout "$EASYRSA_PASSOUT"} || die "\
+			${EASYRSA_PASSIN:+ -passin "$EASYRSA_PASSIN"} \
+			${EASYRSA_PASSOUT:+ -passout "$EASYRSA_PASSOUT"} || die "\
 Export of p8 failed: see above for related openssl errors."
       ;;
 esac