From 73cc4a62cc6dcd1b8adcdb8fc4558cb4db0495b8 Mon Sep 17 00:00:00 2001
From: Richard T Bonhomme
Date: Fri, 18 Mar 2022 20:39:40 +0000
Subject: [PATCH] Set 'build_ca()' specific $crypto_opts '-pass' for OpenSSL version 3
Signed-off-by: Richard T Bonhomme
---
 easyrsa3/easyrsa | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index e4e703c..1ef4dc5 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -680,6 +680,16 @@ current CA keypair. If you intended to start a new CA, run init-pki first."
 # BEGIN SSL V3
 3)
+ # If encrypted then create the CA key using AES256 cipher ($crypto)
+ # 'genpkey' requires '-pass'
+ crypto_opts=""
+ if [ ! $nopass ]; then
+ crypto_opts="$crypto"
+ if [ -z "$EASYRSA_PASSOUT" ]; then
+ crypto_opts="$crypto_opts -pass file:$out_key_pass_tmp"
+ fi
+ fi
+
 # Generate CA Key - OpenSSL v3 'genpkey' is not compatible
 # with easyrsa $opts and $no_password, do NOT use them here
 # shellcheck disable=SC2086 # Ignore unquoted variables
@@ -717,6 +727,7 @@ current CA keypair. If you intended to start a new CA, run init-pki first."
 esac
 # Private key encryption password or use no_password
+ # 'req' requires '-passin'
 crypto_opts=""
 if [ ! $nopass ] && [ -z "$EASYRSA_PASSIN" ]; then
 crypto_opts="-passin file:$out_key_pass_tmp"
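Review bot: The `-pass file:$out_key_pass_tmp` argument is appended to `$crypto_opts` as plain text in the first hunk, and the `shellcheck disable=SC2086` line in its trailing context suggests the `genpkey` call below the hunk expands that variable unquoted, so a temp-file path containing whitespace or glob characters would be split and OpenSSL would not receive the intended password file. Where `$out_key_pass_tmp` is created is outside the hunk; if its directory can be user-chosen, pass the option as its own quoted word at the call site, or at least record the constraint with a comment such as `# $crypto_opts is expanded unquoted: $out_key_pass_tmp must not contain whitespace`. The new `if [ ! $nopass ]; then` also relies on an unquoted expansion; `if [ -z "$nopass" ]; then` states the intent directly, and the same test sits in the context of the second hunk. The added comment says 'genpkey' requires '-pass', yet the branch taken when `EASYRSA_PASSOUT` is set adds only the cipher; presumably the call site supplies `-pass` from that variable, which the comment should say.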