diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index bc0c386..fe75fdc 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -416,9 +416,10 @@ Your newly created PKI dir is: $EASYRSA_PKI
 build_ca() {
 opts=""
 sub_ca=""
+ crypto="-aes256"
 while [ -n "$1" ]; do
 case "$1" in
- nopass) opts="$opts -nodes" ;;
+ nopass) opts="$opts -nodes "; crypt= ;;
 subca) sub_ca=1 ;;
 *) warn "Ignoring unknown command option: '$1'" ;;
 esac
@@ -433,7 +434,7 @@ build_ca() {
 out_key="$EASYRSA_PKI/private/ca.key"
 if [ ! $sub_ca ]; then
 out_file="$EASYRSA_PKI/ca.crt"
- opts="$opts -x509 -days $EASYRSA_CA_EXPIRE"
+ opts="$opts -x509 -days $EASYRSA_CA_EXPIRE "
 fi
 
 # Test for existing CA, and complain if already present
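Review bot: The `nopass` arm clears `crypt=` while the variable initialised three lines earlier is `crypto="-aes256"`, so the flag this option sets is never the one that was declared, and within this hunk neither name is read at all; at minimum the names should agree, `nopass) opts="$opts -nodes "; crypto= ;;`. If the intent is to feed `$crypto` to the key generation later in the diff, the hard-coded `-aes256` there should become `$crypto` so that `nopass` still yields an unencrypted key as it did before this change. The trailing space added to the `opts` strings in this hunk and the next one is harmless but unexplained. The body of build_ca continues beyond this hunk.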
@@ -464,14 +465,30 @@ current CA keypair. If you intended to start a new CA, run init-pki first."
 [ "$EASYRSA_BATCH" ] && opts="$opts -batch" || export EASYRSA_REQ_CN="Easy-RSA CA"
 
 out_key_tmp="$(mktemp "$out_key.XXXXXXXXXX")"; EASYRSA_TEMP_FILE_2="$out_key_tmp"
+ out_key_pass_tmp="$(mktemp "$out_key_pass.XXXXXXXXXX")"; EASYRSA_TEMP_FILE_3="$out_key_pass_tmp"
 out_file_tmp="$(mktemp "$out_file.XXXXXXXXXX")"; EASYRSA_TEMP_FILE_3="$out_file_tmp"
+ printf "Enter New CA Key Passphrase: "
+ read -s kpass
+ echo
+ printf "Re-Enter New CA Key Passphrase: "
+ read -s kpass2
+ echo
+ if [ "$kpass" = "$kpass2" ];
+ then
+ printf "$kpass" > "$out_key_pass_tmp"
+ else
+ die "Passphrases do not match."
+ fi
+ # create the CA key using AES256
+ "$EASYRSA_OPENSSL" genrsa -aes256 -out "$out_key_tmp" -passout file:"$out_key_pass_tmp"
 # create the CA keypair:
 #shellcheck disable=SC2086
- "$EASYRSA_OPENSSL" req -utf8 -new -newkey "$EASYRSA_ALGO":"$EASYRSA_ALGO_PARAMS" \
- -config "$EASYRSA_SSL_CONF" -keyout "$out_key_tmp" -out "$out_file_tmp" $opts || \
+ "$EASYRSA_OPENSSL" req -utf8 -new -key "$out_key_tmp" \
+ -config "$EASYRSA_SSL_CONF" -keyout "$out_key_tmp" -out "$out_file_tmp" -passin file:"$out_key_pass_tmp" $opts || \
 die "Failed to build the CA"
 mv "$out_key_tmp" "$out_key"; EASYRSA_TEMP_FILE_2=
 mv "$out_file_tmp" "$out_file"; EASYRSA_TEMP_FILE_3=
+ rm "$out_key_pass_tmp"
 
 # Success messages
 if [ $sub_ca ]; then
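Review bot: `printf "$kpass" > "$out_key_pass_tmp"` uses the typed passphrase as the printf format string, so any `%` or backslash sequence in it is interpreted and the key is encrypted with something other than what the user entered; write it as `printf '%s' "$kpass" > "$out_key_pass_tmp"`. The new `EASYRSA_TEMP_FILE_3="$out_key_pass_tmp"` is overwritten by `EASYRSA_TEMP_FILE_3="$out_file_tmp"` on the very next line and the `rm` at the end only runs on success, so on the `die` for a mismatch or a failed `genrsa` the file holding the plaintext passphrase is left behind in the private directory; it needs its own cleanup slot so the existing exit path removes it. `$out_key_pass` is not assigned anywhere in this diff, and if it is unset the mktemp template collapses to `.XXXXXXXXXX`, placing that passphrase file in the current working directory rather than beside the key — presumably something like `out_key_pass="$out_key.pass"` was intended. The prompts run unconditionally, so `nopass` and `EASYRSA_BATCH` no longer produce a key without interaction, and neither `crypt` nor `crypto` is consulted here. Replacing `-newkey "$EASYRSA_ALGO":"$EASYRSA_ALGO_PARAMS"` with a hard-coded `genrsa -aes256` also drops the configured algorithm and key parameters that the removed line honoured; build_ca continues outside this hunk.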