diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index 4963bfc..cede5b1 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -417,11 +417,13 @@ Your newly created PKI dir is: $EASYRSA_PKI
 build_ca() {
 	opts=""
 	sub_ca=""
+	nopass=""
 	crypto="-aes256"
+	crypto_opts=""
 	while [ -n "$1" ]; do
 		case "$1" in
-			nopass) opts="$opts -nodes " ;;
 			subca) sub_ca=1 ;;
+			nopass) nopass=1 ;;
 			*) warn "Ignoring unknown command option: '$1'" ;;
 		esac
 		shift
@@ -466,35 +468,48 @@ current CA keypair. If you intended to start a new CA, run init-pki first."
 	[ "$EASYRSA_BATCH" ] && opts="$opts -batch" || export EASYRSA_REQ_CN="Easy-RSA CA"
 
 	out_key_tmp="$(mktemp "$out_key.XXXXXXXXXX")"; EASYRSA_TEMP_FILE_2="$out_key_tmp"
-	# shellcheck disable=SC2154
-	out_key_pass_tmp="$(mktemp "$out_key_pass.XXXXXXXXXX")"; EASYRSA_TEMP_FILE_3="$out_key_pass_tmp"
 	out_file_tmp="$(mktemp "$out_file.XXXXXXXXXX")"; EASYRSA_TEMP_FILE_3="$out_file_tmp"
-	printf "Enter New CA Key Passphrase: "
-	stty -echo
-	read -r kpass
-	stty echo
-	echo
-	printf "Re-Enter New CA Key Passphrase: "
-	stty -echo
-	read -r kpass2
-	stty echo
-	echo
-	if [ "$kpass" = "$kpass2" ];
-	then
-		printf "%s" "$kpass" > "$out_key_pass_tmp"
-	else
-		die "Passphrases do not match."
+	# Get password from user if necessary
+	if [ ! $nopass ]; then
+		out_key_pass_tmp="$(mktemp)"; EASYRSA_TEMP_FILE_3="$out_key_pass_tmp"
+		printf "Enter New CA Key Passphrase: "
+		stty -echo
+		read -r kpass
+		stty echo
+		echo
+		printf "Re-Enter New CA Key Passphrase: "
+		stty -echo
+		read -r kpass2
+		stty echo
+		echo
+		if [ "$kpass" = "$kpass2" ];
+		then
+			printf "%s" "$kpass" > "$out_key_pass_tmp"
+		else
+			die "Passphrases do not match."
+		fi
 	fi
+
 	# create the CA key using AES256
-	"$EASYRSA_OPENSSL" genrsa -aes256 -out "$out_key_tmp" -passout file:"$out_key_pass_tmp"
+	[ ! $nopass ] && crypto_opts="$crypto -passout file:$out_key_pass_tmp"
+	if [ "$EASYRSA_ALGO" = "rsa" ]; then
+		#shellcheck disable=SC2086
+		"$EASYRSA_OPENSSL" genrsa -out "$out_key_tmp" $crypto_opts "$EASYRSA_ALGO_PARAMS"
+	elif [ "$EASYRSA_ALGO" = "ec" ]; then
+		#shellcheck disable=SC2086
+		"$EASYRSA_OPENSSL" ecparam -in "$EASYRSA_ALGO_PARAMS" -genkey | \
+			"$EASYRSA_OPENSSL" ec -out "$out_key_tmp" $crypto_opts
+	fi
 	# create the CA keypair:
+	[ ! $nopass ] && crypto_opts="-passin file:$out_key_pass_tmp"
 	#shellcheck disable=SC2086
 	"$EASYRSA_OPENSSL" req -utf8 -new -key "$out_key_tmp" \
-		-config "$EASYRSA_SSL_CONF" -keyout "$out_key_tmp" -out "$out_file_tmp" -passin file:"$out_key_pass_tmp" $opts || \
+		-config "$EASYRSA_SSL_CONF" -keyout "$out_key_tmp" -out "$out_file_tmp" $crypto_opts $opts || \
 		die "Failed to build the CA"
+
 	mv "$out_key_tmp" "$out_key"; EASYRSA_TEMP_FILE_2=
 	mv "$out_file_tmp" "$out_file"; EASYRSA_TEMP_FILE_3=
-	rm "$out_key_pass_tmp"
+	[ -f "$out_key_pass_tmp" ] && rm "$out_key_pass_tmp"
 
 	# Success messages
 	if [ $sub_ca ]; then
@@ -897,16 +912,18 @@ Missing key expected at: $key_in"
 		fi
 
 		# export the p12:
+		# shellcheck disable=SC2086
 		"$EASYRSA_OPENSSL" pkcs12 -in "$crt_in" -inkey "$key_in" -export \
-			-out "$pkcs_out" "$pkcs_opts" || die "\
+			-out "$pkcs_out" $pkcs_opts || die "\
 Export of p12 failed: see above for related openssl errors."
 	;;
 	p7)
 		pkcs_out="$EASYRSA_PKI/issued/$short_name.p7b"
 
 		# export the p7:
+		# shellcheck disable=SC2086
 		"$EASYRSA_OPENSSL" crl2pkcs7 -nocrl -certfile "$crt_in" \
-			-out "$pkcs_out" "$pkcs_opts" || die "\
+			-out "$pkcs_out" $pkcs_opts || die "\
 Export of p7 failed: see above for related openssl errors."
 	;;
 esac